Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
On the panel: Arden White; Scott Shell; Richard Powell; Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
327 Comments
- Chris Huzyk (Occasional Reader)
- knmcelhaney (Copper Contributor)
Is there something we can reference to determine if Microsoft is pushing the update to a model yet?
- vuEric (Occasional Reader)
What, if any, impact will this have on SecureBoot enabled devices running a Linux OS?
- Eric_HL (Copper Contributor)
Is there a timeline when it will be possible to manage Cert Update Settings via Intune (without running into Error 65000)?
- TobiA (Brass Contributor)
Is there a list of device models and firmware versions that should already get the update through LCU?
- ngocau (Occasional Reader)
We applied this script from here, and after a reboot, the BIOS was updated. Is this normal behavior?
https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Manually reboot the system when the AvailableUpdates becomes 0x4100
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
- v-joshnash (Microsoft)
Saw there is a known issue where Secure Boot configuration settings deployed through Microsoft Intune Mobile Device Management (MDM) are currently blocked on Pro editions of Windows 10 and Windows 11. What do you do if clients are reporting as Professional edition in slmgr, but they are running as Enterprise via subscription? Currently seeing the 65000 error and Intune is unable to apply the Intune configurations. Is setting this via remediation script the only option for Intune managed devices currently?
- Id_Jamie (Copper Contributor)
Have you got screenshots, for all vendor OEM BIOSes, of the UEFI settings that need to be enabled? You say it should be default now, but I have seen devices not having UEFI CA Enabled and failing to update correctly.
- Flavius (Copper Contributor)
Hello,
I have a similar issue:
After deploying the Enable Secureboot Certificate Updates policy via Intune, the following error shows up: 65000.
Also, the event IDs 404 and 827 indicate that the policy is rejected due to licensing or Command failure.
Could you please clarify? Thank you.
- josephcoco (Occasional Reader)
Are there specific instructions on how to deploy this remediation using MECM with, maybe, a task sequence? If so, can you please direct them to me?
And as someone else also mentioned, can you also please provide instructions on how to update the boot manager within SCCM for PXE booting? We just recently upgraded our ADK in early August 2025 to 10.0.26100.2454. What else needs to be done or downloaded for SCCM PXE booting?