Event details
Rollout model clarification (Telemetry vs. Policy)
We observe that a significant number of devices already show “Certificate Status = Up to date” in the Intune Secure Boot Status Report, even though our Intune Secure Boot policies are currently still failing with the described error 65000.
Given this, we would appreciate clarification on the following:
Does Microsoft currently deploy the Secure Boot 2023 certificates using a hybrid rollout model (telemetry-based CFR combined with optional policy-based control)?
At what point will policy-based opt-in become the primary or required mechanism for IT-managed devices?
Will devices without an effective policy continue to receive the certificate updates automatically via telemetry-based rollout until Secure Boot enforcement begins in 2026?
- Pearl-Angeles, Feb 06, 2026
Community Manager
Thanks for your questions! The panelists answered them during the live AMA at around 5:08.