If we're doing baremetal OS deployment using ConfigMgr or other solutions, what needs to be done so newly imaged workstations immediately contain the new secure boot certificates? I'm using the Windows 11 25H2 Enterprise image from the Microsoft VLSC updated with the 2026-02 updates (KB5077181) and no other modifications. I'm imaging a Dell system running the latest BIOS version. After imaging, I still get event ID 1801 indicating "Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware."
This is a scenario that I have not thought through before. I believe, for bare‑metal deployments, this behavior is expected.
Key points:
- OS imaging does not modify Secure Boot firmware variables (DB, KEK, DBX). Those live in UEFI firmware and persist across reimaging.
- Windows 11 25H2 will automatically install the 2023‑signed boot manager if the 2023 Secure Boot certificates are already present in firmware.
- If the certificates are not present, Windows will detect that updates are available and log Event ID 1801 until Secure Boot servicing is triggered.
For ConfigMgr or other deployment solutions, the recommended approach is to trigger Secure Boot servicing after imaging by setting:
HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot AvailableUpdates = 0x5944
This causes the SecureBootUpdate scheduled task to run and determine what work is required. It will apply missing certificates to firmware and update the boot manager as needed. Once complete, the device will converge to the correct Secure Boot state without requiring image customization.
This is the simplest and supported way to ensure newly imaged devices are fully updated.
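An added example (not from either participant in this thread) of how the step described in the answer could be scripted as a post-imaging task sequence action in PowerShell, with a check before and after so the device's state is recorded. It assumes the scheduled task path \Microsoft\Windows\PI\Secure-Boot-Update, that event 1801 is written to the System log by provider Microsoft-Windows-TPM-WMI, and that the 2023 DB certificate carries the subject string "Windows UEFI CA 2023"; none of these names appear in the thread.

```powershell
# Added example for a ConfigMgr task sequence step that runs as SYSTEM after the OS is laid down.
# Assumptions (not stated in the thread): task path, event provider name and the 2023 CA subject string.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$taskPath = '\Microsoft\Windows\PI\'
$taskName = 'Secure-Boot-Update'

# Servicing only applies on a UEFI system with Secure Boot on; stop with a clear message otherwise.
try {
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is disabled.' }
} catch {
    throw "Cannot service Secure Boot firmware variables on this device: $_"
}

function Test-Db2023Ca {
    # Scan the raw DB variable for the 2023 CA subject string (assumed name, see lead-in).
    $bytes = (Get-SecureBootUEFI -Name db).bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match 'Windows UEFI CA 2023')
}

if (Test-Db2023Ca) {
    Write-Output 'DB already contains the 2023 CA; no servicing needed.'
    exit 0
}

# Trigger servicing exactly as the answer describes: AvailableUpdates = 0x5944 (REG_DWORD).
Set-ItemProperty -Path $regPath -Name 'AvailableUpdates' -Value 0x5944 -Type DWord

# Start the task now rather than waiting for its next scheduled trigger.
Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName

# Give the task a moment, then record whether 1801 is still being logged and whether DB now has the CA.
Start-Sleep -Seconds 30
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue
if ($recent) { Write-Warning "Event 1801 was logged $($recent.Count) time(s) in the last 5 minutes." }
Write-Output ("2023 CA present in DB after servicing: {0}" -f (Test-Db2023Ca))
```

Servicing can take more than one reboot to converge, so rerun the check portion after the next restart rather than treating the first result as final.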