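###############################################################################################################
# It is recommended to test this data collection script on a few machines to ensure it meets your requirements.
# ManageEngine is not responsible for any damage/loss to the data/setup based on the behavior of the script.
###############################################################################################################

# NOTE: despite the template header above, this script changes system state. It writes the
# SecureBoot\AvailableUpdates registry value and starts the Secure-Boot-Update scheduled task.
# Writing under HKLM:\SYSTEM and starting that task normally requires an elevated
# (administrator or SYSTEM) context.

# Registry key and value name that this script writes to request Secure Boot updates.
$SecureBootRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"
$AvailableUpdatesName = "AvailableUpdates"

<#
.SYNOPSIS
    Requests a Secure Boot update by setting AvailableUpdates and starting the servicing task.

.DESCRIPTION
    Reads the current AvailableUpdates value. If it is non-zero, resets it to 0, then writes
    0x5944 and starts the "\Microsoft\Windows\PI\Secure-Boot-Update" scheduled task.

    Failures are reported with Write-Host and are not re-thrown, so a caller that needs to
    detect failure has to inspect the output.
    NOTE(review): the script's exit code does not appear to reflect failure - confirm how the
    deployment console evaluates the result.

    Start-ScheduledTask only starts the task. This function neither waits for it nor verifies
    the outcome. Confirm the result separately, for example by re-reading AvailableUpdates and
    reviewing the System event log.

.NOTES
    NOTE(review): 0x5944 appears to be the bitmask that Microsoft's Secure Boot certificate
    guidance lists for applying the full set of certificate and boot manager updates. Confirm
    this against the current guidance before a broad rollout. This function does not check
    whether Secure Boot is enabled on the device.
#>
function Trigger-SecureBootUpdate {
    try {
        # A missing key or value is tolerated here: $prop stays empty and the value is treated as 0.
        $currentUpdates = 0
        $prop = Get-ItemProperty -Path $SecureBootRegPath -Name $AvailableUpdatesName -ErrorAction SilentlyContinue
        if ($prop) {
            $currentUpdates = $prop.$AvailableUpdatesName
        }

        # Reset any previously requested bits before writing the new request.
        if ($currentUpdates -ne 0) {
            try {
                # -ErrorAction Stop: provider errors (e.g. access denied) are non-terminating by
                # default and would bypass this catch block.
                Set-ItemProperty -Path $SecureBootRegPath -Name $AvailableUpdatesName -Value 0 -Type DWord -Force -ErrorAction Stop
            } catch {
                Write-Host "Failed to clear AvailableUpdates: $($_.Exception.Message)"
            }
        }

        # Trigger Secure Boot update
        try {
            # -ErrorAction Stop on the registry write ensures the task is not started when the
            # request value could not be written. On Start-ScheduledTask it surfaces a missing
            # or inaccessible task instead of ending silently.
            Set-ItemProperty -Path $SecureBootRegPath -Name $AvailableUpdatesName -Value 0x5944 -Type DWord -Force -ErrorAction Stop
            Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" -ErrorAction Stop
        } catch {
            Write-Host "Failed to trigger Secure Boot update: $($_.Exception.Message)"
        }
    } catch {
        Write-Host "Unexpected error in Trigger-SecureBootUpdate: $($_.Exception.Message)"
    }
}

Trigger-SecureBootUpdate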