Are you able to advise on the three SecureBoot options that are available in the Intune Settings Catalog?
We would like to use this approach to ensure the updated certs for SecureBoot are deployed to our EUDs.
- nlmitchell, Feb 06, 2026, Iron Contributor
Don't worry, already very well explained here - Registry key updates for Secure Boot: Windows devices with IT-managed updates - Microsoft Support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
If I'm reading it right, the top one set to Enabled would set the HighConfidenceOptOut reg key in the above location to 1, which means updates will be applied as part of the LCU.
The second one set to Enabled would set the MicrosoftUpdateManagedOptIn reg key in the above location to 1, which would enable the updates to come through the (Controlled Feature Rollout).
The third one set to Enabled would set the AvailableUpdates reg key in the above location to 0x5944 - Deploy all needed certs and update to the PCA2023 signed boot manager.
Please correct me if I'm wrong on any of this. I will be putting together an Intune policy as a test today to see how things go.
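Added example, not part of the post above and not Microsoft's code: a read-only PowerShell check that can be run on a test device after the Intune policy syncs, to see which of the three registry values actually landed. The expected values are the ones stated in the post (the poster's reading, not independently confirmed here); the function name is hypothetical.

```powershell
# Read-only: reports the three Secure Boot values named in the post. Changes nothing.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

# Expected values exactly as given in the post (assumption: the post's mapping is right).
$Expected = [ordered]@{
    HighConfidenceOptOut        = 1
    MicrosoftUpdateManagedOptIn = 1
    AvailableUpdates            = 0x5944
}

function Get-SecureBootPolicyValue {   # hypothetical helper name
    param(
        [string]$KeyPath = $Path,
        [System.Collections.IDictionary]$Want = $Expected
    )

    # A missing key or value is reported as "(not set)" instead of raising an error.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $Want.Keys) {
        $present = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $name)
        $actual  = if ($present) { [int]$props.$name } else { $null }

        [pscustomobject]@{
            Name     = $name
            Present  = $present
            Actual   = if ($present) { '0x{0:X}' -f $actual } else { '(not set)' }
            Expected = '0x{0:X}' -f $Want[$name]
            Match    = $present -and ($actual -eq $Want[$name])
        }
    }
}

Get-SecureBootPolicyValue | Format-Table -AutoSize
```

A `Match` of `False` only means the value differs from what the post lists; check the linked Microsoft Support article before treating it as a policy failure.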