Event details
Want to ensure you maintain a trusted boot environment for your Windows devices? Walk through essential guidance - including how to test firmware, monitor device readiness, deploy updated certificates, and diagnose issues using the latest tools and deployment aids. Learn what’s changing, why it matters, and how to ensure your fleet stays secure and compliant ahead of the deadline. Whether you manage a small set of devices or a large enterprise environment, you’ll leave with practical steps to confidently navigate this major Secure Boot update.
Speakers: Sochi Ogbuanya & Jordan Geurten
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, click Attend for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
54 Comments
- Stuart_Smiles (Copper Contributor)
What do people do where it's a non-business device, it's got win 11 but not on the boot certificates update list as only some devices have been added to it ?
How are normal users going to be able to do this ?
MS OEM list:
https://support.microsoft.com/en-us/topic/original-equipment-manufacturer-oem-pages-for-secure-boot-9ecc3ba4-fb50-4bd3-9e9b-f16b35b8fb68
Dell info:
hxxps://www.dell.com/support/kbdoc/en-us/000368610/how-to-update-secure-boot-active-database-from-bios
costs and Duration:
Is there a cost associated with the new certificates?
There is no direct cost for receiving the 2023 certificates using Windows Update, and the 2023 CAs are already available for free at [ hxxps://learn.microsoft.com/en-gb/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11]
However, BIOS updates for out-of-service devices may require manual intervention or service engagement, which could incur costs depending on support agreements.
>>
Dell devices supported list: - how do consumers resolve if their equipment is not on the lists for bios updates below, but does have win 11 ?
hxxps://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration#Lat
HP devices supported list:
hxxps://support.hp.com/us-en/document/ish_13070353-13070429-16
Lenovo Supported list: [ from MS List above ]
- Claude_Boucher_OEM (Copper Contributor)
Don't be afraid of the "minimum BIOS version required" or "compatible hardware" lists you can read on the LENOVO, DELL, HP, ... web sites. (In rare cases you need to upgrade your BIOS before using the MS CA 2023 process.)
BIOS updates from your OEM will provide certificates stored in a dedicated area of the firmware — but the certificates needed to start the Secure Boot chain are actually provided by Microsoft through the process they described. And of course there is absolutely no cost involved.
If you only have a few devices, the simplest path is just to let Windows Update handle it — it will deliver the necessary certificates and boot loader updates automatically.
see my other message ;)
- Arden_White
Microsoft
Hi Stuart_Smiles,
For home users, Secure Boot certificate updates are delivered automatically through Windows Update at no cost. OEM BIOS lists are provided for reference when firmware updates are required, but most Windows 11 devices do not need manual action unless the system reports a compatibility issue.
Arden
- InterstellarOverdrive (Copper Contributor)
The Intune policy still cannot be used, as I get an error on most of the clients: "Enable Secureboot Certificate Updates - Error 65000".
All of the clients are Entra-only joined Win11 Enterprise 24H2/25H2. Windows is activated with an M365 license. Will you fix this policy before June 26?
- Arden_White
Microsoft
Hi SCCM_Terror,
We recently discovered an issue with Windows 11 23H2 Enterprise/Pro where you would still get this error. A fix for this is planned for the April updates. It should be working with Windows 11 24H2 and 25H2.
Sorry for the inconvenience.
Arden
- Steven R Kister (Copper Contributor)
Still seeing the 65000 error on Windows 11 25H2. Followed the MS doc https://support.microsoft.com/en-us/topic/microsoft-intune-method-of-secure-boot-for-windows-devices-with-it-managed-updates-1c4cf9a3-8983-40c8-924f-44d9c959889d but the issue remains.
Resolution
The Microsoft Intune licensing service was updated on January 27, 2026, to allow Secure Boot configuration settings deployment on Pro editions of Windows 10 and Windows 11. Devices that received their Microsoft Intune license before this date will need to renew their license to resolve this issue. Licenses are automatically renewed every month, so this issue will be resolved for all devices by February 27, 2026. To resolve this issue immediately, you can renew the license on your device by running the following commands on the user's behalf (under the user's context):
- ClipDLS.exe removesubscription
- ClipRenew.exe
- Heather_Poulsen
Community Manager
Thanks for joining today’s session on “Secure Boot certificate updates explained” at Microsoft Technical Takeoff. Q&A will remain open through Friday so keep your comments and questions coming! Up next: Feedback wanted: App management in the enterprise
- MichaelHildebrand
Microsoft
I used this text, pasted into the Device Query field for a given device in Intune, to do a 'live' check of the device's status (as long as the device is online): "WindowsRegistry('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing')"
- jbennett (Copper Contributor)
Is MicrosoftUpdateManagedOptIn enabled by default, or must we take steps to set that value?
- Prabhakar_MSFT
Microsoft
This is an opt-in policy that enterprises need to enable to be opted into the Microsoft Managed Controlled Feature Rollout of certificate updates. Note that this requires enabling diagnostic data so that Microsoft has visibility into the device bucket and can run the Microsoft-managed rollout.
Refer to the following links:
Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support for details on the policy
Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support for Intune based policies
Configure Windows diagnostic data in your organization - Windows Privacy | Microsoft Learn for how to configure diagnostic data
- Arden_White
Microsoft
Hi jbennett,
MicrosoftUpdateManagedOptIn is not enabled by default. You must enable it and ensure that the devices are sending Diagnostic data. This works for client versions of Windows. If you are managing server or IoT devices, you should be sure to focus on getting those updated.
Arden
- VaishnavK1993 (Brass Contributor)
If the Secure Boot certificate is not updated on a small set of machines before the deadline and the certificate expires, what would be the recommended next steps to remediate those devices?
- Arden_White
Microsoft
Hi VaishnavK1993,
The devices will continue to boot and operate normally. The steps to get them remediated are the same as the steps before the certificates expire.
Test devices and apply across the devices. Update firmware where necessary.
There are a lot of good resources at this link below and these resources are being updated regularly.
Arden
- Prabhakar_MSFT
Microsoft
Hello VaishnavK1993, has your organization attempted installation of the certs and encountered errors when applying the updates? The Secure Boot Update task logs error events in the System event log indicating why the update could not be applied. In most cases the device may be in a known block list.
If your organization has not yet initiated the update process, Microsoft recommends testing on a few similar machines that represent your environment before applying the policy broadly. Devices that have known issues have been blocked, and you will see error 1802 under the TPM-WMI source in the System event log indicating that the update could not be installed due to a known issue. For most issues, OEMs may already have firmware updates available. If the OEM has a new firmware update available, it is recommended to install the latest available firmware updates to unblock the certificate updates.
- Heather_Poulsen
Community Manager
Welcome to “Secure Boot certificate updates explained” at Microsoft Technical Takeoff. Q&A is open now and throughout the week. Please post any questions or feedback here in the Comments. [Note: If your organization’s policies prevent you from seeing the video on this page, you can also tune in on LinkedIn.]
- InterstellarOverdrive (Copper Contributor)
One more question: do we need to update the SCCM boot images, or will they continue working after June 2026? We use ADK version 10.1.26100.1 (May 2024) and we are happy without updating to the latest ADK.
- ClientAdmin (Brass Contributor)
We also use ADK version 10.1.26100.1 (May 2024) and this is enough. Starting with SCCM/MEM 2509 there's a new option on every single boot image called "Use Windows Boot Loader signed with Windows UEFI CA 2023". This is for PXE boots and will only work if you use the SCCM PXE Responder (WDS-less).
But as long as you don't revoke the old 2011 certificates on your devices, you don't need to set that option. If you're sure all your devices have the new 2023 certificates installed, you can then do the switch and consider revoking the old ones.
- InterstellarOverdrive (Copper Contributor)
What exactly makes the clients have a high ConfidenceLevel, so that they receive the Secure Boot cert update with the monthly Windows updates?
If a client doesn't receive the new certificates with Windows updates until June, shall we attempt to force the installation with the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates? What is Microsoft's official recommendation regarding firmware updates: shall we update the client's firmware prior to installing the new Secure Boot certs, or is it irrelevant?
- Prabhakar_MSFT
Microsoft
Thank you for your question. Microsoft is doing a Controlled Feature Rollout on consumer devices grouped by device attributes into a unique device bucket (called BucketID). A BucketId represents a group of devices that behave similarly when certificate updates are applied. If Microsoft observes enough evidence of successes within a bucket, the respective device group is marked as High Confidence in the public Confidence Database (BucketConfidenceData.cab). If a device is identified as High Confidence, certificates will be automatically installed as part of the monthly security updates Microsoft releases every Patch Tuesday.
For devices that are not visible to Microsoft, enterprises need to take action. Microsoft recommends testing on a few similar machines that represent your environment before applying the policy broadly. Devices that have known issues have been blocked, and you will see error 1802 under the TPM-WMI source in the System event log indicating that the update could not be installed due to a known issue. For most issues, OEMs may already have firmware updates available. If the OEM has a new firmware update available, it is recommended to install the latest available firmware updates to unblock the certificate updates.
Refer to Understanding Secure Boot Events 1802 and 1803 - Microsoft Support for details about known issues preventing the certificate updates.
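The replies above point at several places to look on a device (the Servicing registry key MichaelHildebrand queries from Intune Device Query, the AvailableUpdates value, the MicrosoftUpdateManagedOptIn opt-in, the UEFI db/dbx contents, and TPM-WMI events 1802/1803 in the System log). This added PowerShell check is not code from the thread or from Microsoft; it assumes MicrosoftUpdateManagedOptIn lives directly under the SecureBoot key and does not assume any particular value names under Servicing (it dumps that key as-is).

```powershell
# Added example (not from the thread or from Microsoft): triage one device's
# Secure Boot certificate-update state. Run from an elevated PowerShell prompt.
$SbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

function Get-SecureBootCaState {
    # Secure Boot must be on, or the certificate update cannot be applied at all.
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { }

    # UEFI variable contents: the CA names appear as plain ASCII inside the
    # signature database blobs, so a substring match is enough for a yes/no answer.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    # Registry: the Servicing key that Intune Device Query reads, the AvailableUpdates
    # value named in the thread, and the opt-in value for the Microsoft-managed
    # rollout (assumption: stored directly under the SecureBoot key).
    $servicing = Get-ItemProperty -Path "$SbKey\Servicing" -ErrorAction SilentlyContinue
    $servicingValues = @{}
    if ($servicing) {
        $servicing.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $servicingValues[$_.Name] = $_.Value }
    }
    $root = Get-ItemProperty -Path $SbKey -ErrorAction SilentlyContinue

    # Event log: Secure Boot servicing reports under source TPM-WMI; 1802 is the
    # "blocked by a known issue" event the replies describe, 1803 its companion.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1802, 1803
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled   = $enabled
        DbHasUefiCa2023     = $db -match 'Windows UEFI CA 2023'
        DbxRevokesPca2011   = $dbx -match 'Microsoft Windows Production PCA 2011'
        AvailableUpdates    = $root.AvailableUpdates
        ManagedOptIn        = $root.MicrosoftUpdateManagedOptIn
        Servicing           = $servicingValues
        BlockedByKnownIssue = [bool]($events | Where-Object Id -eq 1802)
        RecentEvents        = $events | Select-Object TimeCreated, Id, Message
    }
}

$state = Get-SecureBootCaState
$state | Format-List
if ($state.BlockedByKnownIssue) {
    Write-Warning 'Event 1802 present: check the OEM for newer firmware before retrying.'
}
```

A device with DbHasUefiCa2023 true and no 1802 event is past the step the thread is worried about; DbxRevokesPca2011 shows whether the 2011 CA has also been revoked, which is the separate step ClientAdmin and Terry_Rutter discuss below.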
- Terry_Rutter (Copper Contributor)
We started our journey down this road in June 2024 when MS made the announcement that the new certs were only being regression tested with UEFI Firmware from March 2024 onward. Older firmware may work, but if it doesn't then "Oh well". Unless it fixed a specific problem or was required, updating BIOS/UEFI F/W wasn't a priority until this forced us to upgrade.
Operationalizing annual UEFI updates was a result of finding that a good number of manufacturer updates will only work in "steps". For instance, if the existing version is 1.2.3 but the latest version is 1.30.2, you may have to step to 1.8, then 1.10, then 1.20, etc. Very time consuming.
As of today every device has the new cert deployed (it was in the April 2024 CU Security patch) and installed in the .db file. We have 80% of our environment with the 2011 cert in the .dbx file, booting solely off the 2023 cert. The remaining 20% are in manual remediation due to BIOS versions or Secure Boot being turned off. All new devices have been configured with only the 2023 cert.
The only real hardship is our field folks have to have 2 USB boot devices - 1 with the 2011 cert only and 1 with the 2023 cert.
In testing the process we were surprised - and not in a good way - at the initial failure rate when we forced devices to boot only from the 2023 cert prior to running BIOS version checks, if Secure Boot was enabled, and . Had we waited until MS forced the change it would have overrun our Help Desk with "I can't boot" calls.
- Claude_Boucher_OEM (Copper Contributor)
Interesting feedback! On my side I was surprised by your experience regarding BIOS versions — I've been able to successfully deploy all the new certificates and the updated boot manager on Lenovo devices with BIOS from 2019 and 2020, without any issues.
Of course, OEM BIOS updates that embed the new certificates are always a good practice — but in my experience they are not strictly required. At least on every Lenovo I've tested, there was no minimum BIOS version needed to get the Microsoft certificates installed properly.
For your 20% in manual remediation, you might want to give https://github.com/claude-boucher/CheckCA2023 a try — it's a PowerShell + XAML utility that helped me a lot to diagnose machines where the process wasn't going smoothly. It visualizes all Secure Boot certificate stores, the relevant registry keys and the Event IDs Microsoft asks us to monitor. Might help identify exactly where things are getting stuck.
Would love to hear your feedback if you get a chance to try it! 😊