Short Answer
No. The Secure Boot certificate updates that Microsoft began rolling out for the 2026 certificate expirations are not delivered as discrete patches through Automox patch policies. They are handled by Windows' own Secure Boot servicing process, gated behind a Microsoft opt-in mechanism and applied across reboots, rather than as an installable update that Automox detects and deploys.
This is consistent with how Automox patching works in general: Automox installs the updates that the device's own update source (Windows Update / WSUS) surfaces as installable items. The Secure Boot certificate update is not surfaced that way, so it falls outside the patch-policy model.
Background
Secure Boot certificates originally issued in 2011 begin expiring in June 2026. To maintain early-boot protections, Microsoft is updating devices with 2023 certificates. Microsoft manages this rollout automatically for many devices through Windows Update servicing, and provides separate methods for organizations that manage their own updates.
Per Microsoft, the documented deployment methods are a registry opt-in key, Group Policy, Microsoft Intune, and WinCS APIs. In all cases, the certificate enrollment itself is carried out by the Windows Secure Boot servicing components over one or more reboots, with progress tracked in status registry values such as UEFICA2023Status.
Where Automox Fits
Automox patch policies still play a supporting role:
- Underlying Windows updates: The monthly cumulative and servicing-stack updates that provide the Secure Boot servicing capability are normal Windows updates. If the device's update source surfaces them, Automox patch policies install them like any other update. Keeping devices current is a prerequisite for the certificate servicing to function.
- What patch policies do not do: A patch policy does not write Secure Boot certificates to UEFI firmware, and there is no catalog item that performs the certificate enrollment.
If you want to drive the rollout itself (for example, setting Microsoft's opt-in registry value or orchestrating the required reboots), that is a scripting task rather than a patching task, and would be handled through a Worklet rather than a patch policy. The certificate enrollment is still performed by Windows, not by Automox.
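To track rollout progress across a fleet, a Worklet evaluation script can read the status value without changing anything on the device. The PowerShell below is an added example, not Automox's or Microsoft's own code. Assumptions to check against Microsoft's and Automox's current documentation: the `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` key location, the `Updated` status string, and the exit-code convention (0 means compliant); the function name `Get-SecureBootCertStatus` is hypothetical.

```powershell
# Added example: read-only check of Secure Boot certificate servicing status.
# Assumption: status values live under this key (verify against Microsoft's guidance).
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Get-SecureBootCertStatus {
    $result = [ordered]@{
        SecureBootEnabled = $null
        UEFICA2023Status  = $null
        Compliant         = $false
        Detail            = ''
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS or when run without elevation.
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result.Detail = "Secure Boot state unavailable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if (-not $result.SecureBootEnabled) {
        $result.Detail = 'Secure Boot is disabled on this device.'
        return [pscustomobject]$result
    }

    # A missing key or value usually means the servicing updates are not installed yet.
    $props = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.UEFICA2023Status) {
        $result.Detail = 'UEFICA2023Status not present; check that Windows updates are current.'
        return [pscustomobject]$result
    }

    $result.UEFICA2023Status = [string]$props.UEFICA2023Status
    # Assumption: 'Updated' is the value Windows writes once enrollment has completed.
    $result.Compliant = ($result.UEFICA2023Status -eq 'Updated')
    $result.Detail = if ($result.Compliant) { 'Enrollment complete.' }
                     else { 'Enrollment not complete; Windows applies it across reboots.' }
    return [pscustomobject]$result
}

$status = Get-SecureBootCertStatus
# One JSON line per device keeps the Worklet activity log easy to filter.
Write-Output ($status | ConvertTo-Json -Compress)

# Assumption: exit 0 marks the device compliant, non-zero flags it for follow-up.
if ($status.Compliant) { exit 0 } else { exit 1 }
```

The script only reports; it does not set the opt-in value or trigger enrollment, which Windows still performs.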
Recommended Path
Follow Microsoft's guidance for the Secure Boot certificate rollout using the method that fits your environment (Microsoft-managed, registry, Group Policy, or Intune), and use Automox to keep the underlying Windows updates current. See Microsoft's documentation below.