Event details
It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
ioannis-dp
Feb 26, 2026
Copper Contributor
I would like answers to two questions:
- Clear impact on what happens if we only apply the Windows updates for certificates and not the OEM updates. From my understanding, the SB certificates will be updated but if OEM firmware isn't updated, then the only impact is that in case of BIOS/SB Keys reset, the old keys will return. But this alone doesn't mandate BIOS updates to hundreds and hundreds of devices.
- When will the Intune 65000 error be fixed in the respective policy? It is mentioned to be fixed by Feb 27 but we are still seeing this.
Thanks,
Prabhakar_MSFT
Microsoft
Mar 12, 2026
On #1, you have correctly called out what happens if the BIOS is reset to factory defaults. If the device moves back to the old certs, it will result in the device not trusting the new boot manager due to the absence of the 2023 certificate. A device in this situation can be recovered using the SecureBootRecovery.efi app. Steps to recover from this condition are published at
#2 - We are aware of another issue which will be addressed in the April update. Can you share the Windows version (snapshot of WinVer) where you are observing the issue?