Hi Jason_Sandys, could you offer some clarity on this fix please? I logged a case with MS Premier Support prior to seeing this page and have been told our only option is to manually deploy registry settings or use Group Policy. When mentioning your comment on the support ticket I received the response below, which has left me confused as it suggests the service-side fix will not apply to all endpoints. Thanks
Yes — the comment refers to a service‑side improvement that Microsoft has already implemented. This change is being rolled out gradually across devices, and no local action is required on managed devices for that service‑side change.
Even with the service‑side improvement in place, devices originally shipped with Windows Pro OEM and later upgraded to Enterprise via subscription activation still perform an OS‑level licensing check.
This results in:
- Intune successfully delivering the Secure Boot policy
- Windows locally rejecting it due to licensing evaluation
- The device reporting error 65000
This rejection happens before the service‑side fix can take effect, which is why some estates see success and others still see the error.
At this time, there is no confirmed additional OS‑level fix or timeline for devices upgraded from Pro → Enterprise via subscription activation.
The service‑side improvement helps many devices, but it does not override the OS‑level licensing gate that blocks Secure Boot configuration on these specific devices.