Updating Secure Boot Certificates on Windows Devices: My Personal Experience

Recently, I read that Intune now provides a report about the Secure Boot status of managed Windows devices.
As you have probably read, important Windows boot certificates will expire in June 2026. You should read the support pages provided by Microsoft to get all the details.

The impact of Secure Boot certificate expiration
Microsoft is updating the Secure Boot certificates originally issued in 2011 to ensure Windows devices continue to verify trusted boot software. These older certificates begin expiring in June 2026. Devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities.

Over time, this limits the device’s protection against emerging threats and may affect scenarios that rely on Secure Boot trust, such as BitLocker hardening or third-party bootloaders. Most Windows devices will receive the updated certificates automatically, and many OEMs provide firmware updates when needed. Keeping your device current with these updates helps ensure it can continue receiving the full set of security protections that Secure Boot is designed to provide.

Microsoft now provides a Secure Boot status report in Intune.
Open Intune > Reports > Windows quality updates > Reports > Secure Boot status.

I checked the state of my two notebooks and got the result “Not up to date”.
I was not surprised by the first notebook, as it had been offline for a while.

Secure Boot status report in Intune

First, I tried to deploy a configuration profile via Intune with “Enable Secureboot Certificate Updates”. However, the deployment failed.

Intune configuration profile failed

The error indicated a licensing problem. Microsoft also references this at the end of their documentation.

MDM PolicyManager: Policy is rejected by licensing, Policy: (EnableSecurebootCertificateUpdates)

Intune deployment error

I then found a Reddit thread describing the same issue.
Both of my PCs were upgraded from Windows 11 Pro to Windows 11 Enterprise, which appears to have caused a legacy licensing issue that has not yet been resolved.
As others recommended, the workaround is to skip the Intune configuration profile and instead force the Secure Boot certificate update directly via registry key. This sets the same key that the “Enable Secureboot Certificate Updates” policy would configure. Microsoft documents this approach here with all configuration details.

Following the recommendation, I set the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot – AvailableUpdates to 0x5944, then manually started the scheduled task to trigger the Secure Boot update. The task is located at: Task Scheduler > Microsoft\Windows\PI\Secure-Boot-Update.
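The registry workaround and the task trigger above, as an added PowerShell example (not from the original post): it sets the same AvailableUpdates value, starts the Secure-Boot-Update task and then reads back what Windows recorded. The Servicing subkey with UEFICA2023Status and the TPM-WMI event source are taken from Microsoft's Secure Boot servicing documentation; that error IDs 1800 and 1802 from the post are raised on that provider is an assumption.

```powershell
# Added example, not the post's own code. Run in an elevated PowerShell session.
$SbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

# 0x5944 is the value from the post; it is what the
# "Enable Secureboot Certificate Updates" policy would have written.
Set-ItemProperty -Path $SbKey -Name AvailableUpdates -Value 0x5944 -Type DWord

# Run the servicing task now instead of waiting for its next scheduled run.
Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
Start-Sleep -Seconds 30

# Windows records progress under ...\SecureBoot\Servicing. UEFICA2023Status is
# the value the Intune report is based on (NotStarted / InProgress / Updated).
$Servicing = Get-ItemProperty -Path "$SbKey\Servicing" -ErrorAction SilentlyContinue
'UEFICA2023Status : {0}' -f $Servicing.UEFICA2023Status

# Bits in AvailableUpdates are cleared as each step completes, so a value that
# is still 0x5944 after a reboot means nothing was applied yet.
'AvailableUpdates : 0x{0:X}' -f (Get-ItemProperty -Path $SbKey).AvailableUpdates

# The task logs to the TPM-WMI provider in the System log. The post hit
# ID 1802 (firmware too old) and ID 1800 (reboot required) here (assumed mapping).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TPM-WMI'
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```

Rerun the last part after each reboot; the status should move from InProgress to Updated before the Intune report catches up.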

Starting the Secure Boot update task manually

The update failed with error ID 1802. Microsoft provides a list of known error IDs.

Secure Boot update failure 1802

Error 1802 indicates an outdated BIOS.
The BIOS on my first PC was from 2023, so I updated it and repeated the steps. This time, I received error ID 1800, which means a reboot is required.
After rebooting and repeating the steps, the status changed to Updated. One additional reboot was needed to apply the updated certificates. My first PC now has the updated Secure Boot certificates.

Secure Boot update was successful

The update on my second PC was much smoother, as it already had the latest BIOS version. The Secure Boot update status showed Updated after two reboots.

The Intune Secure Boot report reflected the updated state after a few hours.

Secure Boot updates were successful

For a final check, I asked Claude how to verify via PowerShell that the updated certificates are actually on the device.

Run the following commands in an admin-elevated PowerShell session:

```powershell
# Dump the db and KEK Secure Boot variables and look for the 2023 certificates
foreach ($UEFIDb in @("db", "KEK")) {
    Write-Host "`n--- Secure Boot $UEFIDb ---"
    # Read the raw UEFI variable (EFI_SIGNATURE_LIST records)
    $Data = Get-SecureBootUEFI -Name $UEFIDb
    $Path = "$env:TEMP\SB_$UEFIDb.bin"
    [System.IO.File]::WriteAllBytes($Path, $Data.Bytes)
    # Let certutil decode the blob and show lines mentioning "2023" with context
    certutil -dump $Path | Select-String "2023" -Context 2,2
}
```

All four Secure Boot certificates are present in the output. ✅

  • Windows UEFI CA 2023
  • Microsoft Option ROM UEFI CA 2023
  • Microsoft UEFI CA 2023
  • Microsoft Corporation KEK 2K CA 2023
Updated Secure Boot certificates
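A stricter version of that check, added here and not part of the original post: instead of grepping certutil output for "2023", it parses the EFI_SIGNATURE_LIST records in db and KEK, loads each X.509 entry, and compares the subject names against the four certificates listed above. The function name Get-SecureBootCertificate is my own; the signature-type GUID is EFI_CERT_X509_GUID from the UEFI specification.

```powershell
# Added example, not the post's own code. Run in an elevated PowerShell session.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$Expected = @(
    'Windows UEFI CA 2023',
    'Microsoft Option ROM UEFI CA 2023',
    'Microsoft UEFI CA 2023',
    'Microsoft Corporation KEK 2K CA 2023'
)

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Name)
    $Bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $Offset = 0
    while ($Offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three UInt32:
        # SignatureListSize, SignatureHeaderSize, SignatureSize
        $Type       = [guid]::new([byte[]]$Bytes[$Offset..($Offset + 15)])
        $ListSize   = [BitConverter]::ToUInt32($Bytes, $Offset + 16)
        $HeaderSize = [BitConverter]::ToUInt32($Bytes, $Offset + 20)
        $SigSize    = [BitConverter]::ToUInt32($Bytes, $Offset + 24)
        if ($ListSize -lt 28 -or $SigSize -le 16) { break }   # malformed list, stop
        $Pos = $Offset + 28 + $HeaderSize
        while ($Pos + $SigSize -le $Offset + $ListSize) {
            if ($Type -eq $X509Guid) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) + DER certificate
                $Der  = [byte[]]$Bytes[($Pos + 16)..($Pos + $SigSize - 1)]
                $Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $Cert.GetNameInfo('SimpleName', $false)   # the CN
                    NotAfter = $Cert.NotAfter
                }
            }
            $Pos += $SigSize
        }
        $Offset += $ListSize
    }
}

$Found = @('db', 'KEK') | ForEach-Object { Get-SecureBootCertificate -Name $_ }
$Found | Sort-Object NotAfter | Format-Table -AutoSize

# Report exactly which of the expected 2023 CAs are absent, if any
$Missing = $Expected | Where-Object { $_ -notin $Found.Subject }
if ($Missing) { Write-Warning "Missing 2023 certificates: $($Missing -join ', ')" }
else { Write-Host 'All four 2023 Secure Boot certificates are present.' }
```

The NotAfter column also makes the point of the whole exercise visible: the 2011 entries expire in 2026 while the 2023 entries run well beyond that.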


Tobias Asböck
