(205) Microsoft Intune - Preparing Intune Devices for Secure Boot Certificate Updates 2026
- Mr B SOE way
- Apr 7
- 3 min read
Updated: Apr 16
Microsoft is retiring the original Secure Boot certificates introduced in 2011; they expire throughout 2026. Every Windows device that uses Secure Boot depends on these certificates, so IT must prepare managed fleets in advance. Secure Boot checks that boot components are signed and trusted before the OS starts; that trust is based on certificates in the device’s UEFI firmware. When the 2011 certificates expire, devices that have not transitioned to the new 2023 certificate chain may stop validating newer Secure Boot components, miss security updates, or in some cases fail to boot.
If devices do not receive the new Secure Boot certificates before the 2026 expiration, you can run into:
Blocked security updates: After the expiration window (e.g. from June 2026), devices may be unable to install Secure Boot–related updates, leaving boot components exposed.
Third-party trust: Software and drivers signed with the 2023 chain will not be trusted on devices that still only have the old certificates.
Windows Boot Manager: After October 2026, fixes for Windows Boot Manager may not apply to devices that have not transitioned.
Future compatibility: New Windows versions and security features may assume the new chain; devices on the old chain can hit compatibility or boot issues.
Make sure to apply this to a pilot group before deploying it to the rest of the fleet:
Navigate to https://intune.microsoft.com/ > Create > New Policy > Settings Catalog > Add Settings, and search for Secure Boot.
Configure High Confidence Opt Out = Disabled
Use opt-out only for specific exception devices that have been validated; do not enable it broadly, or those devices will not receive the required update.
Configure Microsoft Update Managed Opt In = Enabled
Enable Secureboot Certificate Updates = Enabled. This initiates deployment of the new Secure Boot certificates and the related updates.

Deploying Allow Telemetry Policy
The Secure Boot and driver/firmware reports depend on diagnostic data from the device. To avoid the alert type 'Device Diagnostic Data Not Received' when checking firmware updates in Reports for drivers, deploy the 'Allow Telemetry' policy below to all devices.

Navigate to https://intune.microsoft.com/ > Create > New Policy > Settings Catalog > Add Settings, and search for Telemetry.
Allow device name to be sent in Windows diagnostic data = Allowed
Allow Telemetry = Full
Configure Telemetry Opt In Settings Ux = Disable Telemetry opt-in Settings
How to view Secure Boot Reports
Navigate to https://intune.microsoft.com/ > Reports > Under Windows Autopatch > Windows quality updates > Reports > Secure Boot Status.

For devices where Secure Boot Enabled is set to 'No'

You can find both the detection and remediation scripts in the GitHub repo.

When deployed, you will get these results:

To see what the 'Errors' mean, select Columns and add 'Pre-remediation detection output' and 'Post-remediation detection output'.

For devices with Secure Boot Enabled = No, the 'Pre-remediation detection output' reports that Secure Boot needs to be enabled.

Once Secure Boot has been enabled in the BIOS/UEFI firmware setup, you will get this message:
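As an added example (this is not the detection script from the author's GitHub repo), here is a detection script for the 'Secure Boot Enabled = No' case that distinguishes the three states a practitioner actually has to act on: Secure Boot on, UEFI firmware with Secure Boot off, and legacy BIOS/CSM boot where Secure Boot cannot simply be switched on. The function name and the output strings are my own; the registry path under SecureBoot\State is the one Windows writes at boot.

```powershell
# Added example: Intune remediation DETECTION script for "Secure Boot Enabled = No".
# Exit 0 = compliant, exit 1 = non-compliant. The single line written to the output
# stream is what shows up in the 'Pre-remediation detection output' column.
# Assumes it runs elevated (SYSTEM) in 64-bit PowerShell, as Intune remediations do
# when "Run script in 64-bit PowerShell" is set to Yes.

function Get-SecureBootState {
    # Returns one of: 'Enabled', 'Disabled', 'LegacyBios', 'Unknown'
    if (-not (Get-Command Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)) {
        # SecureBoot module not available (e.g. 32-bit host on 64-bit Windows)
        return 'Unknown'
    }
    try {
        if (Confirm-SecureBootUEFI) { return 'Enabled' }
        return 'Disabled'
    } catch {
        # On legacy BIOS / CSM firmware the cmdlet throws PlatformNotSupportedException
        # ("Cmdlet not supported on this platform").
        if ($_.Exception -is [System.PlatformNotSupportedException]) { return 'LegacyBios' }

        # Any other failure: fall back to the state the kernel recorded at boot.
        $state = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State' `
                                  -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue
        if ($null -eq $state) { return 'Unknown' }
        if ($state.UEFISecureBootEnabled -eq 1) { return 'Enabled' }
        return 'Disabled'
    }
}

$state = Get-SecureBootState
switch ($state) {
    'Enabled' {
        Write-Output 'Compliant: Secure Boot is enabled.'
        exit 0
    }
    'Disabled' {
        Write-Output 'Non-Compliant: UEFI firmware with Secure Boot disabled. Enable Secure Boot in firmware setup.'
        exit 1
    }
    'LegacyBios' {
        Write-Output 'Non-Compliant: legacy BIOS/CSM boot. Convert the system disk to GPT (mbr2gpt) and switch the firmware to UEFI mode before enabling Secure Boot.'
        exit 1
    }
    default {
        Write-Output 'Error: unable to determine Secure Boot state (run in 64-bit PowerShell as SYSTEM).'
        exit 1
    }
}
```

Note that a remediation script cannot turn Secure Boot on by itself: the switch lives in firmware setup, so the paired remediation can only record the required change (or invoke an OEM firmware-configuration tool where one exists), and the device stays non-compliant until the firmware change has been made and it has rebooted.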

Devices not managed by Intune
For devices not managed by Intune, or as a fallback when the policy has not applied, set the opt-in directly in the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot create a DWORD value named MicrosoftUpdateManagedOptIn. Microsoft's guidance specifies 0x5944 (decimal 22852) as the opt-in value for this key, not 1.
# Opt the device in to Microsoft-managed Secure Boot certificate updates (run elevated)
$Path  = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"
$Name  = "MicrosoftUpdateManagedOptIn"
$Value = 0x5944   # opt-in value documented by Microsoft for this key
if (!(Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWORD
After this value is set, the device is eligible to receive the certificate update during normal Windows Update cycles; Microsoft controls the exact timing.
To monitor certificate update status, you can use remediation scripts to see which devices have received the new certificate.
# Detection script: is the 'Windows UEFI CA 2023' certificate present in the UEFI db?
# Exit 0 = compliant, exit 1 = non-compliant or unable to read the variable.
try {
    # Get-SecureBootUEFI needs elevation and 64-bit PowerShell.
    $db = Get-SecureBootUEFI -Name db
    # The certificate subject is stored as ASCII inside the DER blob, so a string match works.
    $dbString = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    if ($dbString -match 'Windows UEFI CA 2023') {
        Write-Output "Compliant: Windows UEFI CA 2023 present."
        exit 0
    } else {
        Write-Output "Non-Compliant: Windows UEFI CA 2023 not found."
        exit 1
    }
} catch {
    Write-Output "Error: Unable to read Secure Boot UEFI database."
    exit 1
}
For visibility, also check the registry under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing:
UEFICA2023Status: e.g. "Updated" when the update has been applied.
WindowsUEFICA2023Capable: 2 = capable, 1 = not yet, 0 = not capable.
UEFICA2023Error: 0 or null = no error.
Read the values together:
If the certificate is present in the UEFI db, the device is compliant.
If Status is "Updated" and Capable is 2 but the certificate is not yet in the db, the update may be pending a reboot.
If Status is empty and Capable is 2, the device is opted in and waiting for the update.
If Capable is 1 or 0, the device may need a firmware update or may not support the new chain.
If Error is non-zero, investigate manually.
Use these checks in a Proactive Remediation detection script or a custom report to track the rollout.
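The following is an added example (not code from the original post) that folds the db check above and the Servicing registry values into one detection script, with the decision rules just listed implemented as a separate pure function so the classification can be reasoned about and tested without touching a device. The registry value names are those named above; the function names, state labels and output format are my own assumptions.

```powershell
# Added example: Intune remediation DETECTION script combining the UEFI db check with the
# SecureBoot\Servicing registry values. Exit 0 = compliant, exit 1 = needs attention.
# Assumes it runs elevated (SYSTEM) in 64-bit PowerShell.

$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Test-DbHasWindowsUefiCa2023 {
    # $true when the 'Windows UEFI CA 2023' certificate is in the UEFI db variable.
    # The subject name is ASCII inside the DER-encoded signature list, so a string match is enough.
    $db = Get-SecureBootUEFI -Name db
    return ([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023')
}

function Resolve-UefiCa2023State {
    # Pure decision logic (no I/O) implementing the rules from the text:
    #   Error non-zero                 -> 'Error'
    #   cert in db                     -> 'Compliant'
    #   Status 'Updated', Capable 2    -> 'PendingReboot'
    #   Status empty,     Capable 2    -> 'WaitingForUpdate'
    #   Capable 1 or 0                 -> 'FirmwareNotReady'
    #   anything else                  -> 'Unknown'
    param(
        [bool]          $DbHasCa2023,
        [string]        $Status,      # UEFICA2023Status, e.g. 'Updated', or empty/$null
        [Nullable[int]] $Capable,     # WindowsUEFICA2023Capable: 2, 1, 0 or $null
        [Nullable[int]] $ErrorCode    # UEFICA2023Error: 0 or $null = no error
    )
    if ($null -ne $ErrorCode -and $ErrorCode -ne 0)           { return 'Error' }
    if ($DbHasCa2023)                                         { return 'Compliant' }
    if ($Status -eq 'Updated' -and $Capable -eq 2)            { return 'PendingReboot' }
    if ([string]::IsNullOrEmpty($Status) -and $Capable -eq 2) { return 'WaitingForUpdate' }
    if ($Capable -eq 1 -or $Capable -eq 0)                    { return 'FirmwareNotReady' }
    return 'Unknown'
}

# Example of the pure function on constructed values (not read from a device):
#   Resolve-UefiCa2023State -DbHasCa2023 $false -Status 'Updated' -Capable 2 -ErrorCode 0
#   returns 'PendingReboot'.

try {
    # Servicing key may not exist yet on a device that has never processed the update.
    $svc = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    $state = Resolve-UefiCa2023State -DbHasCa2023 (Test-DbHasWindowsUefiCa2023) `
                                     -Status    $svc.UEFICA2023Status `
                                     -Capable   $svc.WindowsUEFICA2023Capable `
                                     -ErrorCode $svc.UEFICA2023Error
} catch {
    Write-Output "Error: unable to read Secure Boot UEFI database ($($_.Exception.Message))"
    exit 1
}

# One line of output becomes the detection-output column in the Intune report.
Write-Output ("{0}: Status='{1}' Capable={2} Error={3}" -f $state,
    $svc.UEFICA2023Status, $svc.WindowsUEFICA2023Capable, $svc.UEFICA2023Error)

switch ($state) {
    'Compliant'        { exit 0 }
    'PendingReboot'    { exit 1 }   # not healthy until the db actually contains the cert
    'WaitingForUpdate' { exit 1 }   # opted in; Microsoft controls delivery timing
    'FirmwareNotReady' { exit 1 }   # check for an OEM firmware update
    'Error'            { exit 1 }   # investigate manually
    default            { exit 1 }
}
```

Keeping the classification in a function that takes plain values means you can exercise every branch with constructed inputs before deploying, and the state label in the first word of the output makes the report filterable by state rather than by free text.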
I would also recommend deploying this remediation script for Secure Boot; its output shows the changes needed: