Event details
We have around 3700 devices. Mix of Dell and Lenovo. We started with a script to check for the Secure Boot Cert version to get an idea of how many devices were affected. We then enabled the Intune settings for secure boot to Enable the Initiation of deploying New Secure Boot certificates. Roughly 500 devices have failed this Intune Configuration though. All our devices are Bitlocker enabled. How are others that don't have Intune performing these upgrades without affecting Bitlocker?
We have around 100 devices that are shelved as spares or waiting for repair that may be running pre-2023 what are the expectations when putting these back into circulation?
- Jason_SandysJul 15, 2026
Microsoft
Hi JoshMcWilliams6070, Can you please expand on "Roughly 500 devices have failed". What exactly does "failed" mean here? Is there an error code shown in Intune for these devices for the Settings Catalog policy?
As for deploying the updated secure boot certs without impacting BitLocker, this is not expected in general. There are caveats and dependencies outside of Microsoft's control here including custom PCR configurations and firmware idiosyncrasies, but the general expectation is that BitLocker should not be impacted, and no recovery should be triggered. This is why we do and have strongly recommended testing representative devices across organizational fleets though to validate that none of these caveats are present and so that you can prepare if they are by ensuring BitLocker recovery keys are stored and available.
For shelved devices, there is nothing special. The same process (Windows Update) will update these devices per your policy or according to the high confidence database once they are back in operation.
- JoshMcWilliams6070Jul 15, 2026Occasional Reader
If Intune provided more details it would be nice. Intune for the Policy setting simply says
State Error
Error Type 2
Error Code 0.
We do have Secure Boot set to
Configure High Confidence Opt Out to Disabled
Configure Microsoft Update Managed Opt In to Enabled
Enable Secureboot Certificate Updates to (Enabled) Initiates the deployment of new Secure Boot certificates and related updates
We've had a few devices after the update require the Bitlocker key to unlock which has slowed down our progress with just 3 people to get all the devices up to date. I think around 30 so far out of around 2800. We have our keys stored and available via Entra, Intune, and our RMM depending on the team supporting the end user after. So its more of a time consuming situation more than a major problem. Since we purchase systems from multiple regions in the world we end up with a high variability between systems. Our small team does its best to try and test on as many different systems as possible during the testing Window.
Our RMM does provide a script to enable the update but since we have seen a small number of devices have the Bitlocker issue I wasn't sure if using Powershell automations in our RMM that triggers if the check script determines it does not have the updated cert. Not sure if it might be more problematic than Intune or if anyone has had an issues.- Jason_SandysJul 15, 2026
Microsoft
Can you please post a screenshot of the error you're seeing in Intune?
As for triggering a BitLocker recovery, this is has nothing to do with the method used to trigger the update. As noted, some UEFI firmware may incorrectly trigger this or if the default PCR settings have been changed it may get triggered as well. These are outside of Microsoft's control or visibility.