Event details
For machines imaged with Win11 Pro Edition and signed into Work accounts that are E5 licensed, using the Intune Settings catalog CSP for Secure Boot, we are seeing the following errors in Event Viewer:
- Event ID 404: MDM ConfigurationManager: Command failure status. Configuration Source ID: (***Omitted***), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/SecureBoot/EnableSecurebootCertificateUpdates), Result: (Unknown Win32 Error code: 0x82b00006).
- Event ID 809: MDM PolicyManager: Set policy int, Policy: (EnableSecurebootCertificateUpdates), Area: (SecureBoot), EnrollmentID requesting set: (***Omitted***), Current User: (Device), Int: (0x5944), Enrollment Type: (0x6), Scope: (0x0), Result:(0x82B00006) Unknown Win32 Error code: 0x82b00006.
- Event ID 827: MDM PolicyManager: Policy is rejected by licensing, Policy: (EnableSecurebootCertificateUpdates), Area: (SecureBoot), Result:(0x82B00006) Unknown Win32 Error code: 0x82b00006.
- Event ID 2204: Caching uri for blocking mapped GP location. URI: (./Device/Vendor/MSFT/Policy/Config/SecureBoot/EnableSecurebootCertificateUpdates), Operation: (0x0).
- Event ID 2204: Caching uri for blocking mapped GP location. URI: (./Device/Vendor/MSFT/Policy/Config/SecureBoot/EnableSecurebootCertificateUpdates), Operation: (0x0).
It seems that creating the previously non-existent Secure Boot key at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\ fixes errors related to deployment attempts of the ConfigureHighConfidenceOptOut_ values, but not the MicrosoftManagedOptIn and AvailableUpdates values:
Using slmgr /dli, we notice the Windows OS edition is Professional, while the Subscription edition of the E5-licensed user account is Enterprise:
Created an Intune detection script that also verifies the same OS edition in relation to CSP failures (Event 827, etc.):
Does the Secure Boot CSP require Enterprise OS edition, rather than just Win11 Enterprise subscription from the user account context?
If so, does this then mean we would need to upgrade the OS edition using the Intune template to Enterprise with a valid key? We are assuming other CSPs will also fail given the OS edition is Pro and not Enterprise.
Thanks for your feedback on this!
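A detection script along the lines the original post describes, as an added example that is not the poster's script or Microsoft's code: it reads the installed OS edition and looks for Event ID 827 licensing rejections of the Secure Boot policy. The event channel name, the `EditionID` registry value as the edition source, and the seven-day lookback are assumptions, not taken from the thread.

```powershell
# Added example, not the poster's script. Assumptions: the MDM events quoted in the
# thread are logged in the channel below, and a 7-day lookback is sufficient.
$logName  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$policy   = 'EnableSecurebootCertificateUpdates'   # policy name from the quoted events
$lookback = (Get-Date).AddDays(-7)

# Installed OS edition as recorded in the registry (e.g. Professional, Enterprise).
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

# Event ID 827 is "Policy is rejected by licensing"; keep only hits for this policy.
$filter = @{ LogName = $logName; Id = 827; StartTime = $lookback }
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$policy*" })

if ($hits.Count -eq 0) {
    Write-Output "OK: no licensing rejection for $policy (edition: $edition)"
    exit 0
}

# Pull the result code out of the newest event, e.g. Result:(0x82B00006).
$latest = $hits | Sort-Object TimeCreated -Descending | Select-Object -First 1
$code = if ($latest.Message -match 'Result:\s*\((0x[0-9A-Fa-f]+)\)') { $Matches[1] } else { 'unknown' }

$summary = "REJECTED: {0} x Event 827 for {1}; last {2:u}; result {3}; edition {4}" -f
    $hits.Count, $policy, $latest.TimeCreated, $code, $edition
Write-Output $summary
exit 1   # non-zero exit marks the device as "issue detected"
```

The single output line carries the edition next to the result code, so the Intune report shows whether rejections line up with a particular OS edition.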
Has the Windows 11 Pro edition where the issue is being observed been updated with the latest cumulative updates from Microsoft? If not, we request that you update the client devices to the latest available Windows updates and retry applying the policies.
- jhcdoc, Dec 10, 2025, Copper Contributor
Our machines are continually updated with Autopatch/Hotpatch, which are up to date. We've tested several up-to-date machines and see the same errors across the board (Intune deployment error 26000 and Event Viewer error 827 as screenshotted in OP). These machines have been imaged using the Win11 24H2 ISO (Pro edition) provided by your software download link for the ISO, then upgraded to 25H2 via Autopatch feature update.
- threedaysatsea, Dec 10, 2025, Copper Contributor
We are seeing the same issue in our environment. ConfigureMicrosoftUpdateManagedOptIn is throwing "Policy is rejected by licensing" error 0x82B00006. Devices are Windows 11 Enterprise, user-based subscription activated. 24H2 with November's cumulative updates applied.
- prabhv1982, Dec 10, 2025, Microsoft
Thank you for reporting this issue. We are investigating this issue, and it will be addressed in a future Windows update.