Updating via Windows updates
You must first install a Windows update with the current keys (from May 2023).
In most cases Windows updates do not update the Secure Boot keys automatically, even if Secure Boot is enabled. Microsoft maintains a "HighConfidenceBucket" list of specific manufacturer devices (e.g. C6030-0060, 1.0, Beckhoff Automation GmbH & Co. KG, Bxx64 - 1.37, 01/31/2020). Devices on this list receive the key updates automatically via Windows Update. A system is only added to the list after it has successfully completed several Secure Boot key updates.

For devices that are not on the list, you can trigger the Secure Boot update task directly to import the Secure Boot keys into the UEFI firmware:
- Create the "AvailableUpdates" value in the registry:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
- Start the Secure Boot update task:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
- If "AvailableUpdates" still has the value 0x4100 after the task has run, reboot the system manually.
- Start the Secure Boot update task again:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
After the updates have been installed, disable the Secure-Boot-Update scheduled task again if no automated key updates are to be carried out in future.
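The procedure above, as an added PowerShell example (not code from the original page or from Beckhoff): it sets the registry value, runs the task, waits for it to finish, reports whether the 0x4100 reboot condition applies and then checks whether the "Windows UEFI CA 2023" certificate has actually arrived in the UEFI DB. It assumes an elevated PowerShell session on a system with Secure Boot enabled; the registry path, task name and 0x5944 / 0x4100 values are the ones from the page, and the function names are my own.

```powershell
# Added example: drive the manual Secure Boot key update and verify the result.
# Assumes an elevated PowerShell session and Secure Boot enabled (not the page's own code).
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$TaskPath = '\Microsoft\Windows\PI\'
$TaskName = 'Secure-Boot-Update'

function Get-AvailableUpdates {
    # Returns the current AvailableUpdates bitmask, or $null if the value does not exist yet
    (Get-ItemProperty -Path $RegPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
}

function Invoke-SecureBootUpdateTask {
    # Starts the task the page refers to and waits until it is no longer running
    Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName).State
    } while ($state -eq 'Running')
}

function Test-WindowsUefiCa2023InDb {
    # The DB variable is a raw EFI_SIGNATURE_LIST blob; the certificate subject is an ASCII substring of it
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    return ($db -match 'Windows UEFI CA 2023')
}

if (-not (Confirm-SecureBootUEFI)) {
    throw 'Secure Boot is not enabled; the key update task has nothing to apply.'
}

# Step 1: request the full update set (0x5944) exactly as the reg add command on the page does
Set-ItemProperty -Path $RegPath -Name AvailableUpdates -Value 0x5944 -Type DWord

# Step 2: run the task; each completed step clears its bit in AvailableUpdates
Invoke-SecureBootUpdateTask
$remaining = Get-AvailableUpdates
'AvailableUpdates after task run: 0x{0:X}' -f $remaining

# Step 3: 0x4100 left over means the remaining steps need a reboot; re-run the task afterwards
if ($remaining -eq 0x4100) {
    Write-Warning 'Reboot required. After the reboot, run Invoke-SecureBootUpdateTask again.'
}

# Verification: the 2023 CA must be present in the DB before 2023-signed boot components can be trusted
if (Test-WindowsUefiCa2023InDb) {
    'DB contains Windows UEFI CA 2023.'
} else {
    'DB does not yet contain Windows UEFI CA 2023; reboot and run the task again.'
}
```

Run the script once, reboot if it tells you to, then run it again; the final DB check is the one that matters, because a scheduled task that exits cleanly does not by itself prove the firmware accepted the new key.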