Hello. I've got a query re: Hotpatch and Secure Boot certificate updates. At around 17 minutes in the AMA it's mentioned that Secure Boot certs are not applied with Hotpatch updates. We were informed several weeks ago that the default Autopatch configuration for Intune managed devices is being changed this month, so that Hotpatch is turned on by default. Does this mean that for those devices, they will not apply Secure Boot certs to UEFI firmware until another baseline is released a few months down the line? If so, then that would seem like really bad timing and would potentially change our approach to allowing Hotpatch to be turned on by default. Will we be forced to apply them via CFR if so? Can you clarify please, thanks.
Hi Jamie,
We were hoping to use Intune to manage our SB certs deployment and we use Hotpatch. When we configured the Intune SB policy settings we kept getting the infamous 65000 error on all devices:
Originally this error was attributed to a Windows licensing issue, which Microsoft advised has now been resolved, but we're still seeing the above.
Not seen anything confirmed yet by Microsoft, but there are rumours going around from strong sources (e.g. Rudy Ooms) about Hotpatch being the root cause. We logged a support ticket with MS for help 6+ weeks ago but have not had any response on it.
So we resorted to using Group Policy to deploy the above settings, which has worked well in our testing so far. Others have resorted to using Intune Remediations to overcome the Intune policy issue.