Hello,
I'm looking for some additional clarity regarding the HighConfidenceOptOut registry key. Specifically, if I want to fully manage the Secure Boot certificate rollout in my environment, do I need to ensure that both the AvailableUpdates and HighConfidenceOptOut registry keys are configured (0 and 1, respectively) to prevent automatic certificate deployment?
Note: Our environment leverages SCCM/WSUS for device management and patching; we do not leverage Windows Update/Autopatch for patch deployments.
My understanding is based on the documentation:
AvailableUpdates
0 or not set - No Secure Boot key updates are performed.
We already have AvailableUpdates configured with a value of 0. However, we currently do not have the HighConfidenceOptOut key configured.
HighConfidenceOptOut
An opt-out option for enterprises that want to prevent automatic application of high-confidence buckets delivered as part of the LCU.
0 or key does not exist – Opt in
1 – Opt out
After installing the February Cumulative Update (KB5075941), a subset of devices in my environment automatically installed the updated certificates, even though AvailableUpdates is set to 0. My assumption was that this key alone would prevent any automatic certificate updates, regardless of the HighConfidenceOptOut setting. Given what I'm seeing, I may be mistaken.
I also saw in the KB5075941 release notes that new Secure Boot changes were introduced, but again, my expectation was that configuring AvailableUpdates = 0 would block any automatic updates.
Could you clarify whether both keys are required to fully prevent automatic certificate deployment?
Thank you.
- Arden_White, Mar 10, 2026
Microsoft
Hi Matt,
AvailableUpdates is the mechanism that actually causes Secure Boot certificate updates to be applied. The key always exists, and when it remains at its default value of 0, Windows is not being instructed to apply updates. There is no need to explicitly configure it to 0 in this scenario.
However, some delivery paths can set AvailableUpdates on your behalf.
High Confidence updates are one of those paths. When a device is identified as eligible for a High Confidence update delivered via the LCU, Windows can automatically set AvailableUpdates unless you explicitly opt out.
Setting HighConfidenceOptOut=1 prevents the High Confidence feature from setting AvailableUpdates automatically. Without this opt-out, High Confidence processing can still trigger certificate deployment even though you have not intentionally enabled deployment.
For managed deployments:
- Enabling the Enable Secure Boot Certificate Deployment GPO sets AvailableUpdatesPolicy, which in turn sets AvailableUpdates.
- Microsoft Intune behaves the same way by setting AvailableUpdatesPolicy, which then drives AvailableUpdates.
So, if your goal is to fully prevent any automatic Secure Boot certificate deployment and manage rollout entirely yourself, you should:
- Leave AvailableUpdates at its default value
- Set HighConfidenceOptOut=1
This ensures that High Confidence processing does not implicitly trigger certificate deployment.
Hope this helps clarify what you are seeing.
Arden
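As an added example, not code from this thread or from Microsoft, the following PowerShell audits the two values Arden describes on a device and, with -Enforce, writes only the opt-out, leaving AvailableUpdates at its default as the reply recommends. It assumes both values live under HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot; the thread does not state the path, so confirm it against Microsoft's Secure Boot update documentation before relying on it.

```powershell
# Added example (not from the thread): audit, and optionally enforce, the two
# Secure Boot registry values discussed above, so that High Confidence
# processing in the LCU cannot set AvailableUpdates without the admin's intent.
# ASSUMPTION: both values live under the Secureboot control key below; verify
# the path against Microsoft's documentation before deploying this.
param(
    [switch]$Enforce   # when set, write HighConfidenceOptOut=1 (requires elevation)
)

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'   # assumed path

function Get-SecureBootRolloutState {
    param([string]$KeyPath = $SecureBootKey)

    $props     = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $available = $props.AvailableUpdates
    $optOut    = $props.HighConfidenceOptOut

    # Per the reply: a non-zero AvailableUpdates means Windows has been told to
    # apply certificate updates; HighConfidenceOptOut=1 stops the LCU's High
    # Confidence bucket from setting AvailableUpdates on its own.
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AvailableUpdates     = if ($null -eq $available) { 'not set (0)' } else { '0x{0:X}' -f $available }
        HighConfidenceOptOut = if ($null -eq $optOut)    { 'not set (opt in)' } else { $optOut }
        # True only when the device matches the "manage it yourself" posture.
        ManuallyManaged      = ($optOut -eq 1) -and ((-not $available) -or ($available -eq 0))
    }
}

$state = Get-SecureBootRolloutState
$state | Format-List

if ($Enforce -and -not $state.ManuallyManaged) {
    # Write only the opt-out; AvailableUpdates is left at its default value.
    New-ItemProperty -Path $SecureBootKey -Name 'HighConfidenceOptOut' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'HighConfidenceOptOut set to 1; re-run without -Enforce to confirm.'
}
elseif (-not $state.ManuallyManaged) {
    Write-Warning 'Device is opted in: High Confidence processing may set AvailableUpdates and deploy the certificates.'
}
```

In an SCCM/WSUS-managed estate, the ManuallyManaged boolean is a natural discovery-script output for a Configuration Manager compliance baseline, so devices that picked up the certificates after the cumulative update, like the subset described in the question, show up as non-compliant rather than being found after the fact.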
- Matt_Rinaldi, Mar 11, 2026, Copper Contributor
Great, thank you Arden_White for the detailed explanation!