Remediation SecureBoot 2026 Compliance
Summary
This script automates the remediation of UEFI Secure Boot certificates required for Windows 2026 compliance. It ensures the system has the latest 2023 UEFI certificates (KEK and db) and configures the system for automatic Microsoft-managed UEFI certificate updates.
Mandatory
Once the Remediation SecureBoot 2026 Compliance agent procedure updates the certificates, the machine must be rebooted twice. The reboots are mandatory: without them, the Secure Boot 2026 certificates will not be applied.
After the system reboots, run the SecureBoot 2026 Compliance Check agent procedure again to verify that the certificates were updated successfully and to check the compliance status.
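For a manual spot check on a single machine after both reboots, the following is an added example and is not the ProVal SecureBoot 2026 Compliance Check script. It assumes an elevated PowerShell session on a UEFI system, and the certificate names it searches for ('Windows UEFI CA 2023' and 'Microsoft Corporation KEK 2K CA 2023') are assumptions taken from Microsoft's published 2023 certificate names, not from this page.

```powershell
# Added example: manual spot check, not the ProVal compliance check script.
# Assumption: the 2023 certificate names below are Microsoft's published names;
# this page does not list them.
function Test-SecureBootVariableContains {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Variable,
        [Parameter(Mandatory)][string]$CertificateName
    )
    try {
        # Reads the raw EFI signature list stored in the firmware variable
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        # Certificate subject names appear as readable strings inside the list
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        return ($text -match [regex]::Escape($CertificateName))
    }
    catch {
        # Raised on legacy BIOS machines, unsupported platforms, or non-elevated sessions
        Write-Warning "Cannot read UEFI variable '$Variable': $($_.Exception.Message)"
        return $false
    }
}

# Confirm-SecureBootUEFI returns $true/$false, or throws when the platform is not UEFI
$secureBootOn = $false
try {
    $secureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
}
catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
}

$db2023  = Test-SecureBootVariableContains -Variable db  -CertificateName 'Windows UEFI CA 2023'
$kek2023 = Test-SecureBootVariableContains -Variable KEK -CertificateName 'Microsoft Corporation KEK 2K CA 2023'

# One object per machine so the result can be exported or compared across endpoints
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    SecureBootEnabled = $secureBootOn
    Db2023Present     = $db2023
    Kek2023Present    = $kek2023
    Compliant         = ($secureBootOn -and $db2023 -and $kek2023)
}
```

If Db2023Present or Kek2023Present is still False after the second reboot, treat the machine as not remediated and rerun the check agent procedure for the authoritative result.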
Dependencies
- PowerShell 5.0+
- Agnostic Script - Remediate-SecureBootCompliance2026
- Solution - Secureboot Remediation and Audit Solution
Implementation
- Export the agent procedure from ProVal's VSA RMM instance.
  Name: Remediation SecureBoot 2026 Compliance
- Import this XML file into the partner's VSA RMM instance.
Execution Process
To execute the agent procedure in the partner's VSA RMM, follow these steps:
- Select the machine you want to run the Remediation SecureBoot 2026 Compliance agent procedure on from the VSA RMM.
- Click the Execute button and click Submit.

Output
- Agent Procedure Log
Changelog
2026-04-13
- Initial version of the document