Hi,
Could you please confirm if my understanding of KEK's update logic is correct?
- In a WSUS environment (IT management environment):
(1) Automatic (If High Confidence applies):
When Windows Update (LCU) is installed via WSUS, the OS determines its own hardware.
If it matches the High Confidence Database (and the administrator has not opted out), the OS automatically triggers the Secure Boot update.
(2) Manual (Using AvailableUpdates):
If it does not match High Confidence (or if waiting for automatic determination is not possible), after installing Windows Update (LCU) via WSUS and completing the file placement, the administrator manually sets AvailableUpdates to 0x5944 to forcibly trigger the update.
- For non-WSUS environments (Microsoft managed environments):
(1) Automatic (Basic):
When a regular Windows Update (LCU) is installed, Secure Boot updates are automatically triggered when the machine becomes eligible for the High Confidence Database.
(2) Manual (Exception):
Even in non-WSUS environments, if you absolutely want to apply the update immediately without waiting for automatic application (High Confidence certification), it is technically possible to force a trigger by setting the AvailableUpdates registry value to 0x5944 with administrative privileges.
mihi (Brass Contributor), Apr 22, 2026:
As a very general summary, this is roughly correct.
- This does not only refer to the KEK update, but updates of all the Secure Boot keys. For KEK, there also needs to be a signature by the vendor of your firmware (its Platform Key) submitted to Microsoft so that the KEK can be updated.
- Whether a device is considered managed or not depends not only on whether WSUS is used, but also on whether the device is domain-joined and whether telemetry is enabled and actually usable, and maybe other factors.
- All the mentioned registry options (both for opting in via AvailableUpdates and for opting out) are available on all devices, managed or not.
- The main difference between managed and unmanaged devices is that unmanaged devices can also receive their update via Controlled Feature Rollout (if they are lucky/unlucky and telemetry suggests that it should be tried), resulting in potentially being updated before the LCU that sets them to high confidence reaches them. However, there is no way to enforce or trigger whether you will be chosen as a Guinea Pig for Microsoft or not (if you are an unmanaged device).
- In case Microsoft considers your device managed, but you have telemetry enabled and explicitly want your device to be used as a Guinea Pig, you can set MicrosoftUpdateManagedOptIn registry key. This only has an effect if your device is considered managed.
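Putting the manual AvailableUpdates trigger from the question and the MicrosoftUpdateManagedOptIn key from the reply into one script, as an added example that is not code from either poster: it reports the current KEK contents and registry state first, and only writes the trigger values when explicitly asked, with -WhatIf support. The registry paths, the DWORD value used for MicrosoftUpdateManagedOptIn, and the certificate subject strings searched for in the KEK are assumptions, not taken from the thread.

```powershell
# Added example, not code from the thread. Assumptions: AvailableUpdates lives under
# HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot\Servicing, MicrosoftUpdateManagedOptIn
# under HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot, both REG_DWORD taking 0x5944,
# and the 2023 KEK is recognisable by the subject 'Microsoft Corporation KEK 2K CA 2023'.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$TriggerUpdate,   # write AvailableUpdates = 0x5944 (the manual trigger from the thread)
    [switch]$ManagedOptIn,    # write MicrosoftUpdateManagedOptIn (only matters on managed devices)
    [string]$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot\Servicing',
    [string]$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot',
    [int]$TriggerValue = 0x5944
)

function Test-KekContains {
    # Search the raw KEK UEFI variable for a certificate subject fragment.
    param([Parameter(Mandatory)][string]$SubjectFragment)
    $kek = Get-SecureBootUEFI -Name KEK -ErrorAction Stop
    $text = [System.Text.Encoding]::ASCII.GetString($kek.Bytes)
    return $text -match [regex]::Escape($SubjectFragment)
}

function Get-DwordOrZero {
    # Read a REG_DWORD, returning 0 when the key or value does not exist yet.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 } else { return [int]$item.$Name }
}

# Preconditions: Secure Boot on, and an elevated session (writes under HKLM need it).
if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this device.' }
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Report before touching anything, so a re-run after the servicing task shows what changed.
Write-Host ('KEK CA 2011 present    : {0}' -f (Test-KekContains 'Microsoft Corporation KEK CA 2011'))
Write-Host ('KEK 2K CA 2023 present : {0}' -f (Test-KekContains 'Microsoft Corporation KEK 2K CA 2023'))
Write-Host ('AvailableUpdates       : 0x{0:X}' -f (Get-DwordOrZero $ServicingKey 'AvailableUpdates'))
Write-Host ('ManagedOptIn           : 0x{0:X}' -f (Get-DwordOrZero $SecureBootKey 'MicrosoftUpdateManagedOptIn'))

if ($TriggerUpdate -and $PSCmdlet.ShouldProcess($ServicingKey, ('Set AvailableUpdates = 0x{0:X}' -f $TriggerValue))) {
    New-Item -Path $ServicingKey -Force | Out-Null   # no-op if the key already exists
    Set-ItemProperty -Path $ServicingKey -Name AvailableUpdates -Value $TriggerValue -Type DWord
}
if ($ManagedOptIn -and $PSCmdlet.ShouldProcess($SecureBootKey, ('Set MicrosoftUpdateManagedOptIn = 0x{0:X}' -f $TriggerValue))) {
    Set-ItemProperty -Path $SecureBootKey -Name MicrosoftUpdateManagedOptIn -Value $TriggerValue -Type DWord
}
```

Run it once without switches to record the baseline, then with `-TriggerUpdate -WhatIf` to see exactly which value would be written before committing; a later run without switches shows whether the 2023 KEK line has flipped to True.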