Microsoft Intune - Preparing Intune Devices for Secure Boot Certificate Updates 2026

  • Writer: Mr B SOE way
  • 23 hours ago
  • 3 min read

Microsoft is retiring the original Secure Boot certificates introduced in 2011; they expire throughout 2026. Every Windows device that uses Secure Boot depends on these certificates, so IT must prepare managed fleets in advance. Secure Boot checks that boot components are signed and trusted before the OS starts; that trust is based on certificates in the device’s UEFI firmware. When the 2011 certificates expire, devices that have not transitioned to the new 2023 certificate chain may stop validating newer Secure Boot components, miss security updates, or in some cases fail to boot.


If devices do not receive the new Secure Boot certificates before the 2026 expiration, you can run into:


  • Blocked security updates: After the expiration window (e.g. from June 2026), devices may be unable to install Secure Boot–related updates, leaving boot components exposed.

  • Third-party trust: Software and drivers signed with the 2023 chain will not be trusted on devices that still only have the old certificates.

  • Windows Boot Manager: After October 2026, fixes for Windows Boot Manager may not apply to devices that have not transitioned.

  • Future compatibility: New Windows versions and security features may assume the new chain; devices on the old chain can hit compatibility or boot issues.


Make sure to apply this to a pilot group before deploying it to the rest of the fleet:

Navigate to https://intune.microsoft.com/ > Create > New Policy > Settings Catalog > Add Settings, and search for Secure Boot.

  • Configure High Confidence Opt Out = Disabled

    • Use opt-out only for specific exception devices that have been validated; do not enable it broadly or those devices will not get the required update.

  • Configure Microsoft Update Managed Opt In = Enabled

  • Enable Secureboot Certificate Updates = Enabled. This initiates the deployment of the new Secure Boot certificates and the related updates.

If devices are not managed in Intune, you can opt in by setting the same registry value with PowerShell (run elevated):

# Opt the device in to the Microsoft Update managed Secure Boot certificate rollout
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\"
$Name = "MicrosoftUpdateManagedOptIn"
$Value = 1
# Create the key if it does not exist, then write the DWORD value
if (!(Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWORD


After this value is set, the device is eligible to receive the certificate update during normal Windows Update cycles; Microsoft controls the exact timing.


To monitor certificate update status, you can use a remediation (detection) script that reads the UEFI Secure Boot db and checks whether the new certificate is present. The script below exits 0 when the 2023 CA is found and 1 otherwise, so Intune reports the device as compliant or non-compliant:

try {
    # Read the Secure Boot signature database (db) from UEFI; requires elevation
    $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
    # The certificate subject is stored as plain ASCII inside the DER-encoded db entries
    $dbString = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    if ($dbString -match 'Windows UEFI CA 2023') {
        Write-Output "Compliant: Windows UEFI CA 2023 present."
        exit 0
    } else {
        Write-Output "Non-Compliant: Windows UEFI CA 2023 not found."
        exit 1
    }
} catch {
    # Secure Boot not supported, not enabled, or the script is not running elevated
    Write-Output "Error: Unable to read Secure Boot UEFI database."
    exit 1
}

For visibility, check the registry under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing for these values:

  • UEFICA2023Status: e.g. “Updated” when done.

  • WindowsUEFICA2023Capable: 2 = capable, 1 = not yet, 0 = not capable.

  • UEFICA2023Error: 0 or null = no error.

Interpret them as follows:

  • If the certificate is present in the UEFI db, the device is compliant.

  • If Status is “Updated” and Capable is 2 but the cert is not yet in the db, the update may be pending a reboot.

  • If Status is empty and Capable is 2, the device is opted in and waiting for the update.

  • If Capable is 1 or 0, the device may need a firmware update or may not support the new chain.

  • If Error is non-zero, investigate manually.

Use these checks in a Proactive Remediation detection script or a custom report to track rollout.
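The following detection script is an added example, not code from the original post: it combines the Servicing registry values above with the UEFI db check and classifies the device into one of the rollout states just described (compliant, pending reboot, waiting, not capable, error). The function names are my own; the registry key and value names are the ones listed above. It assumes it runs elevated, as Intune remediation scripts do under SYSTEM.

```powershell
# Added example (not from the original post). Classifies Secure Boot 2023 CA rollout state
# from the Servicing registry key plus the UEFI db, and exits 0 only when compliant.
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Get-SecureBootServicingState {
    # Read the three values described in the post; missing values come back as $null
    $props = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Status  = $props.UEFICA2023Status           # e.g. 'Updated' when done
        Capable = $props.WindowsUEFICA2023Capable   # 2 = capable, 1 = not yet, 0 = not capable
        Error   = $props.UEFICA2023Error            # 0 or null = no error
    }
}

function Test-WindowsUefiCa2023InDb {
    # $true when the 2023 CA is in the UEFI db, $false when not, $null when the db cannot be read
    try {
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        return ([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023')
    } catch {
        return $null
    }
}

function Get-SecureBootRolloutState {
    param(
        $Servicing = (Get-SecureBootServicingState),
        $InDb      = (Test-WindowsUefiCa2023InDb)
    )
    if ($null -eq $InDb) {
        return 'Error: unable to read the UEFI db (not elevated, or Secure Boot unsupported/disabled)'
    }
    if ($InDb) {
        return 'Compliant: Windows UEFI CA 2023 present in the UEFI db'
    }
    if ($Servicing.Error -and $Servicing.Error -ne 0) {
        return "Error: UEFICA2023Error=$($Servicing.Error); investigate manually"
    }
    if ($Servicing.Capable -eq 2 -and $Servicing.Status -eq 'Updated') {
        return 'Pending: update applied, cert not yet in db; reboot likely required'
    }
    if ($Servicing.Capable -eq 2 -and [string]::IsNullOrEmpty($Servicing.Status)) {
        return 'Waiting: device opted in, update not yet delivered'
    }
    if ($Servicing.Capable -in 0, 1) {
        return "Not capable (WindowsUEFICA2023Capable=$($Servicing.Capable)): firmware update may be needed"
    }
    return 'Unknown: review the Servicing key manually'
}

$state = Get-SecureBootRolloutState
Write-Output $state
# Intune treats exit 0 as compliant; every other state surfaces for remediation or reporting
if ($state -like 'Compliant*') { exit 0 } else { exit 1 }
```

Upload this as the detection script of a remediation, with no remediation script attached (the rollout itself is driven by Windows Update), and use the output column in the remediation report to see how many devices sit in each state.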
