Intune enable secure boot. Is that understanding correct?

Feb 23, 2026 · What Microsoft changed — the technical summary: Microsoft published guidance and began distributing replacement Secure Boot certificates (the 2023 CA family) through Windows servicing and coordinated OEM firmware updates so devices don’t lose the ability to receive boot‑level protections after the 2011 certs expire. You can now use Microsoft Intune, in addition to registry keys and Group Policy, to deploy, manage, and monitor this update process. This procedure is derived from Microsoft’s Intune guidance and the Windows IT playbook. In this post, I’ll show you two ways to get ready for this transition and make sure your Intune-managed devices stay compliant and secure. Using Intune, we can make use of the native configuration profiles to do this.

Dec 17, 2025 · If you don’t prepare in advance, devices could fail to boot or lose the ability to apply critical security updates after the rollover.

Jan 27, 2026 · How to create Secure Boot Compliance Policy with Microsoft Intune. Validate every setting in a test environment first.

Jun 26, 2025 · Prepare for the first global large-scale certificate update to Secure Boot. Secure Boot is a critical security feature that ensures devices boot only with trusted software, protecting them from rootkits and bootkits.

4 days ago · Microsoft Secure Boot certificates issued by the 2011 Certificate Authorities (CAs) are expiring starting June 2026. This is now fully fixed. Every Windows device with Secure Boot enabled must be updated to trust the 2023 certificates before expiration to retain security update support.

Nov 11, 2025 · This method offers Secure Boot setting using Microsoft Intune that domain administrators can set to deploy Secure Boot updates to all domain-joined Windows clients.

Dec 9, 2025 · As the 2011 Secure Boot certificates will start expiring in June 2026, it is essential that organizations start planning for and updating to 2023 certificates.

Nov 13, 2025 · In this post I show you how I prepare my Intune devices for the Secure Boot certificate rollover / update that happens in 2026.

Dec 8, 2025 · Below is a practical procedure to create an Intune profile that triggers and controls the Secure Boot certificate deployment process. Or we can enable Intune Secure Boot policies to try and push things along, but there’s no guarantee it actually speeds things up, and it could introduce risk on devices that aren’t fully ready (firmware/BIOS, etc).

4 days ago · Monitoring Secure Boot certificate installation status with Intune and PowerShell - Fri, Feb 27 2026. Windows Server 2025 security baseline 2602: 10 new settings - Thu, Feb 26 2026. The topic sounds small at first, but it affects every Windows device that uses Secure Boot. Microsoft provides a monitoring-only approach using Intune Remediations that runs a PowerShell detection script on enrolled devices

Oct 14, 2025 · Other deployment methods, such as Group Policy, Microsoft Intune, and WinCS are described in the article Windows devices for businesses and organizations with IT-managed updates. The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026.

3 days ago · Previously, Intune failed to initiate the Secure Boot DB update if the underlying base SKU was Pro — even though the device was running Enterprise via subscription.

Dec 5, 2025 · Effectively, the “fix” at least for Windows Updates, is to enable a value within Registry to check for Secure Boot updates.