Event details
Hello,
I’m hoping to get some clarification on an issue related to Secure Boot certificate management through Intune. I previously posted a question in a past forum that may have been missed, so I was hoping this one won't be, given the importance and timing of the upcoming Secure Boot expiry.
This may have already been addressed, but we are still seeing inconsistent results and need guidance on the expected behaviour.
We have an Intune policy configured to enable Microsoft’s management of Secure Boot certificates. Historically, when enabling this policy, it failed to apply with error 65000. At the time, the understanding was that this occurred because a large portion of our laptop fleet consists of Windows 11 Pro devices that are upgraded to Enterprise via user-based licensing at sign-in.
We were advised that this limitation was addressed in a January update, and that Pro-based devices should become supported once their Intune subscription refreshed. Guidance also indicated that this refresh could be manually triggered using:
- ClipDLS.exe removesubscription
- ClipRenew.exe
While these commands do refresh the subscription, a significant amount of time has now passed, and we would have expected this issue to resolve organically as devices checked back in. However, we are still seeing limited readiness across our environment. Currently, only 233 out of approximately 700 laptops report as ready for the upcoming Secure Boot certificate expiration in June.
We are aware that this can be addressed via a registry-based workaround, and we have confirmed through testing that this approach is effective. In fact, the reason our compliance numbers are as high as they are today is due to manually applying this registry update on affected devices. However, our leadership would strongly prefer an official, supported Microsoft solution if one exists, rather than relying on a workaround.
At this point, we’re trying to determine whether this issue is still expected to self-resolve through subscription refresh and normal device check-in, or if we should formally proceed with deploying a mitigation across the fleet, given the approaching June deadline.
Any official guidance, confirmation of expected behaviour, or recommended next steps would be greatly appreciated.
Thank you for your time and assistance.
- Jason_Sandys, Apr 16, 2026
Microsoft
Hi MaxMatV, in addition to the service-side licensing issue addressed by the two commands you pasted above, an additional issue was identified in Windows itself that results in the same challenge. This was addressed recently. From memory, this was addressed in 2D/3B (3B = the March cumulative update) but it may have been in 3D/4B (4B = April cumulative update).
If after installing the latest April CU you are still experiencing issues, please open a support case as this explicit challenge should now be addressed fully and thus would require additional investigation.