I've watched the video and read the comments a few times, and I think I'm getting closer to understanding, but I still have some questions. Let's assume the devices below are all released within the last few years, and have their BIOS/UEFI fully up to date and are on the manufacturer list of devices capable of installing 2023 secure boot certificates.
[1] Windows devices on an Active Directory domain (GPO managed, not InTune managed), with the Allow Diagnostic Data GPO set to Enabled and Diagnostic Data Off will never add the secure boot certificates to UEFI and update the boot loader automatically. Is this correct?
[2] My understanding is that the GPO Automatic Certificate Deployment via Updates, if set to Not Configured, means that Windows will go ahead and add the secure boot certificates to UEFI and update the boot loader automatically come time that Microsoft deems a domain joined system is high confidence for success. Is this correct?
[2.1] If the above is correct, will the secure boot certificates and boot loader update automatically even if the Enable Secure Boot Certificate Deployment GPO is set to Not Configured, and the Allow Diagnostic Data GPO is Enabled and set to Diagnostic Data Off? If the answer is No, which of those two GPOs, or both, are required for successful automatic deployment when Microsoft deems the devices are in a high confidence bucket? For the Allow Diagnostics Data GPO, if this is required, which level of diagnostics are required (required or optional)?
[3] Is the Allow Diagnostic Data GPO required to be set to Enabled and Send required diagnostic data or Send optional diagnostic data in order for the updated secure boot certificates and boot loader to be deployed and activated for any scenario, or does enabling the Enable Secure Boot Certificate Deployment GPO completely bypass the need for sending diagnostic data or Microsoft confidence buckets, and you're essentially saying "yes, I've updated the BIOS/UEFI on these machines, so my own confidence is high and I'm telling machines to go ahead and update the secure boot certificates and boot loader"?
[4] A regular, non-domain joined and non-Entra managed, residential consumer PC running Windows 11 doesn't need to do anything and will receive the certificates and boot loader update automatically, because that device is always sending at least the required level of diagnostic data, which can't be turned off. Is this correct?
Thank you!
- Arden_White, Mar 09, 2026, Microsoft
[1] If the device is not sending diagnostic data, there is still an alternate path for Secure Boot certificates to be applied. Devices can be included in the High Confidence database that is delivered with cumulative updates. When a device is identified as High Confidence, the Secure Boot certificates are applied automatically.
For client devices, there is a relatively high likelihood of being classified as High Confidence. This is much less likely for server and IoT devices.
[2] Yes. Automatic application occurs for devices that are determined to be High Confidence based on data from other similar devices.
[2.1] The default Secure Boot behavior will automatically apply certificates for High Confidence devices. Leaving Automatic Certificate Deployment via Updates set to Not Configured or Disabled allows this path to function. Unless there is a strong reason to avoid relying on this mechanism, it is generally recommended.
As you noted, Certificate Deployment via Controlled Feature Rollout must be Enabled, and Required diagnostic data must be sent for this option to work. This can be more difficult for some IT organizations, either due to data‑sharing policies or challenges ensuring diagnostic data reaches Microsoft.
[3] Yes. Enabling Enable Secure Boot Certificate Deployment bypasses the need to send diagnostic data. This explicitly instructs the device to apply the Secure Boot certificates and the 2023‑signed boot manager. This option is appropriate when you have confidence that the device firmware can successfully process the update.
[4] Yes, that is correct.
Additional note on firmware updates
Firmware updates are not required in most cases. They are primarily needed when there is a firmware defect that prevents Secure Boot certificates from being updated, or when you want the new certificates present in the firmware default variables. The default variables are used to initialize the active Secure Boot variables.
I hope I've answered your questions.
- link470, Mar 10, 2026, Copper Contributor
Thanks very much, this helps a lot!
- RayC15, Mar 09, 2026, Brass Contributor
A follow-up question on [2],
- How often does high confidence database get updated?
- Does monthly cumulative update include this database update?
- How will the secure boot update be triggered when a new device is added to the database? Will the database update immediately trigger the secure boot update task, or will the secure boot update task follow its regular schedule?
- When automatic Windows Update is turned off via group policy, does manually installing the cumulative KB automatically trigger the secure boot update during reboot?
- Arden_White, Mar 10, 2026, Microsoft
We just published this doc that might help some:
A Closer Look at the High Confidence Database - Microsoft Support
3. The task runs right after boot and then every 12 hours after.
4. Yes, the cumulative updates deliver the database; the task uses it to determine when to apply the certificates to the firmware.
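A read-only check a domain admin can run on a device to see where it stands against the answers above (whether the 2023 CA is already in the firmware db, what the servicing status is, when the Secure Boot update task last ran, and what the diagnostic-data policy level is). This is an added example, not code from the thread or from Microsoft; the Servicing registry value names (UEFICA2023Status, AvailableUpdates) and the task path \Microsoft\Windows\PI\Secure-Boot-Update are assumed from Microsoft's Secure Boot servicing documentation and should be verified on your build.

```powershell
# Added example (not from the thread). Read-only inventory of a device's
# Secure Boot 2023 certificate state. Run in an elevated PowerShell on a
# UEFI Windows 10/11 device. Registry value names and the task path are
# assumptions taken from Microsoft's servicing documentation.

function Get-SecureBoot2023State {
    $result = [ordered]@{}

    # Is Secure Boot actually on? (UEFI only; throws on legacy BIOS)
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI } catch { $result.SecureBootEnabled = $null }

    # Does the firmware 'db' already contain the Windows UEFI CA 2023 certificate?
    try {
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $result.DbHasUEFICA2023 = [bool]($dbText -match 'Windows UEFI CA 2023')
    } catch { $result.DbHasUEFICA2023 = $null }

    # Servicing status written by the Secure Boot update task (assumed value names)
    $svc   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $props = Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue
    $result.UEFICA2023Status = $props.UEFICA2023Status
    $result.AvailableUpdates = if ($null -ne $props.AvailableUpdates) { '0x{0:X}' -f $props.AvailableUpdates } else { $null }

    # The task that applies the certificates: per the answer above it runs after boot, then every 12 h
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        $result.TaskState      = $task.State
        $result.TaskLastRun    = $info.LastRunTime
        $result.TaskLastResult = $info.LastTaskResult
    }

    # Diagnostic-data policy level (0 = off, 1 = required, 3 = optional), which
    # matters for the Controlled Feature Rollout path discussed in [2.1]
    $dc = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -ErrorAction SilentlyContinue
    $result.AllowTelemetryPolicy = $dc.AllowTelemetry

    [pscustomobject]$result
}

Get-SecureBoot2023State | Format-List
```

A device that shows DbHasUEFICA2023 = True with UEFICA2023Status reporting an updated state has already taken the certificates through one of the paths described above; a False with a recent TaskLastRun means the task has run but not yet decided to apply them on this device.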