--- title: "Secure Boot Certificate Installation Instructions" slug: "secure-boot-certificate-installation-instructions" status: "update" updated: 2026-05-26T11:27:05Z published: 2026-05-26T11:27:05Z --- > ## Documentation Index > Fetch the complete documentation index at: https://documentation.lakesidesoftware.com/llms.txt > Use this file to discover all available pages before exploring further. # Secure Boot Certificate Installation Instructions ## Minimum Version This DEX Pack requires SysTrack version 11.4 or higher. ## Notes - After this DEX Pack is installed, it may take up to 24 hours for data to appear. - If you update or reinstall this DEX Pack, you must reassign any Views created below to the SF_SecureBootCert Role. ## Import Kit To use this DEX Pack, the corresponding Kit must be imported to SysTrack. If you have already imported the DEX Pack directly from the Kits page, the Import Kit step is complete. You may move on to the next step. If you are viewing this DEX Pack in the Customer Gateway, follow these steps to import this DEX Pack Kit: 1. On the DEX Pack page, download the DEX Pack ZIP file. 2. In SysTrack, open **Kits**. 3. Under Local, click **Select Kit File**. 4. Select the DEX Pack ZIP File. ## Enable Action 1. Verify you have unlocked the tenant next to your username. 2. In **Configure**, click **Collection Extensions** on the left. 3. Select **Action Governance**. 4. Find the **SecureBootCert** action in the list and check approved and enabled on the far right for all. 5. Click **Save Changes** at the top right. ## SecureBootCert View The Secure Boot Certificate Dashboard requires you to make a View for the SF_SecureBootCert Role. 1. Go to **Configure** > **Views,** 2. Click the padlock in the upper-right to edit. 3. Click the plus to add a new View. 4. Enter the following **Settings**: 1. **View Name**: SecureBootCert 2. **Expires in**: Never 3. **Existing Category**: Custom 4. **When Expired**: Overwrite Data 5. Do not check **when overdue by 1 day(s)** 6. Set the **Refresh** drop-downs to **Daily**, **Inside** **24x7**, and **Every Day** 5. Copy this [SQL query](/documentation/docs/secure-boot-certificate-installation-instructions#securebootcert-sql-query), and paste it under **SQL Selection > Generic** 6. Click **Test SQL**. A Test Success message should appear. If the test fails, the query may have been copied incorrectly. 7. Click **Create View** at the top-right. ### To assign the new View: 1. Navigate to **Configure**> **Roles.** 2. Use the drop-down at the top to select the **SF_SecureBootCert** Role. 3. Click **Views**, then check the box next to **SecureBootCert**. 4. Click **Save Changes**at the top-right. #### SecureBootCert SQL Query ```sql SELECT    T0.WGUID,    T0.NextStep AS [NextStep],    T0.Step1_BitLockerKeysBackedUp AS [Step1_BitLockerKeysBackedUp],    T0.Step2_SecureBootUpdateTriggered AS [Step2_SecureBootUpdateTriggered],    T0.Step3_SecureBootTaskRan AS [Step3_SecureBootTaskRan],    T0.Step4_NewCertsStaged AS [Step4_NewCertsStaged],    T0.Step5_Reboot1_ToApplyCerts AS [Step5_Reboot1_ToApplyCerts],    T0.Step6_Reboot2_ToUpdateBootMgr AS [Step6_Reboot2_ToUpdateBootMgr],    T0.Step7_SecureBootComplete AS [Step7_SecureBootComplete],    T0.Step1_ViaSysTrack AS [Step1_ViaSysTrack],    T0.Step2_ViaSysTrack AS [Step2_ViaSysTrack],    T0.Step3_ViaSysTrack AS [Step3_ViaSysTrack],    T0.SoonestMsCertExpiryDate AS [SoonestMsCertExpiryDate],    T1.STRVALUE AS [SoonestMsCertExpiryName],    T0.SoonestOemCertExpiryDate AS [SoonestOemCertExpiryDate],    T2.STRVALUE AS [SoonestOemCertExpiryName],    T3.STRVALUE AS [UpdateError] FROM DYNI_SecureBootCertCheck AS T0 LEFT JOIN SASTR_DYN T1 ON T1.STRINGID = T0.SoonestMsCertExpiryName LEFT JOIN SASTR_DYN T2 ON T2.STRINGID = T0.SoonestOemCertExpiryName LEFT JOIN SASTR_DYN T3 ON T3.STRINGID = T0.UpdateError ``` ## SF_SecureBootCert Role The Secure Boot Certificate DEX Pack requires you to assign the SF_SecureBootCert Role to the relevant Configurations: 1. Navigate to **Configure**> **Configurations.** 2. Click the padlock icon in the upper-right to enable editing. 3. Use the drop-down at the top to select a relevant Configuration, or create a new Configuration. 4. Assign the **SF_SecureBootCert** Role to the Configuration by dragging it from Available Roles to Assigned Roles. 5. Click **Save Changes** at the top-right. 6. Repeat this process for any other relevant Configurations. ## SecureBoot Needs Remediation Group Create a dynamic computer group that automatically includes all devices that need remediation: 1. Go to **Configure***>***Groups.** 2. Click **+** to add a new group. 3. In **Group Name**, enter **SecureBoot Needs Remediation.** 4. In **Group Type**, select **Dynamic.** 5. Clear both **Group is enabled for Visualizer and Executive Insight** and **Group is enabled for real-time data** options. 6. Enter the following SQL: ```sql SELECT T.WGUID FROM RPT_VUSecureBootCert T WHERE T.NEXTSTEP BETWEEN 2 AND 7   OR (T.NEXTSTEP = 0 AND ISNULL(T.SOONESTMSCERTEXPIRYNAME, '') NOT LIKE '%2023%')   OR (T.NEXTSTEP = 0 AND ISNULL(T.UPDATEERROR, '') <> '') ``` 7. Click **Create**. Use this group as a table filter, in **Prevent > Tools** for on-demand remediation, or in a Tool Schedule for automated remediation.