Secure Boot Certificate Migration Using PowerShell Scripts in Windows 11 (KB5089549)
The May 2026 cumulative update KB5089549 introduces C:\Windows\SecureBoot\ExampleRolloutScripts, containing seven Microsoft-provided PowerShell scripts to assist enterprise administrators in migrating Secure Boot certificates at scale. These sample scripts must be reviewed, tested in a pilot environment, and executed in sequence via elevated PowerShell before broad enterprise deployment. Post-migration, certificate state should be validated using Confirm-SecureBootUEFI and event logs monitored for Secure Boot-related errors.
Indicators
- C:\Windows\SecureBoot\ExampleRolloutScripts folder present after installing KB5089549
- Seven new PowerShell (.ps1) scripts visible under the ExampleRolloutScripts directory
- Enterprise requirement to migrate or rotate Secure Boot certificates across managed devices
- Secure Boot certificate management tasks required following Microsoft infrastructure update
Likely causes
- Installation of Windows 11 cumulative update KB5089549 (May 2026) which ships the sample toolkit
- Microsoft initiative to update and rotate Secure Boot certificate infrastructure
- Deprecation or lifecycle expiry of existing Secure Boot certificates requiring migration
- Enterprise requirement to manage Secure Boot certificate changes at scale across heterogeneous device fleet
Diagnostic steps
-
Verify KB5089549 is installed: Get-HotFix -Id KB5089549
-
Confirm the ExampleRolloutScripts folder exists: Test-Path 'C:\Windows\SecureBoot\ExampleRolloutScripts'
-
List all seven PowerShell scripts: Get-ChildItem 'C:\Windows\SecureBoot\ExampleRolloutScripts' -Filter *.ps1
-
Review the content and inline documentation of each script before execution: Get-Content 'C:\Windows\SecureBoot\ExampleRolloutScripts\<ScriptName>.ps1'
-
Check current Secure Boot status on the device: Confirm-SecureBootUEFI — should return True on UEFI systems with Secure Boot enabled
-
Query current Secure Boot UEFI variables if needed for baseline documentation: Get-SecureBootUEFI -Name PK | Select-Object -ExpandProperty bytes
-
Run appropriate scripts with required parameters in an isolated test environment first, using an elevated PowerShell session; do not execute directly in production
-
Review script output and Secure Boot event logs for errors or warnings: Get-WinEvent -LogName 'Microsoft-Windows-Kernel-Boot/Operational' | Where-Object { $_.LevelDisplayName -ne 'Information' }
Resolution path
- Deploy cumulative update KB5089549 to target Windows 11 devices via your patch management tooling
- Confirm the ExampleRolloutScripts folder and all seven .ps1 files are present using Test-Path and Get-ChildItem
- Read and understand the purpose, parameters, and limitations of each script before any execution
- Document current Secure Boot certificate state on representative device models as a baseline (Get-SecureBootUEFI)
- Execute and validate scripts in a controlled pilot group covering key hardware models before enterprise rollout
- Run appropriate scripts in sequence using an elevated PowerShell session on production devices
- Validate Secure Boot certificate state post-migration using Confirm-SecureBootUEFI on a sample of devices
- Monitor Microsoft-Windows-Kernel-Boot/Operational event logs and endpoint management dashboards for Secure Boot anomalies following rollout
- Document the completed migration state and retain rollback artefacts
Prevention
- Maintain a structured patch management process to deploy cumulative updates promptly so Secure Boot tooling arrives with adequate lead time before certificate deadlines
- Document Secure Boot certificate configuration baselines for every hardware model in the environment before initiating migration
- Always test Microsoft-provided sample scripts in an isolated lab environment covering representative hardware before enterprise deployment
- Define and document rollback procedures (including UEFI firmware fallback steps) before executing any Secure Boot certificate changes
- Monitor Microsoft Security Response Center (MSRC) and Windows release health advisories for Secure Boot certificate lifecycle announcements
- Ensure UEFI firmware is current on all enterprise devices prior to migration to avoid certificate compatibility issues
- Scope pilot rings in Intune or SCCM to catch failures on minority hardware configurations before broad deployment
Tools
- PowerShell (elevated)
- Get-HotFix cmdlet
- Confirm-SecureBootUEFI cmdlet
- Get-SecureBootUEFI cmdlet
- Set-SecureBootUEFI cmdlet
- C:\Windows\SecureBoot\ExampleRolloutScripts (7 sample scripts shipped with KB5089549)
- Windows Event Viewer — Microsoft-Windows-Kernel-Boot/Operational log