[BESAdmin-Announcements] Support for Microsoft Windows Secure Boot Certificate Updates

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Tue Mar 3 08:35:58 PST 2026


The BigFix Patch Team is pleased to announce the release of new content in
the *Patches for Windows* site to support the assessment and renewal of
Microsoft Secure Boot Certificates.

*Background*
Starting in June 2026, the three original Certificate Authorities (CAs)
provided by Microsoft for Secure Boot (KEK CA 2011, Windows Production PCA
2011, and UEFI CA 2011) will begin to expire. To maintain Secure Boot
functionality and ensure devices can continue to receive security updates
for boot components, systems must be updated to the new 2023 certificates.

*What is Included*
1. Assessment: Microsoft Windows Secure Boot Inventory Data

   - Analysis ID: 660
   - Site: Patches for Windows
   - Details: This analysis allows you to monitor the transition and verify
   the Secure Boot status across your environment. It retrieves critical data
   points including UEFI CA 2023 Status, Error codes, Secure Boot enablement,
   and OEM-specific firmware details.


2. Remediation: Windows Secure Boot certificate expiration and CA updates

   - Fixlet ID: 506820201 (KB5068202)
   - Site: Patches for Windows
   - Details: This Fixlet automates the registry configuration
   (`AvailableUpdates` set to `0x5944`) required to signal Windows to execute
   the certificate update.
   - Action: The Fixlet includes two actions, both of which require a
   **reboot** to complete the firmware-level update process.


*Important Deployment Notes*

   - *Test Before Mass Deployment*: Because this process involves
   firmware/UEFI variables, we strongly recommend testing this content on
   representative hardware models in your environment before a broad rollout.
   - *OEM Compatibility*: Please consult your Original Equipment
   Manufacturer (OEM) documentation to ensure your hardware supports these
   Secure Boot updates.
   - *Success Criteria*: Once the Fixlet is applied and the system is
   rebooted, the `UEFICA2023Status` (tracked via Analysis 660) should
   transition from `NotStarted` to `Updated`.
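The following PowerShell script is an added example for administrators who want to confirm the same data points locally before trusting the Analysis 660 results; it is not part of the BigFix content or Microsoft's tooling. It assumes the Secure Boot servicing registry locations documented by Microsoft (`HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot` for `AvailableUpdates`, and its `Servicing` subkey for `UEFICA2023Status` and `UEFICA2023Error`), the intermediate status value `InProgress`, and the 2023 CA subject names (`Windows UEFI CA 2023`, `Microsoft UEFI CA 2023`); verify these against the linked Microsoft guidance for your Windows build. It only reads state and does not set `AvailableUpdates`; that remains the Fixlet's job.

```powershell
# Added example, not part of the BigFix announcement or its Fixlet content.
# Reads the Secure Boot certificate-transition state of the local machine,
# covering the data points Analysis 660 reports (Secure Boot enablement,
# UEFI CA 2023 status, error code, pending AvailableUpdates flags).
# Registry paths, value names and the 'InProgress' status are assumptions
# taken from Microsoft's Secure Boot servicing guidance.
#Requires -RunAsAdministrator

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey  = Join-Path $SecureBootKey 'Servicing'

function Get-SecureBootCertState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{
        SecureBootEnabled  = $false
        DbHasWindowsCa2023 = $false
        DbHasUefiCa2023    = $false
        UEFICA2023Status   = 'Unknown'
        UEFICA2023Error    = $null
        AvailableUpdates   = $null
    }

    try { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { Write-Warning "Secure Boot not supported or not readable here: $_" }

    if ($state.SecureBootEnabled) {
        # 'db' is a raw EFI_SIGNATURE_LIST blob; the CA subject names are
        # present as ASCII inside the embedded X.509 certificates, so a
        # substring match is enough to tell whether the 2023 CAs are enrolled.
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $state.DbHasWindowsCa2023 = [bool]($dbText -match 'Windows UEFI CA 2023')
        $state.DbHasUefiCa2023    = [bool]($dbText -match 'Microsoft UEFI CA 2023')
    }

    # Servicing status written by Windows while it walks through the update.
    $servicing = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    if ($servicing) {
        if ($servicing.PSObject.Properties['UEFICA2023Status']) { $state.UEFICA2023Status = $servicing.UEFICA2023Status }
        if ($servicing.PSObject.Properties['UEFICA2023Error'])  { $state.UEFICA2023Error  = $servicing.UEFICA2023Error }
    }

    # The DWORD the Fixlet sets to 0x5944; Windows clears bits as steps finish,
    # so a non-zero value after reboot means work is still pending.
    $sb = Get-ItemProperty -Path $SecureBootKey -ErrorAction SilentlyContinue
    if ($sb -and $sb.PSObject.Properties['AvailableUpdates']) {
        $state.AvailableUpdates = '0x{0:X}' -f [int]$sb.AvailableUpdates
    }

    [pscustomobject]$state
}

function Test-SecureBootCertUpdated {
    param([Parameter(Mandatory)] $State)
    # Success criteria from the announcement: UEFICA2023Status has reached
    # 'Updated', with Secure Boot still on and the 2023 Windows CA in db.
    return ($State.SecureBootEnabled -and
            $State.UEFICA2023Status -eq 'Updated' -and
            $State.DbHasWindowsCa2023)
}

$state = Get-SecureBootCertState
$state | Format-List

if (Test-SecureBootCertUpdated -State $state) {
    'Secure Boot certificate update complete.'
}
elseif ($state.UEFICA2023Status -eq 'InProgress') {
    'Update in progress: at least one more reboot is still required.'
}
else {
    'Not yet updated. If the Fixlet has been applied, confirm AvailableUpdates reads 0x5944 and reboot.'
}
```

Run it on one device from each hardware model before and after deploying the Fixlet; the before run gives you the `NotStarted` baseline and the OEM-specific error codes to compare against Analysis 660, and a non-empty `UEFICA2023Error` after reboot is the first thing to check with the OEM before widening the rollout.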


For full technical details, please refer to the official KB article:
[KB0129014 - BigFix Support for Windows Secure Boot Certificate Updates](https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129014)

*Published site version:*
Patches for Windows, version 4680

*Additional Links:*
Microsoft Secure Boot Certificate updates: Guidance for IT professionals
and organizations
<https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f>