Category
stayInformed
Severity
normal
Major change
False
Last modified
2025-12-08 21:59:20
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
—
Action by (AI)
—
Services
Windows
Tags
Admin impact
Master tags
Admin, Security
Roadmap IDs
One-line summary
Admins can now use Intune to deploy, manage, and monitor Secure Boot certificate updates on Windows clients, with new settings available for streamlined management.
Similar updates
More like thisMC1192217 Secure Boot AMA: Ask Microsoft Anything on December 10
MC1192178 New Windows Autopatch reports on CVEs
MC1194065 Latest on Windows quality updates out of the box – now disabled by default
MC1192254 Microsoft Defender for Endpoint: New Microsoft Secure Score recommendations
MC1191616 Microsoft Secure Score: New recommendations for Microsoft Defender for Endpoint
MC1187848 Microsoft 365 Apps admin center: Enhanced rollback capabilities in Cloud Update (public preview)
Details
Body (from Message Center)
You can now deploy, manage, and monitor Secure Boot certificate updates. This method represents an alternative to setting registry keys and using Group Policy. You can use Intune to deploy on all domain-joined Windows clients, opt out of high-confidence buckets, and opt in to Microsoft managing these updates.
When will this happen:
The following settings are now available in the Intune settings catalog:
- Configure Microsoft Update Managed Opt-In
- Configure High-Confidence Opt-Out
- Enable SecureBoot Certificate Updates
How this will affect your organization:
As the 2011 Secure Boot certificates will start expiring in June 2026, it is essential that organizations start planning for and updating to 2023 certificates. You can now use Microsoft Intune, in addition to registry keys and Group Policy, to deploy, manage, and monitor this update process. The three new settings are disabled by default. Enable them to start taking advantage of the desired capabilities.
What you need to do to prepare:
To manage Secure Boot certificate updates in Intune, enable the new settings by navigating to the Microsoft Intune admin center:
- Under Devices > Manage devices, select Configuration.
- Select Create and select New Policy.
- Select Create a profile in the right-hand pane.
- Fill in Platform with Windows 10 and later.
- Select the Settings Catalog under the Profile Type.
- Begin creating a profile by giving the profile a name. Press Next.
- Under Configuration settings, select Add settings. In the Settings picker, search for Secure Boot. There should be three settings in the Secure Boot category.
- Select the desired settings for your organization: Configure Microsoft Update Managed Opt-In, Configure High-Confidence Opt-Out, and Enable SecureBoot Certificate Updates (preselected for you).
- Finish the profile for the devices that will use these settings.
Additional information:
- Read complete guidance at Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates.
- Compare this method to Registry key updates for Secure Boot: Windows devices with IT-managed updates.
- Compare this method to Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates.
- See how these methods work together in Secure Boot playbook for certificates expiring in 2026.
Raw JSON (for debugging)
Expand/collapse the full payload below.
Show/hide raw
{
"snapshot_item": {
"action_required_by": null,
"ai_action_required_by": null,
"ai_actions": [
"Enable new Secure Boot settings in Intune",
"Create and assign configuration profiles for Windows devices",
"Plan migration to 2023 Secure Boot certificates"
],
"ai_master_tags": [
"Admin",
"Security"
],
"ai_model": "gpt-4.1",
"ai_summary": "Admins can now use Intune to deploy, manage, and monitor Secure Boot certificate updates on Windows clients, with new settings available for streamlined management.",
"ai_topics": [
"Windows",
"Intune"
],
"category": "stayInformed",
"details_map": {},
"id": "MC1193371",
"importance": 0,
"is_major_change": false,
"last_modified": "2025-12-08T21:59:20Z",
"ms_products": [
"Windows"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Windows"
],
"severity": "normal",
"tags": [
"Admin impact"
],
"title": "How to use Microsoft Intune to update expiring Secure Boot certificates"
}
}