Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
AMA
HeyHey16K's avatar
HeyHey16K
Steel Contributor
Mar 12, 2026

We haven't deployed the Intune Secure Boot settings yet across our estate (see my previous post below) permitting devices to install the new certs. However, in the last two weeks, some of our Microsoft Surface Laptop 5s are unexpectedly displaying this message:


And their device record in Intune is now broken:

The Serial Number is not 123123123, DeviceModel would normally be "Microsoft Surface Laptop 5" and Device Manufacturer would normally be "Microsoft".

So I am just curious if this is an error we would see if something goes wrong with installing the new SB certs, or something else entirely?

Thank you 🙏

  • Cliff_Hughes's avatar
    Cliff_Hughes
    Copper Contributor
    Mar 12, 2026

    DFCI should be its own animal, and I don't believe it's directly related to the Secure Boot Certs https://learn.microsoft.com/en-us/autopilot/dfci-management Maybe someone enabled this in the environment or for Surface devices, if not check to ensure the user is not connecting external encrypted disks at boot.