Our devices are shipped with OEM Windows Pro and are later upgraded to Windows Enterprise via Intune policy. On a large subset of these devices, the Intune configuration profile used to opt devices into Microsoft‑managed Secure Boot certificate updates is failing with Intune error 65000, and corresponding event logs indicate the policy is being rejected by licensing rather than by Secure Boot or firmware state.

My question is:

• Is this a known and acknowledged issue when Secure Boot certificate updates are applied to devices that have undergone OEM Pro → Enterprise conversion via Intune? and what what is the workaround?