Secure Boot Certificate User Guide


Overview

This DEX pack adds a Secure Boot Certificate DEX Pack dashboard to your SysTrack environment. The dashboard displays every Windows device in your fleet and its current state in the certificate update process.

The pack includes two components:

  • Daily status check - runs automatically on every device to collect certificate status data and populate the dashboard. No action needed.

  • Remediation command - backs up BitLocker keys and triggers the Microsoft certificate update. Does not run automatically - must be triggered by an administrator, either on-demand or via an optional schedule you configure.

How This Feature Helps You

Microsoft Secure Boot certificates issued in 2011 are set to expire in 2026. All Windows devices that use UEFI Secure Boot require updated certificates; without them, devices may fail to boot or may lose trust for drivers and firmware updates. The roadmap for the expiration is as follows:

Date             | What Happens
-----------------|--------------------------------------------------------------------
June 24, 2026    | KEK CA 2011 expires - new certificate enrollment stops working
June 27, 2026    | UEFI CA 2011 expires - third-party drivers and firmware lose trust
October 19, 2026 | Windows PCA 2011 expires - Windows boot loader trust expires

The Secure Boot Certificate DEX pack collects daily status from each client, tracks a 7-step remediation checklist, and can automatically trigger the certificate update on devices that have safely backed up their BitLocker recovery keys.

Operational Scope and Safety

This pack does NOT perform any custom certificate operations. Specifically, it does not:

  • Copy, write, or modify certificates

  • Write to UEFI firmware

  • Modify the boot configuration

  • Force device reboots

Instead, the pack only invokes standard Microsoft-provided mechanisms that an administrator could run manually.

Microsoft-Provided Actions Used

The pack performs the following actions:

  • BitLocker key backup using built-in Windows APIs (equivalent to Group Policy-based or manual administrative backup)

  • Setting the AvailableUpdates registry value, the same value used by Windows Update

  • Starting Microsoft's Secure-Boot-Update scheduled task, which is the same task triggered by Windows Update

All remaining steps - including certificate staging, firmware commit, and boot manager updates - are handled entirely by Microsoft Windows and the device firmware.

This implementation follows Microsoft’s official deployment guidance as documented in KB5025885.
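The sequence those three actions form, written out as an added PowerShell example (this is not the DEX pack's own remediation script): recovery keys are backed up first, and the registry value and scheduled task are not touched if that backup fails. The AvailableUpdates value is a placeholder parameter that must be taken from KB5025885 for your Windows build; the registry key and task path are assumed to be the standard ones.

```powershell
# Added example, not the DEX pack's script: gate on BitLocker backup, then
# invoke only the two Microsoft-provided mechanisms the guide describes.
# ASSUMPTION: $AvailableUpdatesValue is a placeholder; take the correct value
# for your build from KB5025885. Key path and task path assumed standard.
param(
    [Parameter(Mandatory)] [uint32] $AvailableUpdatesValue,
    [ValidateSet('AAD', 'AD')] [string] $BackupTarget = 'AAD'
)
$ErrorActionPreference = 'Stop'
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$taskPath = '\Microsoft\Windows\PI\'
$taskName = 'Secure-Boot-Update'

# "Not Applicable" devices: Secure Boot off, or legacy BIOS (cmdlet throws).
try { if (-not (Confirm-SecureBootUEFI)) { Write-Output 'Secure Boot disabled; nothing to do'; return } }
catch { Write-Output 'Legacy BIOS (no UEFI Secure Boot); nothing to do'; return }

# Guide step 1: back up every recovery-password protector. Because
# $ErrorActionPreference is Stop, any failure ends the script here, before
# the update is triggered - this is the safety gate the guide describes.
foreach ($vol in Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On') {
    foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
        if ($BackupTarget -eq 'AAD') {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        } else {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        Write-Output "Backed up recovery key $($kp.KeyProtectorId) for $($vol.MountPoint) to $BackupTarget"
    }
}

# Guide step 2: set AvailableUpdates, the same value Windows Update sets.
if (-not (Test-Path $regPath)) { throw "Secureboot registry key missing: $regPath" }
Set-ItemProperty -Path $regPath -Name 'AvailableUpdates' -Value $AvailableUpdatesValue -Type DWord

# Guide step 3: start Microsoft's own task; Windows and firmware do the rest.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName
if ($task.State -eq 'Disabled') { throw "$taskName task is disabled (see Troubleshooting, step 2-3)" }
Start-ScheduledTask -InputObject $task
Write-Output 'Secure-Boot-Update task started; progress appears on the next daily collection'
```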

How to Use the Dashboard

Open the Dashboard

Navigate to Secure Boot Certificate DEX Pack in the dashboard list. You will see all Windows devices with their current status.

Understand the Status Column

Each device shows its current position in the 7-step update process:

Status                                | What It Means                                      | What To Do
--------------------------------------|----------------------------------------------------|-----------------------------------------------------------------------
Pending Inventory - No Data           | Device hasn't reported yet                         | Wait for the next daily collection cycle (up to 24h)
Not Applicable - Legacy BIOS          | Device doesn't use UEFI Secure Boot                | Nothing - device not affected by the cert expiry
Step 1/8 - BitLocker keys need backup | BitLocker keys not yet backed up                   | Run the remediation command - it will back up keys automatically
Step 2/8 - Update needs to be triggered | Keys are backed up, ready for cert update        | Run the remediation command to trigger the update
Step 3/8 - Waiting for task confirmation | Update triggered, waiting for the task to complete | Wait - Microsoft's Secure-Boot-Update task runs automatically every 12 hours
Step 4/8 - Certs staged to UEFI       | New certificates are staged, but not yet applied   | Device needs a reboot to apply the certificates
Step 5/8 - Reboot needed to apply certs | Certificates need firmware commit                | Schedule a reboot during the next maintenance window
Step 6/8 - Reboot needed for boot manager | Boot manager needs to switch to 2023 chain     | Schedule a reboot (often completes in the same reboot as step 5)
Step 7/8 - Waiting for confirmation   | Almost done, waiting for final verification        | Wait - completes automatically after the reboot
Step 8/8 - Complete                   | All certificates updated, device is protected      | Nothing - no further actions needed for this device

Use the Stage Filter

The Stage not completed drop-down list lets you focus on devices that need attention. For example:

  • Select Step 1 - BitLocker keys need backup to see all devices that haven't backed up their keys yet.

  • Select Step 5 - Reboot needed to see all devices waiting for a reboot.

  • Select No Filter to see all devices including those that are already complete.

Check Certificate Expiry

The color-coded columns show how urgent each device is:

  • Days to MS Cert Expiry - red means the Microsoft certificate is close to expiring or already expired.

  • Days to OEM Cert Expiry - red means a vendor certificate (Dell, HP, Lenovo, etc.) is expired. OEM certs can only be updated via a BIOS update from the manufacturer.

View Device Details

Click any device name to see a detailed breakdown: timestamps for each completed step, which steps were performed by SysTrack vs. externally, and any error messages.

Recommended Workflow

Follow these steps to get your entire fleet updated before the June 2026 deadline:

  1. Wait 24 hours after deployment for the first collection cycle to complete. The dashboard will populate with status data from all devices.

  2. Review the dashboard. Use "No Filter" to get a fleet-wide overview. Check how many devices are at each step.

  3. Run remediation on devices at step 1-2. You have two options:

    1. On-demand: Go to Prevent > Tools, select the SecureBoot Needs Remediation group from the dropdown, then click Take Action. In the dialog, select Automations, then navigate to Security > SecureBoot Remediation. Set Run Mode to Run Silently and click Run. This targets all devices in the group in one click.

    2. Scheduled (optional): See Optional: Automated Remediation Schedule below.

        The remediation command backs up BitLocker keys (step 1) and triggers the Microsoft certificate update (steps 2-3). This is safe - the script refuses to trigger the update until all BitLocker keys are confirmed as backed up. As devices complete the process, they drop out of the group automatically.

  4. Wait for steps 3-4 to complete automatically. The Microsoft scheduled task processes the certificate update within 12 hours. The daily status check will pick up the progress.

  5. Schedule reboots for devices at step 4-6. After the certificates are staged, at least one reboot is needed for the firmware to apply them. Coordinate reboots during your normal maintenance windows. The pack does not force reboots.

  6. Monitor until all devices reach step 8. Use the stage filter to find stragglers. Devices that stay stuck may have firmware issues - check the Update Error column.

  7. Handle OEM cert warnings separately. Red values in the Days to OEM Cert Expiry column mean a vendor certificate (e.g. Dell KEK) is expired. This requires a BIOS update from the device manufacturer - SysTrack cannot fix OEM certs. If the OEM has shipped a replacement cert via BIOS update, the expired cert is automatically skipped and the column shows the replacement's expiry instead.

Why does the pack back up BitLocker keys first?

Under normal circumstances, the certificate update and reboot complete without any BitLocker issues. However, if something goes wrong during the reboot (e.g. firmware error, unexpected power loss, or hardware-specific edge cases), BitLocker may prompt for a recovery key. The pack backs up all keys to Azure AD or Active Directory as a precaution before triggering the update, so recovery keys are always available if needed.

Computer Group: SecureBoot Needs Remediation

The DEX pack includes a dynamic computer group that automatically contains all devices at step 1 or step 2 - the devices where the remediation command can take action. As devices progress past step 2, they drop out of the group automatically.

The group is typically imported as part of the DEX pack. If you need to create it manually:

  1. Go to Configure > Groups.

  2. Click + to add a new group.

  3. Name: SecureBoot Needs Remediation.

  4. Type: Dynamic.

  5. Enter this SQL:

    SELECT T.WGUID
    FROM RPT_VUSecureBootCert T
    WHERE T.NEXTSTEP = 1
       OR T.NEXTSTEP = 2

  6. Save the group.

Use this group in Prevent > Tools to run on-demand remediation, or link it to a Tool Schedule for automated remediation.

Optional: Automated Remediation Schedule

Instead of running remediation manually each time, you can set up a Tool Schedule that automatically remediates devices when they log on. This is optional - the on-demand approach via Prevent > Tools works fine for smaller fleets.

To set up the schedule, add a new Tool Schedule entry to the existing SecureBootCert role with these settings:

Setting                           | Value
----------------------------------|----------------------------------------
Tool Type                         | Automation
When sensor is triggered          | Logon Complete
Perform Automation                | SecureBoot Remediation
Run Mode                          | Run Silently
Run On                            | Active
Minimum Interval                  | 10 minutes
Execute Once                      | No
Only run tool on group of systems | SecureBoot Needs Remediation (checked)

This runs the remediation after each user logon, but only on devices in the SecureBoot Needs Remediation group (step 1 or 2). As devices complete the process, they drop out of the group automatically and stop receiving the automation. The remediation is safe to run repeatedly - it checks the current state and only acts when needed.

What SysTrack Does vs. What Microsoft Does

Steps 1-3 (SysTrack):

  • Backs up BitLocker recovery keys

  • Sets the AvailableUpdates registry value (same as Windows Update)

  • Starts Microsoft's own Secure-Boot-Update scheduled task

Steps 4-7 (Microsoft / Firmware):

  • Writes 2023 certificates to UEFI store

  • Commits certificates to firmware on reboot

  • Switches boot manager to 2023-signed version

  • Verifies completion

Troubleshooting

Situation                          | Cause                                                  | Action
-----------------------------------|--------------------------------------------------------|-------------------------------------------------------------------------
Device stuck at step 1             | BitLocker key backup failed (no AAD/AD connectivity?)  | Check network connectivity, AAD join status, or AD computer object
Device stuck at step 2-3           | Secure-Boot-Update task not found or disabled          | Verify the device has a recent Windows cumulative update installed
Device stuck at step 4-6           | Waiting for reboot                                     | Schedule a reboot - the update cannot proceed without one
Update Error column shows a message | Firmware issue - often VMware VMs or old hardware     | Check the error text. Event 1803 = missing OEM PK-signed KEK (unfixable by script). Event 1795 = firmware error (OEM BIOS update needed)
OEM cert expired (red), no successor | Device hasn't received a BIOS update with new OEM certs | Deploy a BIOS update from the device manufacturer (Dell, HP, Lenovo)
Not Applicable - Legacy BIOS       | Device uses legacy BIOS, not UEFI                      | Nothing - not affected by Secure Boot certificate expiry
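A local check to run on a device that stays stuck, added here as an example (it is not part of the DEX pack) and mirroring the table above: it reads the AvailableUpdates value, the state of the Secure-Boot-Update task, and the two event IDs the table names. It assumes those Secure Boot servicing events are written to the System log by the Microsoft-Windows-TPM-WMI provider; verify the provider name on your build.

```powershell
# Added example, not part of the DEX pack: local triage for a stuck device.
# ASSUMPTION: Secure Boot servicing events come from provider
# Microsoft-Windows-TPM-WMI in the System log (check this on your build).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

# Legacy BIOS devices throw here and are "Not Applicable" per the table.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }
if ($null -eq $secureBoot) { Write-Output 'Legacy BIOS - not affected by the cert expiry'; return }
Write-Output "Secure Boot enabled: $secureBoot"

# Step 2-3 check: is the update still queued for the task?
$pending = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
Write-Output ('AvailableUpdates = 0x{0:X} ({1})' -f [int]$pending,
    $(if ([int]$pending -ne 0) { 'update still queued for the task' } else { 'nothing queued' }))

$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
if (-not $task) {
    Write-Output 'Secure-Boot-Update task not found - install a recent cumulative update (table: step 2-3)'
} else {
    $info = Get-ScheduledTaskInfo -InputObject $task
    Write-Output "Task state: $($task.State); last run: $($info.LastRunTime); last result: $($info.LastTaskResult)"
}

# Update Error check: the two firmware-side event IDs the table explains.
$known = @{
    1803 = 'Missing OEM PK-signed KEK - cannot be fixed by script, needs OEM'
    1795 = 'Firmware error - OEM BIOS update needed'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = @(1795, 1803)
} -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    Write-Output ('{0}  Event {1}: {2}' -f $e.TimeCreated, $e.Id, $known[[int]$e.Id])
}
if (-not $events) {
    Write-Output 'No 1795/1803 events - device is most likely waiting for a reboot (step 4-6) or the next task run'
}
```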

References