Microsoft's new Patch Tuesday update adds centralized Secure Boot deployment scripts for even easier management.
Last week Microsoft released its newest Patch Tuesday updates (KB5087544 on Windows 10 and KB5089549 on Windows 11) as well as corresponding Recovery updates. The official Media Creation Tool has also been updated. Word of warning though, the Windows 11 update can have installation problems for which the company has issued workarounds; plus it remains vulnerable to "MiniPlasma," a security flaw we covered earlier today.
On the positive side though, Microsoft quietly made a useful improvement with the new Patch Tuesday update as it added a new Secure Boot folder to the system root directory, typically the C drive. Neowin noticed this change while browsing.
For some reason the company forgot to mention it in the initial release notes but later mended that by adding it in. It wrote: "Added Secure Boot release note: This update adds a new SecureBoot folder under C:\Windows on eligible devices." Hence with this update, Microsoft has compiled all the necessary resources into one place under the "ExampleRolloutScripts" folder. Essentially, these scripts allow IT admins and system admins to automate the installations via GPO (Group Policy Object) deployment, as well as monitor and keep track of the Secure Boot update status in their respective enterprise scenarios. They cover both Phase 1, for detection and status monitoring, and Phase 2, for the updated certificates rollout completion.
Thus the new Secure Boot folder houses the following sample PowerShell scripts:
- Detect-SecureBootCertUpdateStatus.ps1: Collects device status data.
- Aggregate-SecureBootData.ps1: Generates reports and dashboards.
- Deploy-GPO-SecureBootCollection.ps1: Automates GPO creation for data collection.
- Start-SecureBootRolloutOrchestrator.ps1: Fully automated, continuous orchestration with automated GPO deployment for certificate installation.
- Deploy-OrchestratorTask.ps1: Deploys the orchestrator as a Windows Scheduled Task for automated rollout.
- Get-SecureBootRolloutStatus.ps1: View Secure Boot Certificate Roll out status from any workstation.
- Enable-SecureBootUpdateTask.ps1: Enables Secure Boot Update Task.
For anyone who may not be aware, back in early 2024, Microsoft announced that it was updating Secure Boot keys as they were going to become 15 years old in 2026, which is also when they are set to expire. As such, the new 2023 certificates have been rolled out with the newest Windows 11 updates. Updated boot manager and Secure Boot certificates are crucial for protection against malware like bootkits. If you recall, Microsoft had clarified that this was the reason for multiple restarts.
If you are a home user and are wondering whether you have the necessary updated certificates, Microsoft added a useful marker inside the Windows Security app to help recognize that.
Hope you enjoyed this news post. Feedback welcome.
Posted Tuesday 19 May 2026 at 7:48 am AEST (my time).