Secure Boot Expiry Alert: Fix Affected Device Certificates (using the Intune Method)

Written by Connor Dean | Modern Workplace Specialist

Qualifications: MD-102

Continuing on from our detection

In the previous article (Secure Boot Cert Expiry: Detection) we identified devices whose Secure Boot certificates are due to expire. This article remediates those devices using the steps below.

The simplest route is an Intune configuration policy, which I document here. Other methods are possible and are described in the Microsoft playbook linked below.

Resources

Playbook: Microsoft Playbook Article


Deploying the Intune Policy

Log in to https://intune.microsoft.com/

Navigate to ‘Devices’ → ‘Windows’ → ‘Configuration’

Click ‘Create’ and select Platform: ‘Windows 10 and later’, Profile Type: ‘Settings Catalog’ and choose ‘Create’ again.

Create a Windows Config Profile

Enter a name and description.

Enter a name and description for the profile

Add the settings: in the settings picker, search for ‘Secure boot’ and select the three settings below. Their descriptions, as shown in the Settings Catalog, are:

  • Enable SecureBoot Certificate Updates - This policy controls whether Windows initiates the Secure Boot certificate deployment process on devices.

  • Configure Microsoft Update Managed Opt In - This policy allows your organization to participate in a Controlled Feature Rollout of Secure Boot certificate updates managed by Microsoft.

  • Configure High Confidence Opt-Out - This policy controls whether Secure Boot certificate updates are applied automatically through Windows monthly security and non-security updates.

I will enable the first two and leave ‘Configure High Confidence Opt-Out’ disabled. Watch the polarity of that third setting: enabling it opts the device out of automatic application, so leave it disabled (or not configured) if you want the certificate updates to arrive with the monthly updates.

Further details can be seen here: Intune Method for Secure Boot Cert Fix | Microsoft Support

Settings Catalog settings

Then assign the profile to your devices. Once it applies, the devices are permitted to receive the new certificates. Start with a pilot group: the update writes new entries into the firmware's Secure Boot databases, so confirm it succeeds on each hardware model before assigning the profile broadly.

Progress can then be monitored with the remediation script or the Windows Autopatch report from part 1.


Verifying Success

Go to the previously created remediation script or the Windows Autopatch report and wait for the device's status to update; the device needs at least one Intune sync and a restart before the new status is reported.

If, after a few syncs and a restart, the device still reports that action is needed, further diagnosis is required.

A successful device looks like this:

Report

Detection Script
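To check a single device by hand, rather than waiting on the report, the following PowerShell script reads the policy state the Intune profile is expected to have written, the servicing status, and, as ground truth, the firmware's db and KEK variables. It is an added example for this article and is not the article's own detection script nor Microsoft's code. The registry paths and value names (AvailableUpdates, MicrosoftUpdateManagedOptIn, HighConfidenceOptOut, and the Servicing values UEFICA2023Status, UEFICA2023Error, WindowsUEFICA2023Capable) are taken from my reading of the Microsoft playbook's script-based method and should be treated as assumptions to verify against the playbook for your build; the CA subject names are matched as plain text in the DER-encoded variables.

```powershell
# Added example, not code from the original article or from Microsoft's playbook.
# Run in an elevated PowerShell on a target device after the Intune policy has
# synced and the device has restarted at least once.
#
# Assumptions (verify against the Microsoft playbook for your build):
#  - The Intune settings surface as values under
#    HKLM\SYSTEM\CurrentControlSet\Control\Secureboot
#    (AvailableUpdates, MicrosoftUpdateManagedOptIn, HighConfidenceOptOut).
#  - Servicing progress is recorded under ...\Secureboot\Servicing
#    (UEFICA2023Status, UEFICA2023Error, WindowsUEFICA2023Capable).
#  - The 2023 CAs can be recognised in the raw db/KEK variables by subject name.

function Get-SecureBootCertUpdateState {
    [CmdletBinding()]
    param()

    $root      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $servicing = Join-Path $root 'Servicing'

    # Secure Boot must be enabled for any of this to matter. Confirm-SecureBootUEFI
    # throws on legacy BIOS / unsupported platforms, so treat that as "off".
    $secureBootOn = $false
    try { $secureBootOn = [bool](Confirm-SecureBootUEFI) } catch { }

    # Policy and servicing state (assumed value names, see header comment).
    $cfg = Get-ItemProperty -Path $root      -ErrorAction SilentlyContinue
    $svc = Get-ItemProperty -Path $servicing -ErrorAction SilentlyContinue

    # Decode the UEFI signature databases as ASCII and look for the 2023 CA
    # subjects. Certificates are DER-encoded, so the subject CN is present as
    # a plain byte string inside the variable.
    $db2023  = $false
    $kek2023 = $false
    if ($secureBootOn) {
        $dbText  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kekText = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)
        $db2023  = $dbText  -match 'Windows UEFI CA 2023'
        $kek2023 = $kekText -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    # Render AvailableUpdates as hex so it can be compared with the playbook's
    # documented bitmask (assumed to be 0x5944 for "apply all updates").
    $availableUpdates = $null
    if ($null -ne $cfg.AvailableUpdates) {
        $availableUpdates = '0x{0:X}' -f [int]$cfg.AvailableUpdates
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SecureBootEnabled      = $secureBootOn
        AvailableUpdates       = $availableUpdates
        MicrosoftManagedOptIn  = $cfg.MicrosoftUpdateManagedOptIn
        HighConfidenceOptOut   = $cfg.HighConfidenceOptOut
        ServicingStatus        = $svc.UEFICA2023Status
        ServicingError         = $svc.UEFICA2023Error
        FirmwareCapable        = $svc.WindowsUEFICA2023Capable
        DbHasWindowsUefiCa2023 = $db2023
        KekHas2023Ca           = $kek2023
        # Action is still needed until both the db and the KEK carry the 2023 CAs.
        NeedsAction            = $secureBootOn -and -not ($db2023 -and $kek2023)
    }
}

Get-SecureBootCertUpdateState | Format-List
```

If the policy values are present but DbHasWindowsUefiCa2023 stays false after a restart, the servicing status and error fields are the first place to look before escalating to the playbook's troubleshooting steps. The KEK verdict is reported separately because the KEK update is signed per OEM, so a device can have the new db entries while the KEK lags; apply whatever rule your part 1 detection script uses as the authoritative one.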
