Enable Secure Boot Certificate Deployment
Supported on: At least Windows Server 2012, Windows 8 or Windows RT
Registry
SYSTEM\CurrentControlSet\Control\SecureBoot
Value name: AvailableUpdatesPolicy
Enabled: AvailableUpdatesPolicy = 22852
Disabled: AvailableUpdatesPolicy = 0
Description
This policy setting allows you to enable or disable the Secure Boot Certificate Deployment process on devices. When enabled, Windows will automatically begin the certificate deployment process to devices where this policy has been applied.
Note: This registry setting is not stored in a policy key, so it is considered a preference. Therefore, if the Group Policy Object that implements this setting is ever removed, this registry setting will remain.
Note: The Windows task that processes this setting runs every 12 hours. In some cases, the updates will be held until the system reboots to safely sequence the updates.
Note: Once the certificates are applied to the firmware, you cannot undo them from Windows. If clearing the certificates is necessary, it must be done from the firmware menu interface.
For more information, see: https://aka.ms/GetSecureBoot