Overview
Microsoft’s Secure Boot certificate rollover introduced an important security requirement for organizations managing Windows 11 devices. As legacy Microsoft Secure Boot certificates approach expiration in 2026, organizations must prepare their endpoints for the new certificate infrastructure used to trust future Windows bootloaders and signed components.
For our client, the objective was clear: complete the Windows 11 Secure Boot certificate update across all managed endpoints, minimize disruption to employees, and verify that every device successfully received the new Windows UEFI CA 2023 certificate.
Using ScaleFusion, our endpoint management platform, we managed the entire Secure Boot certificate rollout remotely. The only action required from users was one restart per device, which they could perform at a convenient time.
The result was a successful deployment across every targeted Windows 11 endpoint, with 100% post-deployment verification and no remote support sessions.
The Challenge: Preparing for the Secure Boot Certificate Rollover
Microsoft’s original Secure Boot certificates, including Microsoft UEFI CA 2011 and Microsoft Windows Production PCA 2011, are approaching the end of their validity periods.
The new Secure Boot certificate infrastructure stores the Windows UEFI CA 2023 certificate in the Secure Boot allowed signature database, or DB, where it helps devices trust newer Windows boot components.
Our client operates under a controlled patch management process, meaning Windows updates are reviewed and deployed centrally rather than being installed automatically.
To complete the Windows 11 Secure Boot certificate update, we needed a reliable way to:
- Confirm that Secure Boot was enabled on every endpoint.
- Assess the existing Secure Boot certificate database.
- Identify devices requiring the Windows UEFI CA 2023 certificate.
- Deploy the relevant Windows security update in a controlled manner.
- Minimize disruption to employees.
- Verify successful remediation after deployment.
The environment consisted of approximately 12 Windows 11 endpoints from multiple hardware vendors, with Lenovo devices representing most of the fleet.
Our Secure Boot Certificate Update Solution
We created a five-step workflow combining ScaleFusion endpoint management, centralized patch deployment, PowerShell automation, and post-deployment verification.
Step 1: Validate the Secure Boot Configuration
Before we began the Secure Boot certificate rollover, we verified that every managed Windows 11 endpoint had Secure Boot enabled.
Using ScaleFusion, our Mobile Device Management platform, we remotely collected device configuration information and verified the Secure Boot status of each endpoint.
We completed this step without involving employees or scheduling remote support sessions.
This initial validation ensured that every targeted device met the prerequisites for the Windows 11 Secure Boot certificate update before deployment began.
Step 2: Assess the Existing Secure Boot Certificates
The next step was to inspect the Secure Boot certificate database on every device.
Using ScaleFusion’s remote scripting capabilities, we executed the following PowerShell script:
$var = Get-SecureBootUEFI -Name db
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Documents\db.bin", $var.Bytes)The script retrieved and exported the Secure Boot DB, also known as the allowed signature database, directly from the device firmware.
We then analyzed each exported database to determine whether the endpoint already contained the Windows UEFI CA 2023 certificate or was still relying on legacy Microsoft 2011 certificates.
This assessment gave us a clear inventory of the devices that required remediation and helped us avoid unnecessary changes to endpoints already prepared for the Secure Boot certificate rollover.
Step 3: Deploy the Windows 11 Security Update
Once the assessment was complete, we approved and deployed KB5083769 through ScaleFusion as part of the managed Windows 11 update process.
KB5083769 is an April 2026 cumulative security update for supported Windows 11 versions. In our managed environment, deploying the update supported the transition to the newer Secure Boot certificate infrastructure.
Because we already managed Windows patches centrally through ScaleFusion, we delivered the Windows 11 Secure Boot certificate update without disrupting users.
The update:
- Downloaded automatically.
- Installed silently in the background.
- Required no one-to-one remote support sessions.
- Required no manual installation by employees.
- Was deployed only to the intended Windows 11 endpoints.
- Remained under the control of the IT patch management process.
This approach allowed us to maintain control over the deployment while ensuring that every affected device received the required Windows security update.
Step 4: Provide a User-Friendly Restart Process
Users only needed to restart each device once to complete the Secure Boot update process.
Rather than forcing an immediate restart during working hours, employees could restart their computers when it was convenient for them. This simple approach reduced the risk of interrupting meetings, active work, or important business processes.
From the user’s perspective, the experience was straightforward: the update installed silently, and they restarted their computer at a suitable time.
Step 5: Verify the Windows UEFI CA 2023 Certificate
Deployment alone was not enough. We also needed to verify that every endpoint had successfully applied the Windows 11 Secure Boot certificate update.
After each device restarted, we reran the Secure Boot PowerShell export through ScaleFusion.
Therefore, we analyzed the exported Secure Boot databases again to confirm that every device contained the Windows UEFI CA 2023 certificate.
The Windows UEFI CA 2023 certificate is valid until June 13, 2035, helping prepare supported Windows devices for future bootloaders and signed boot components.
Our post-deployment verification confirmed that we had successfully remediated all targeted endpoints.
No individual remote support sessions or hands-on endpoint interventions were required.
Results
We successfully completed the Windows 11 Secure Boot certificate update across the entire managed environment.
The project achieved:
- Approximately 12 Windows 11 endpoints updated.
- A mixed hardware environment successfully covered.
- 100% deployment success.
- 100% post-deployment verification.
- Zero remote support sessions.
- Zero manual installations by employees.
- Zero hands-on IT intervention on individual endpoints.
- No disruption to user productivity.
- Only one user-initiated restart required per device.
Every targeted endpoint was confirmed to contain the Windows UEFI CA 2023 certificate following the deployment.
Business Impact
Security updates are often viewed as disruptive projects that require extensive user coordination and IT involvement.
By leveraging our managed endpoint platform together with targeted PowerShell automation, we transformed this update into a fully automated workflow.
Instead of scheduling support calls, coordinating remote sessions, or walking users through update procedures, we were able to:
- Validate device readiness.
- Identify affected systems.
- Deploy Microsoft’s Secure Boot update.
- Verify successful remediation.
All of this was completed remotely, with no direct end-user interaction.
For our client, the experience was simple: the update installed silently in the background, users restarted their devices when it suited them, and we confirmed that every endpoint was fully protected with the latest Secure Boot certificates.
This project highlights the value of proactive endpoint management and demonstrates how modern MDM platforms can reduce operational overhead while improving security and maintaining business continuity.
