How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune

Key Takeaways

  • Error 65000 does not automatically mean Secure Boot is disabled.
  • Subscription-based Windows Enterprise activation is a key trigger.
  • Intune relies on Windows licensing verification.
  • PowerShell verification is the most reliable check.
  • Secure Boot certificates are expiring in 2026.

Let’s discuss how to fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune. Secure Boot Error 65000 in Microsoft Intune often looks serious, but in most cases it is not a real problem. Secure Boot is usually already enabled and protecting the device. The error appears because Intune is unable to correctly verify Secure Boot during policy evaluation. This issue mainly happens on devices that are upgraded from Windows Pro to Windows Enterprise using subscription activation (E3/E5).

Why Secure Boot Error 65000 Appears in Microsoft Intune

Intune depends on Windows licensing checks, and these checks do not fully understand subscription-based activation. As a result, Intune reports an error even though Secure Boot is working correctly. At the same time, Microsoft Secure Boot certificates are expiring in 2026, which makes it important for organizations to prepare in advance.

Problem | Details
Secure Boot Error | Intune shows an error but Secure Boot is usually ON.
Enterprise Upgrade | Upgrading Windows to Enterprise via subscription can trigger this.
PowerShell Check | Use PowerShell to see if Secure Boot is actually enabled.
Certificate Expiry | Secure Boot certificates expire in 2026 and need updating.
How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Table.1

Secure Boot Error 65000 in Intune

Intune shows Secure Boot Error 65000 when it cannot validate Secure Boot through its internal checks. This does not mean Secure Boot is turned off. In most cases, the device firmware already has Secure Boot enabled, but Intune fails to confirm it and marks the policy as failed.

How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Fig.1

Windows Enterprise Subscription Activation Causes the Error

Many devices start with Windows Pro and are upgraded to Windows Enterprise through Microsoft Entra ID subscription activation. The Windows Software Licensing API does not properly recognize this type of activation. Because of this, Intune believes the device does not meet Secure Boot requirements, even though it actually does.

How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Fig.2

PowerShell Confirms Secure Boot Is Enabled

When Secure Boot is checked using PowerShell, it directly reads the firmware status instead of relying on Intune or licensing APIs. This is why PowerShell usually shows Secure Boot as enabled while Intune reports an error. This confirms that the issue is with reporting, not with device security.

How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Fig.3

Secure Boot Certificates Expiring in 2026

Microsoft Secure Boot certificates stored in device firmware are expiring in 2026. If these certificates are not updated, devices may fail to trust future boot files and updates. This can lead to boot issues and reduced protection against firmware-level attacks, making certificate updates critical for long-term security.
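
The firmware-level check from the PowerShell section, extended to the certificate stores discussed above, as an added example that is not part of the original post. It assumes an elevated session on a UEFI device; the certificate subject names are taken from Microsoft's published Secure Boot guidance rather than from this page, and the function and property names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: reads Secure Boot state and certificate stores straight from UEFI firmware,
# independent of Intune reporting or the licensing API.

function Test-FirmwareCertificate {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Variable,
        [Parameter(Mandatory)][string]$SubjectText
    )
    # The variable holds DER-encoded certificates; subject names are readable as ASCII in the raw bytes.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text -match [regex]::Escape($SubjectText)
}

$result = [ordered]@{
    ComputerName         = $env:COMPUTERNAME
    # EditionID shows the running edition, e.g. Enterprise after subscription activation.
    Edition              = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    SecureBootEnabled    = $null
    DbHasProductionPCA2011 = $null   # 2011 certificate in the allowed-signature database (db)
    DbHasWindowsUefiCA2023 = $null   # replacement certificate in db
    KekHasKek2KCA2023      = $null   # replacement key exchange key
    Error                = $null
}

try {
    # Returns $true/$false from firmware; throws on legacy BIOS or in a non-elevated session.
    $result.SecureBootEnabled      = Confirm-SecureBootUEFI -ErrorAction Stop
    $result.DbHasProductionPCA2011 = Test-FirmwareCertificate -Variable db  -SubjectText 'Microsoft Windows Production PCA 2011'
    $result.DbHasWindowsUefiCA2023 = Test-FirmwareCertificate -Variable db  -SubjectText 'Windows UEFI CA 2023'
    $result.KekHasKek2KCA2023      = Test-FirmwareCertificate -Variable KEK -SubjectText 'Microsoft Corporation KEK 2K CA 2023'
}
catch {
    # Keep the partial result and record why the firmware query failed.
    $result.Error = $_.Exception.Message
}

[pscustomobject]$result
```

If SecureBootEnabled is True while Intune still reports Error 65000, the device matches the reporting issue described in this post; False values for the 2023 entries mean the firmware has not yet received the replacement certificates.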

Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years. He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.