Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Pearl-Angeles
Updated Apr 15, 2026
veck81
Apr 23, 2026 (Occasional Reader)
We have several devices which are managed by Intune and WUfB. These devices do not have a high ConfidenceLevel assigned (None or Under Observation); however, all Secure Boot certificates were updated.
We have not deployed the Intune Secure Boot Certificate Policy, nor set the AvailableUpdates regkey to kick off the update.
Looking for clarification on how the certificates were updated.
- mihi, Apr 23, 2026 (Brass Contributor)
- Are you absolutely sure that the devices did not come with the new certificates applied from the factory?
- Do you participate in CFR? CFR can result in updated certificates even if the bucket is not in high confidence.