Event details

Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked Sec...
Heather_Poulsen
Updated May 18, 2026
AMA
Technical Takeoff
PSUnicorn's avatar
PSUnicorn
Copper Contributor
May 18, 2026

If using Option 1 in the Playbook to Deploy certificates using Microsoft Intune does this only apply Mitigation 1 and 2? Is Mitigation 3 and 4 applied automatically via enabling the CFR option? If I want to control Mitigation 3 and 4 rollout, I'm guessing I need to deploy the regkeys manually/separately from enabling CFR?

  • mihi's avatar
    mihi
    Brass Contributor
    May 18, 2026

    By mitigation 3 and 4 I assume you refer to the SVN update and the revocation of 2011 cert?

    No automatic process (CFR or any else) will apply those. You can only apply them by manually setting the required AvailableUpdates flags in registry.

    • PSUnicorn's avatar
      PSUnicorn
      Copper Contributor
      May 19, 2026

      You assumed correctly. Thank you for the response. We will continue to rollout the revocation of 2011 (mitigation 3) cert and SVN update (mitigation 4) manually.