MC1193371: How to use Microsoft Intune to update expiring Secure Boot certificates

Summary

  • New Intune settings available for managing Secure Boot certificate updates: Configure Microsoft Update Managed Opt-In, Configure High-Confidence Opt-Out, and Enable SecureBoot Certificate Updates.
  • Organizations should prepare for the expiration of 2011 Secure Boot certificates starting June 2026 and adopt 2023 certificates.
  • Three new settings are disabled by default; administrators need to enable them to utilize the features.
  • Management of Secure Boot certificate updates can be done in Intune as an alternative to registry keys and Group Policy.
  • Detailed guidance is available for implementing these changes and comparing methods.

Admin Impact: Medium
User Impact: Low
Release Start: 09 Dec 2025
Release End: 09 Dec 2025
Services: Windows, Intune
Category: Stay informed
Tags: Admin Action

History

12/8/2025 Item Added to Message Center

Microsoft Message

You can now deploy, manage, and monitor Secure Boot certificate updates. This method represents an alternative to setting registry keys and using Group Policy. You can use Intune to deploy on all domain-joined Windows clients, opt out of high-confidence buckets, and opt in to Microsoft managing these updates.

When will this happen

The following settings are now available in the Intune settings catalog:

  • Configure Microsoft Update Managed Opt-In
  • Configure High-Confidence Opt-Out
  • Enable SecureBoot Certificate Updates

How this will affect your organization

As the 2011 Secure Boot certificates will start expiring in June 2026, it is essential that organizations start planning for and updating to the 2023 certificates. You can now use Microsoft Intune, in addition to registry keys and Group Policy, to deploy, manage, and monitor this update process. The three new settings are disabled by default; enable the ones your organization needs to start using them.

What you need to do to prepare

To manage Secure Boot certificate updates in Intune, enable the new settings by navigating to the Microsoft Intune admin center:

  1. Under Devices > Manage devices, select Configuration.
  2. Select Create and select New Policy.
  3. Select Create a profile in the right-hand pane.
  4. Fill in Platform with Windows 10 and later.
  5. Select the Settings Catalog under the Profile Type.
  6. Begin creating a profile by giving the profile a name. Press Next.
  7. Under Configuration settings, select Add settings. In the Settings picker, search for Secure Boot. There should be three settings in the Secure Boot category.
  8. Select the desired settings for your organization: Configure Microsoft Update Managed Opt-In, Configure High-Confidence Opt-Out, and Enable SecureBoot Certificate Updates (preselected for you).
  9. Finish the profile for the devices that will use these settings.
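The Intune profile above deploys the setting; it does not by itself tell you whether a given device has actually received the 2023 certificates. The PowerShell script below is an added example, not part of the Message Center post or of Microsoft's Intune documentation, that an administrator can run in an elevated session on a single Windows device to verify the result. It uses the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets and searches the raw db and KEK UEFI variables for the published subject names of the Microsoft 2011 and 2023 Secure Boot CAs; treating those names as ASCII substrings of the variable bytes (rather than parsing the EFI_SIGNATURE_LIST structure) is an assumption the script relies on, and the function name Get-SecureBootCaStatus is the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Message Center post): report which Microsoft
# Secure Boot CAs are present in this device's UEFI db and KEK variables.
# Assumption: the CA subject names below appear as plain ASCII inside the
# DER-encoded certificates stored in the variables, so a substring match
# is enough to detect them without decoding EFI_SIGNATURE_LIST entries.

function Get-SecureBootCaStatus {
    try {
        $secureBootOn = Confirm-SecureBootUEFI
    } catch {
        throw "This device does not expose UEFI Secure Boot variables (legacy BIOS or unsupported firmware)."
    }
    if (-not $secureBootOn) {
        throw "Secure Boot is disabled on this device; the certificate update does not apply until it is enabled."
    }

    # Raw bytes of the allowed-signature database (db) and the key exchange key (KEK),
    # rendered as ASCII so the certificate subject names can be searched.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        # 2011-era CAs that begin expiring in June 2026
        Db_PCA2011           = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        Db_UefiCA2011        = [bool]($db  -match 'Microsoft Corporation UEFI CA 2011')
        Kek_CA2011           = [bool]($kek -match 'Microsoft Corporation KEK CA 2011')
        # 2023 replacements that the Secure Boot certificate update installs
        Db_WindowsUefiCA2023 = [bool]($db  -match 'Windows UEFI CA 2023')
        Db_UefiCA2023        = [bool]($db  -match 'Microsoft UEFI CA 2023')
        Db_OptionRomCA2023   = [bool]($db  -match 'Microsoft Option ROM UEFI CA 2023')
        Kek_CA2023           = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
    }
}

$status = Get-SecureBootCaStatus
$status | Format-List

# The device can keep booting signed Windows after the 2011 CAs expire only
# when both the 2023 KEK and the 2023 Windows UEFI CA are present. Anything
# else means the update has not landed yet, which usually points at the
# Intune profile assignment or a device that has not synced since it was deployed.
if ($status.Kek_CA2023 -and $status.Db_WindowsUefiCA2023) {
    Write-Output "2023 Secure Boot certificates are present."
} else {
    Write-Warning "2023 Secure Boot certificates are missing; check the Intune profile assignment and device sync state."
}
```

Run it on a pilot device before and after the profile applies: the 2011 entries should still be present in both runs (the update adds the 2023 CAs alongside them rather than removing the old ones), and the 2023 entries should flip from False to True once the update has completed and the device has rebooted.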

Additional information

  • Read complete guidance at Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates.
  • Compare this method to Registry key updates for Secure Boot: Windows devices with IT-managed updates.
  • Compare this method to Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates.
  • See how these methods work together in Secure Boot playbook for certificates expiring in 2026.