How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune

Key Takeaways

  • Secure Boot certificates used by Windows are expiring in June 2026, requiring organizations to deploy the newer 2023 certificates.
  • Microsoft provides a built-in Intune policy (Enable Secure Boot Certificate Updates) to automate this process.
  • When deployed, many devices report Intune Error 65000.
  • On the device, the Enterprise Device Management event log reveals the real cause: Policy is rejected by licensing (0x82B00006).

Secure Boot is a Windows security feature that ensures your device starts using only trusted software. It works with UEFI firmware and uses digital certificates (called certificate authorities or CAs) to verify that boot components are legitimate and not tampered with by malware. These certificates have expiration dates, and the older Secure Boot certificates issued in 2011 are set to expire in June 2026.

To prepare for this, Microsoft introduced new Secure Boot certificates in 2023. Many newer PCs already include these updated certificates, and for older devices, Microsoft is delivering them through regular Windows monthly updates along with firmware updates from device manufacturers. Installing these updates in advance ensures that Secure Boot continues to function correctly and that devices remain protected and able to boot normally after the older certificates expire.

  • Even though a device shows Windows Enterprise in Intune, Windows may still think it is Windows Pro if it was originally installed as Pro and later upgraded using subscription activation.
  • Subscription activation does not change the licensing decision.
  • Because of this, Windows blocks the Secure Boot certificate update policy and shows Error 65000 – Policy is rejected by licensing. This does not mean you configured the policy incorrectly.
  • It is a known Microsoft issue where the Windows internal licensing check stops the policy from applying.
  • Microsoft is working on a fix, and until then, many admins use PowerShell scripts from the community as a temporary workaround.

In the Secure Boot category, you can see three settings:

  • Configure High Confidence Opt Out
  • Configure Microsoft Update Managed Opt In
  • Enable Secureboot Certificate Updates

How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Table 1
How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Fig.1

Secure Boot Certificate Updates – Keeping Devices Protected

Secure Boot helps protect your devices from malware during startup, but its security depends on certificates that can expire over time. To keep devices secure, these certificates need to be updated or “rotated.” Microsoft has provided steps to do this, and Intune makes it easier by offering a built-in policy that automatically handles the Secure Boot certificate updates for your managed devices.

  • Configure High Confidence Opt Out – Disabled
  • Configure Microsoft Update Managed Opt In – Enabled
  • Enable Secureboot Certificate Updates – (Enabled) Initiates the deployment of new secure boot certificates and related updates.
How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Fig.2

Verifying Secure Boot Status Across Your Devices

Most devices made after 2012 support Secure Boot and usually have it enabled by default. There are several ways to verify Secure Boot status across your devices.

  • GUI Method
    • Go to Start > Settings > Privacy & Security > Windows Security > Device Security.
    • Under Device Security, the Secure Boot section should indicate “On” if Secure Boot is enabled.
How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Fig.3

Confirm Secure Boot Using PowerShell

Open PowerShell as an administrator, type Confirm-SecureBootUEFI, and press Enter. If the command returns True, it confirms that Secure Boot is enabled on the device. The screenshots below give more details.

Confirm-SecureBootUEFI

How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Fig.4

Checking Secure Boot in Large-Scale Deployments

When managing a large number of devices, IT teams need a way to verify whether Secure Boot is enabled across all systems. This ensures that any Secure Boot updates or policies are applied only to devices that support the feature.

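# Initialize result object in preparation for checking Secure Boot state
$result = [PSCustomObject]@{
    SecureBootEnabled = $null
}

try {
    # Returns $true or $false on UEFI systems; throws on legacy BIOS or when not run elevated
    $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
    Write-Verbose "Secure Boot enabled: $($result.SecureBootEnabled)"
} catch {
    # Keep $null so that "unknown" stays distinguishable from "disabled" ($false)
    $result.SecureBootEnabled = $null
    Write-Warning "Unable to determine Secure Boot status: $_"
}

# Emit the result object for the caller or reporting pipeline
$result
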
How to Fix Secure Boot Certificate Expiry and Renewal Error 65000 in Microsoft Intune – Fig.5
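
For fleet reporting, the same check can be extended to show whether a 2023 certificate is already in the firmware db and whether the device has logged the licensing rejection described above. This is an added example, not code from the original article; the function name, the event log channel name, and the certificate name 'Windows UEFI CA 2023' are assumptions of the example and do not appear in the article.

```powershell
function Get-SecureBootCertReadiness {
    [CmdletBinding()]
    param(
        # MDM admin event log channel (assumption of this example, not named in the article)
        [string]$MdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
        # Licensing rejection code quoted in the article
        [string]$LicensingCode = '0x82B00006',
        [int]$LookbackDays = 30
    )

    $report = [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        SecureBootEnabled   = $null   # $null means "could not be determined"
        Db2023CertPresent   = $null
        LicensingRejections = $null
        LastRejection       = $null
    }

    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        # db is the allowed-signature database; search its raw bytes for the 2023 CA name.
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $dbText = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $report.Db2023CertPresent = $dbText -match 'Windows UEFI CA 2023'
    } catch {
        Write-Warning "Secure Boot state unavailable (legacy BIOS or not elevated): $_"
    }

    try {
        # Get-WinEvent returns newest events first, so the first match is the latest rejection.
        $hits = @(Get-WinEvent -FilterHashtable @{
                LogName   = $MdmLog
                StartTime = (Get-Date).AddDays(-$LookbackDays)
            } -ErrorAction Stop |
            Where-Object { $_.Message -match [regex]::Escape($LicensingCode) })
        $report.LicensingRejections = $hits.Count
        if ($hits.Count -gt 0) { $report.LastRejection = $hits[0].TimeCreated }
    } catch {
        # An empty result set is raised as an error by Get-WinEvent; count it as zero.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $report.LicensingRejections = 0
        } else {
            Write-Warning "Cannot read event log ${MdmLog}: $_"
        }
    }
    $report
}

Get-SecureBootCertReadiness
```

A device that reports SecureBootEnabled as True, Db2023CertPresent as False, and a non-zero LicensingRejections count matches the Error 65000 situation this article describes.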

Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years. He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.