Hello. I've got a query re: Hotpatch and Secure Boot certificate updates. At around 17 minutes in the AMA it's mentioned that Secure Boot certs are not applied with Hotpatch updates. We were informed several weeks ago that the default Autopatch configuration for Intune managed devices is being changed this month, so that Hotpatch is turned on by default. Does this mean that for those devices, they will not apply Secure Boot certs to UEFI firmware until another baseline is released a few months down the line? If so, then that would seem like really bad timing and would potentially change our approach to allowing Hotpatch to be turned on by default. Will we be forced to apply them via CFR if so? Can you clarify please, thanks.
- HeyHey16K, Apr 28, 2026, Steel Contributor
Hi Jamie,
We were hoping to use Intune to manage our SB certs deployment and we use Hotpatch. When we configured the Intune SB policy settings we kept getting the infamous 65000 error on all devices:
Originally this error was attributed to a Windows licensing issue, which Microsoft advised has now been resolved, but we're still seeing the above.
Not seen anything confirmed yet by Microsoft, but there are rumours going around from strong sources (e.g. Rudy Ooms) about Hotpatch being the root cause. We logged a support ticket to MS for help 6+ weeks ago but not had any response on it.
So we resorted to using Group Policy to deploy the above settings, which has worked well in our testing so far. Others have resorted to using Intune Remediations to overcome the Intune policy issue.
- mihi, Apr 24, 2026, Brass Contributor
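A detection script for the Intune Remediations route mentioned in the post above, added here as an example and not code from the thread or from Microsoft: it checks whether the 2023 Secure Boot CAs are already enrolled in the device's KEK and DB and exits 1 so the paired remediation script runs when they are not. The certificate subject strings and the 64-bit SYSTEM host are assumptions; verify the names against your own reference device before relying on them.

```powershell
# Intune Remediations detection script (added example, not from the thread).
# Exit 0 = compliant (2023 CAs present); exit 1 = run the paired remediation.
# Assumes a 64-bit PowerShell host running as SYSTEM on a UEFI device,
# which is how Intune Remediations run by default.

# Certificate subject strings are assumed; confirm them on a reference device.
$requiredEntries = @(
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
)

function Test-SecureBootCertificate {
    param(
        [Parameter(Mandatory)][string]$Variable,
        [Parameter(Mandatory)][string]$Name
    )
    # Get-SecureBootUEFI returns the raw variable contents. The certificate
    # subject names sit as ASCII inside the DER blobs, so a text search is
    # enough to tell whether a given CA has been enrolled.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Name)
}

try {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Output 'Secure Boot is disabled; certificate update cannot be verified'
        exit 1
    }

    $missing = foreach ($entry in $requiredEntries) {
        if (-not (Test-SecureBootCertificate @entry)) {
            "$($entry.Variable): $($entry.Name)"
        }
    }

    if ($missing) {
        Write-Output "Missing Secure Boot entries: $($missing -join '; ')"
        exit 1
    }

    Write-Output '2023 Secure Boot CAs are enrolled in KEK and DB'
    exit 0
}
catch {
    # Legacy BIOS devices throw here; report it and let the remediation decide.
    Write-Output "Secure Boot query failed: $($_.Exception.Message)"
    exit 1
}
```

Pair it with a remediation script that applies your chosen update method; the Write-Output lines surface in the Remediations report so you can see which variable is behind on each device.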
It is already possible to deploy the latest Bucket confidence data to a machine without having to install the update it came with (avoiding the reboot). This is commonly used to use the Bucket confidence data shipped with a monthly non-security update without applying the rest of the changes.
https://support.microsoft.com/en-us/topic/a-closer-look-at-the-high-confidence-database-32382469-4505-4ed4-915b-982eff09b5d2#bkmk_deploying_to_other_versions
This will not include fixes of the servicing components (like the one shipped in April that addressed some BitLocker recovery scenarios), but if your goal is to always use the latest bucket confidence data, it should solve your situation without having to fall back to regular LCUs that require a restart.