How NTS Used AI and Automation to Simplify the Secure Boot 2026 Transition
A case study
When Microsoft announced its Secure Boot 2026 certificate update, it sounded straightforward enough: update the firmware, install the latest patches, and move on.
In reality, a lot of businesses are finding the process to be much more involved than they expected.
A successful Secure Boot transition needs multiple layers of validation, staged remediation, and careful coordination between firmware, Windows security updates, BitLocker, and certificate verification. Miss a step, and businesses could be left with non-compliant devices, or worse, widespread BitLocker recovery lockouts.
Rather than treating it like another routine update, we saw an opportunity to build something smarter.
Here is how we used AI and automation to make the Secure Boot transition so much easier.
The Challenge
One of the biggest misconceptions about the Secure Boot 2026 transition is that it’s simply a BIOS update.
It really isn’t.
Every device has to be evaluated individually.
Some systems need BitLocker suspended before any changes can be made.
Others require Secure Boot to be enabled, a BIOS or firmware update, specific Microsoft security updates, or verification that the new 2023 certificate was actually deployed.
Once everything is complete, BitLocker protection needs to be restored.
To make things even more complicated, not every device follows the same path. Different manufacturers, hardware generations, and Windows update levels all influence what needs to happen next. A device that’s current on its BIOS, for example, may still need Microsoft security updates. Another might need firmware updates before it can receive the new certificates.
In other words, it’s a staged process that requires the right actions, in the right order, on every single machine.
It’s complex and tedious.
Why We Took a Different Approach
As we mapped out the remediation process, it became clear that this wasn’t something we wanted to manage with spreadsheets, manual tracking, or one-size-fits-all deployments.
Every endpoint had to be evaluated individually, and every remediation step had to happen in the right order.
Our goal was to build a process that could safely scale across hundreds (or even thousands) of devices while giving our engineers complete visibility into where every machine stood.
Our Solution
Instead of treating every device the same, we built a staged remediation program that evaluates what each machine actually needs before taking action.
Using Datto RMM, remediation jobs are deployed only where they’re required. BitLocker is safely suspended before changes are made, required firmware and Microsoft’s security updates are applied where needed, and BitLocker protection is restored once the transition is complete.
Behind the scenes, every device is classified based on its current status. Rather than a simple “Pass” or “Fail”, our system identifies exactly which stage each machine is in: BitLocker preparation, Secure Boot enablement, a BIOS update, Microsoft security updates, certificate verification, or escalation.
Datto handles the execution while our custom portal brings everything together into a single fleet view. That gives our team a clear picture of overall progress, what’s been completed, and what still needs attention.
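As an added illustration (not NTS's portal or script code), the staged classification described above can be sketched as an ordered decision over one inventory record per device, so each machine gets exactly one next stage and the fleet view is a count per stage. The record fields, stage names, the three-attempt escalation limit and the sample fleet are assumptions constructed for this example; the pending-reboot check mirrors the guardrail the article mentions.

```python
from collections import Counter
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed retry limit before an engineer takes over

@dataclass
class Device:                      # hypothetical inventory record
    name: str
    bitlocker: str                 # "on", "suspended" or "off"
    secure_boot_on: bool
    firmware_current: bool
    windows_updates_current: bool
    ca2023_present: bool           # new 2023 certificate verified on the device
    uefi: bool = True              # Secure Boot requires UEFI firmware
    pending_reboot: bool = False
    failed_attempts: int = 0

def classify(d: Device) -> str:
    """Return the single next stage for a device; the order of checks matters."""
    if not d.uefi or d.failed_attempts >= MAX_ATTEMPTS:
        return "escalate"
    if d.pending_reboot:           # guardrail: never stack changes on a pending reboot
        return "wait_for_reboot"
    if (d.secure_boot_on and d.firmware_current
            and d.windows_updates_current and d.ca2023_present):
        return "restore_bitlocker" if d.bitlocker == "suspended" else "complete"
    if d.bitlocker == "on":        # suspend before touching firmware or boot settings
        return "bitlocker_prep"
    if not d.secure_boot_on:
        return "enable_secure_boot"
    if not d.firmware_current:
        return "bios_update"
    if not d.windows_updates_current:
        return "windows_updates"
    return "verify_certificate"

def fleet_view(devices) -> Counter:
    """Stage counts for a dashboard instead of one pass/fail figure."""
    return Counter(classify(d) for d in devices)

FLEET = [  # constructed sample data
    Device("PC-01", "on", True, False, True, False),
    Device("PC-02", "suspended", True, False, True, False),
    Device("PC-03", "suspended", True, True, True, False),
    Device("PC-04", "suspended", True, True, True, True),
    Device("PC-05", "on", True, False, True, False, failed_attempts=3),
    Device("PC-06", "suspended", True, False, True, False, pending_reboot=True),
]

if __name__ == "__main__":
    for stage, count in fleet_view(FLEET).items():
        print(f"{stage:20} {count}")
```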
How AI Helped
The Secure Boot 2026 transition doesn’t come with a single playbook.
Microsoft, Dell, and Lenovo each have their own guidance, update requirements, verification steps, and remediation paths. Bringing all of that together into one repeatable process would have taken significant time if done manually.
We used AI to help consolidate those playbooks into a single staged workflow. This made it much easier to determine which devices needed firmware updates, Microsoft security updates, or both.
AI also accelerated the development of the automation scripts by helping build logic to evaluate device state, automate remediation, and incorporate guardrails for common failure scenarios like pending reboots, locked files, and blocked installers.
AI also helped us build the reporting dashboard that gives our team visibility into every stage of the remediation process. Instead of seeing a single “non-compliant” status, we can quickly identify whether a device is waiting on Windows updates, certificate verification, firmware, or another remediation step. This makes it much easier to prioritize the next action.
The Results
By combining AI, automation, and custom reporting, we turned a complex, multi-step remediation process into a structured program that’s easier to manage at scale.
Our engineers can quickly identify which devices need firmware updates, Microsoft security updates, certificate verification, or additional attention, all from a single dashboard.
Datto handles execution, while our custom portal provides visibility into every stage of the transition.
The result is a proactive, repeatable process that helps organizations prepare for the Secure Boot June 2026 deadline with less manual effort and minimal disruption to end users.
Complex IT projects don’t have to become operational headaches.
Whether you’re preparing for a major security initiative, automating repetitive processes, or building custom solutions with AI, our team can help you get there faster. Contact us for your complimentary IT assessment to get started.



