MC1193371 – How to use Microsoft Intune to update expiring Secure Boot certificates


check before: 2023-10-01

Product:

Intune, Microsoft 365 admin center, Windows

Platform:

Online, Windows Desktop, World tenant

Status:

Change type:

Admin impact

Links:

Details:

You can now deploy, manage, and monitor Secure Boot certificate updates. This method represents an alternative to setting registry keys and using Group Policy. You can use Intune to deploy on all domain-joined Windows clients, opt out of high-confidence buckets, and opt in to Microsoft managing these updates.

When will this happen:
The following settings are now available in the Intune settings catalog:
- Configure Microsoft Update Managed Opt-In
- Configure High-Confidence Opt-Out
- Enable SecureBoot Certificate Updates
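Whichever delivery method is used (the new Intune settings or the older registry-key approach), an administrator will want a read-only way to confirm on a given client that the 2023 certificates have actually landed in the firmware databases. The following is an added example, not code from the original page, from Microsoft or from cloudscout.one. It relies on the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets; the certificate subject strings and the registry value names (AvailableUpdates, and UEFICA2023Status under the Servicing subkey) are assumed from Microsoft's published Secure Boot guidance and should be verified against KB5068198 before relying on them.

```powershell
# Added example (not from the original page or from Microsoft): a read-only status check
# for the 2023 Secure Boot certificates on a Windows client. Run in an elevated
# PowerShell session on a UEFI device; Get-SecureBootUEFI needs administrator rights.

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SecureBootEnabled = $false
        DbHas2023CA       = $false
        KekHas2023CA      = $false
        AvailableUpdates  = $null   # assumed value name, see KB5068198
        UEFICA2023Status  = $null   # assumed value name, see KB5068198
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS or otherwise unsupported platforms.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        Write-Warning "Secure Boot is not supported on this platform: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Subject names of the certificates stored in the signature databases are printable
    # ASCII, so a substring match on the raw variable contents is enough to detect them.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Assumed subject strings of the 2023 certificates (verify against Microsoft's playbook).
    $result.DbHas2023CA  = [bool]($db  -match 'Windows UEFI CA 2023')
    $result.KekHas2023CA = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')

    # Progress of the servicing task as reported in the registry. Paths and value names
    # are assumptions taken from Microsoft's registry-key method; they may be absent on
    # devices that have not yet received the required cumulative update.
    $sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $svcKey = Join-Path $sbKey 'Servicing'

    $sb  = Get-ItemProperty -Path $sbKey  -ErrorAction SilentlyContinue
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue

    if ($sb)  { $result.AvailableUpdates = $sb.AvailableUpdates }
    if ($svc) { $result.UEFICA2023Status = $svc.UEFICA2023Status }

    return [pscustomobject]$result
}

# Usage: collect the status on one device and print it as a list.
Get-SecureBootCertStatus | Format-List
```

A device where DbHas2023CA and KekHas2023CA are both true has already taken the certificate update; a device with Secure Boot enabled but both false is a candidate for the Intune policy above, and the registry values (where present) show whether the servicing task is still pending.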


Release Phase:

Created:
2025-12-09

updated:
2025-12-09


Direct effects for Operations**

Secure Boot Certificate Expiration
If Secure Boot certificates are not updated in time, devices may fail to boot or operate securely, leading to potential downtime and security vulnerabilities.
   - roles: IT Administrator, End User
   - references: https://support.microsoft.com/kb/5068198, https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235

User Experience Degradation
Failure to implement the updates may result in users experiencing issues with device security features, leading to a lack of trust in the IT infrastructure.
   - roles: End User, IT Support
   - references: https://support.microsoft.com/kb/5068202, https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235

Increased Support Tickets
Without proper preparation and communication regarding the changes, IT support may see a spike in tickets related to boot issues or security concerns from users.
   - roles: IT Support, Help Desk Staff
   - references: https://support.microsoft.com/topic/microsoft-intune-method-of-secure-boot-for-windows-devices-with-it-managed-updates-1c4cf9a3-8983-40c8-924f-44d9c959889d, https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235


Opportunities**

Streamlined Secure Boot Management
Using Microsoft Intune for managing Secure Boot certificate updates can significantly reduce the complexity involved in the update process compared to traditional methods like Group Policy and registry keys. This streamlining leads to improved efficiency in IT operations and reduces the chances of errors during updates.
   - next-steps: Enable the new settings in Intune by navigating to Devices > Manage devices > Configuration, and create a new policy for Secure Boot updates. Ensure all relevant devices are enrolled and monitored for compliance.
   - roles: IT Administrators, System Engineers, Security Officers
   - references: https://support.microsoft.com/kb/5068198, https://support.microsoft.com/kb/5068202

Enhanced Security Posture
By deploying the latest Secure Boot certificates through Intune, organizations can enhance their security posture. This proactive approach helps in mitigating risks associated with outdated certificates and potential vulnerabilities, thereby protecting sensitive data and systems.
   - next-steps: Conduct an inventory of devices to identify those that require Secure Boot updates. Create a communication plan to inform users about the upcoming changes and their importance for security.
   - roles: CIOs, IT Security Managers, Compliance Officers
   - references: https://support.microsoft.com/topic/microsoft-intune-method-of-secure-boot-for-windows-devices-with-it-managed-updates-1c4cf9a3-8983-40c8-924f-44d9c959889d, https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235

Improved User Experience
Automating the update of Secure Boot certificates through Intune reduces the manual intervention required from end-users and IT staff. This leads to a smoother user experience, minimizing disruptions and downtime associated with manual updates.
   - next-steps: Train IT staff on the new Intune settings and their impact on user experience. Monitor feedback from users post-implementation to identify any issues and address them promptly.
   - roles: Help Desk Staff, IT Support Teams, End Users
   - references: https://support.microsoft.com/kb/5068198, https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235


explanation for non-techies**

Microsoft Intune is like a remote control for managing the settings and updates on all the computers in your organization. Imagine you have a large office with many windows, and you need to ensure all the windows have the latest, most secure locks. Instead of going to each window individually to change the locks, you can use a central system to update them all at once. This is what Intune does for your computers.

Secure Boot certificates are like those locks on the windows. They ensure that when your computer starts up, it’s safe and hasn’t been tampered with. These certificates can expire, much like how locks might need to be replaced over time to ensure they’re still secure. The certificates from 2011 will expire in 2026, so it’s important to update them to the newer 2023 versions.

Previously, updating these certificates might have involved going into each computer’s settings individually or using Group Policy, which is like having a set of rules that apply to all computers in a certain group. Now, with Intune, you can manage these updates more efficiently from one place. It’s like having a master key that lets you change all the locks from your office desk.

To start using Intune for these updates, you’ll need to enable some new settings. Think of it as turning on the remote control feature for your window locks. You go into the Intune admin center, create a new profile for your Windows devices, and select the settings related to Secure Boot. Once you’ve done this, you can apply these settings to all the computers in your organization, ensuring they’re all updated with the latest security certificates.

This method offers a streamlined approach compared to the traditional ways of updating through registry keys or Group Policy. It’s all about making the process easier and more efficient, much like how a universal remote simplifies controlling multiple devices in your home.

** AI generated content. This information must be reviewed before use.
