
Verify if a device belongs to the HighConfidenceBucket for installing Secure Boot CA2023
Microsoft installs the BucketConfidenceData cab file, which contains the Secure Boot High Confidence Database for all devices, onto Windows consumer and enterprise devices (Windows 11 version 24H2 or later) through cumulative updates. The file is installed on devices where Microsoft is rolling out features and updates grouped by behavioral attributes (BucketID).The system places the file at %SystemRoot%\System32\SecureBootUpdates\ so that Windows can evaluate Secure Boot certificate update readiness.
It consists of per-vendor JSON files containing SHA256 hashed device attributes grouped into distinct confidence classifications. If your specific device bucket (identified by your BucketID) has a successful track record, the device is marked as "High Confidence" and receives necessary certificate updates automatically during monthly security patches.
This script, Get-SecureBootHighConfidenceDatabase.ps1, for which you need Powershell v. 7.0 or higher, determines the Secure Boot certificate update confidence level of your device based on the local copy of the High Confidence database provided by Microsoft:
https://gist.github.com/SMSAgentSoftware/a97f002333bd6521222381c2be7ea4e2
Here a bit more on this: https://smsagent.blog/2026/03/13/viewing-the-secure-boot-high-confidence-database-with-powershell/