Policy
Enable Secure Boot Certificate Deployment
This policy setting allows you to enable or disable the Secure Boot Certificate Deployment process on devices. When enabled, Windows will automatically begin the certificate deployment process to devices where this policy has been applied. Note: This registry setting is not stored in a policy key, and this is considered a preference. Therefore, if the Group Policy Object that implements this setting is ever removed, this registry setting will remain. Note: The Windows task that runs and processes this setting, runs every 12 hours. In some cases, the updates will be held until the system reboots to safely sequence the updates. Note: Once the certificates are applied to the firmware, you cannot undo them from Windows. If clearing the certificates is necessary, it must be done from the firmware menu interface. For more information, see: https://aka.ms/GetSecureBoot
3c6fc7e4fc9a SecureBoot_AvailableUpdatesPolicy Registry
Copy registry mappings
HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdatesPolicy (enabled) = 22852
HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdatesPolicy (disabled) = 0Policy notes
This policy setting allows you to enable or disable the Secure Boot Certificate Deployment process on devices. When enabled, Windows will automatically begin the certificate deployment process to devices where this policy has been applied. Note: This registry setting is not stored in a policy key, and this is considered a preference. Therefore, if the Group Policy Object that implements this setting is ever removed, this registry setting will remain. Note: The Windows task that runs and processes this setting, runs every 12 hours. In some cases, the updates will be held until the system reboots to safely sequence the updates. Note: Once the certificates are applied to the firmware, you cannot undo them from Windows. If clearing the certificates is necessary, it must be done from the firmware menu interface. For more information, see: https://aka.ms/GetSecureBoot