How to Fix Secure Boot Certificate Expiry Error 65000 in Microsoft Intune

Resolve Intune Error 65000 when deploying Secure Boot certificate updates by addressing licensing policy rejections and implementing proper remediation strategies for Windows Pro and Enterprise devices.

Evan Mael

March 18, 2026 18 min —

hardintune 7 steps 18 min

Why Does Secure Boot Certificate Error 65000 Occur in Microsoft Intune?

Microsoft Secure Boot certificates are expiring throughout 2026, prompting organizations to deploy certificate updates through Intune policies. However, many IT administrators encounter Error 65000 during deployment, which stems from licensing policy rejections rather than actual certificate update failures. This error typically affects Windows Pro editions and subscription-upgraded Enterprise devices where the local OS licensing evaluation conflicts with Intune's policy delivery mechanism.

Deepen your knowledge

01How to Enable Tamper Protection for Your Organization Using Microsoft Intune

02Sync SharePoint Libraries Using Microsoft Intune

03How to Block JavaScript and VBScript from Launching Downloaded Executables in Intune

04How to Configure Windows Security Updates During OOBE with Intune ESP

05Block USB Drives Using Microsoft Intune Attack Surface Reduction Policies

What Makes This Error Particularly Challenging to Resolve?

The complexity of Error 65000 lies in its misleading nature. While Intune reports policy deployment failures, the underlying Secure Boot functionality often remains intact and functional. Microsoft implemented service-side fixes starting January 27, 2026, with complete license renewal resolution by February 27, 2026. However, the gradual rollout means some tenants continue experiencing issues due to licensing metadata propagation delays.

How Does Microsoft's 2026 Certificate Expiry Timeline Impact Your Environment?

Understanding the timeline is crucial for proper remediation planning. The certificate expiry affects all Windows devices with UEFI firmware supporting Secure Boot, regardless of manufacturer or model year. Organizations must ensure devices meet the required servicing baseline with post-January 2026 cumulative updates before attempting certificate renewal. This tutorial provides a systematic approach to diagnose, remediate, and monitor Secure Boot certificate updates while working around the licensing-related Error 65000.

Implementation Guide

Full Procedure

Verify Current Secure Boot Status and Device Licensing

Before troubleshooting Error 65000, confirm the actual Secure Boot status on affected devices. Despite Intune reporting failures, Secure Boot is often functioning correctly.

Open PowerShell as Administrator on the affected device and run:

Confirm-SecureBootUEFI

This should return True if Secure Boot is enabled. Next, check the Windows licensing status:

slmgr /dli

Look for the edition information. Common problematic scenarios include:

Windows Pro OEM edition with E3/E5 subscription activation
Enterprise licenses that reverted to Pro after subscription changes
Devices showing "Windows 10/11 Pro" despite Enterprise licensing

Verification: Document the Secure Boot status and licensing edition for each affected device. If Secure Boot returns True, the certificate update may have succeeded despite the Intune error.

Pro tip: Create a PowerShell script to collect this information from multiple devices using Invoke-Command for bulk verification.

Check Windows Update Baseline and Cumulative Updates

Error 65000 often occurs when devices lack the required servicing baseline. Microsoft requires specific cumulative updates from January 2026 onwards for Secure Boot certificate management.

Check the installed updates on the device:

Get-HotFix | Where-Object {$_.InstalledOn -gt (Get-Date "2026-01-01")} | Sort-Object InstalledOn -Descending

Alternatively, use Windows Update history:

Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object {$_.InstalledOn -gt "1/1/2026"} | Select-Object HotFixID, Description, InstalledOn

In Microsoft Intune admin center, navigate to Reports > Windows quality updates to verify update compliance across your device fleet.

If devices are missing recent cumulative updates, deploy them immediately through Intune or Windows Update for Business before proceeding with Secure Boot policies.

Verification: Confirm devices have cumulative updates from January 2026 or later. Check the Windows Update history shows successful installation of security updates.

Warning: Devices without the required servicing baseline will consistently fail Secure Boot certificate updates regardless of licensing status.

Create Secure Boot Certificate Update Policy in Intune

Configure the proper Intune policy to enable Secure Boot certificate updates using the Settings Catalog approach, which provides more granular control than traditional device configuration profiles.

In the Microsoft Intune admin center:

Navigate to Devices > Configuration profiles
Click Create profile
Select Windows 10 and later as the platform
Choose Settings catalog as the profile type
Click Create and provide a descriptive name like "Secure Boot Certificate Update - Pilot"

In the settings configuration:

Click Add settings
Search for "SecureBoot" in the settings browser
Expand the SecureBoot category
Select Enable Secureboot Certificate Updates
Set the value to 1 (Enabled)

Configure the assignment scope to target a pilot group initially. Create a device filter based on specific models or OS versions that have confirmed update baseline compliance.

Verification: After creating the policy, check the assignment status shows "Pending" or "Success" for pilot devices. Monitor the policy deployment in Devices > Monitor > Device configuration.

Pro tip: Start with a small pilot group of 10-20 devices to validate the policy works before broad deployment. Include devices from different hardware manufacturers to catch OEM-specific issues.

Manually Trigger Secure Boot Certificate Update Task

After deploying the Intune policy, manually trigger the Secure Boot certificate update process to accelerate testing and validation.

On the target device, open PowerShell as Administrator and run:

schtasks /Run /TN "\Microsoft\Windows\SecureBoot\CertificateUpdate"

Check if the scheduled task exists and its last run status:

Get-ScheduledTask -TaskPath "\Microsoft\Windows\SecureBoot\" -TaskName "CertificateUpdate" | Get-ScheduledTaskInfo

If the scheduled task approach fails, implement the registry-based fallback method:

# Enable the Secure Boot certificate update registry key
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "ConfigureMicrosoftUpdateManagedOptIn" -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\ConfigureMicrosoftUpdateManagedOptIn" -Name "1" -Value 1 -Type DWord

# Restart the Windows Update service to process the change
Restart-Service -Name "wuauserv" -Force

Monitor the Windows Event Logs for Secure Boot certificate update activity:

Get-WinEvent -FilterHashtable @{LogName='System'; ID=1074,1076} -MaxEvents 10

Verification: Check the scheduled task last run result shows "Success (0x0)". Verify the registry key was created successfully and the Windows Update service restarted without errors.

05

`Monitor Policy Deployment and Collect Diagnostic Information`

Track the Secure Boot policy deployment status and collect detailed diagnostic information to identify the root cause of Error 65000 occurrences.

In Microsoft Intune admin center, navigate to Reports > Windows quality updates > Secure Boot status to view deployment metrics across your device fleet.

On individual devices experiencing Error 65000, collect detailed policy information:

# Check Intune policy processing logs
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'} -MaxEvents 20 | Where-Object {$_.Message -like "*65000*" -or $_.Message -like "*SecureBoot*"}

Examine the specific error details in the registry:

# Check for policy rejection details
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\SecureBoot" -ErrorAction SilentlyContinue

Look for the specific error code pattern indicating licensing issues:

# Search for the licensing policy rejection error
Get-WinEvent -FilterHashtable @{LogName='Application'} | Where-Object {$_.Message -like "*POLICYMANAGER_E_AREAPOLICY_NOTAPPLICABLEINEDITION*"}

Document devices showing Error 65000 but with functional Secure Boot (confirmed in Step 1) versus devices with actual certificate update failures.

Verification: Collect error logs showing the specific 0x82B00006 licensing rejection code. Confirm whether the error is cosmetic (Secure Boot working) or functional (certificate update failed).

Warning: Don't rely solely on Intune policy compliance reports for Secure Boot status. Always verify actual device functionality using PowerShell commands.

06

`Implement Licensing Workarounds for Persistent Error 65000`

For devices still experiencing Error 65000 after Microsoft's service-side fixes (deployed January-February 2026), implement targeted workarounds while waiting for complete licensing propagation.

First, verify if your tenant has received the licensing service updates:

# Check tenant licensing service version (run from any domain-joined device)
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" -Name "LastLoggedOnProvider" -ErrorAction SilentlyContinue

For devices with subscription-activated Enterprise licenses showing as Pro, force license refresh:

# Force Windows license refresh
slmgr /ato
slmgr /dli

# Clear licensing cache and re-evaluate
slmgr /cpky
slmgr /upk
slmgr /ipk [Your-Enterprise-Product-Key]
slmgr /ato

Create a remediation script for bulk deployment through Intune Remediations:

# Detection script
$secureBootEnabled = Confirm-SecureBootUEFI
$policyError = Get-WinEvent -FilterHashtable @{LogName='Application'} -MaxEvents 50 | Where-Object {$_.Id -eq 65000}

if ($secureBootEnabled -and $policyError) {
    Write-Output "Remediation needed: Secure Boot enabled but policy error present"
    exit 1
} else {
    Write-Output "Secure Boot status acceptable"
    exit 0
}

Deploy this as an Intune Remediation with a corresponding remediation script that forces the certificate update process.

Verification: Monitor the remediation deployment success rate and track which devices continue to report Error 65000 despite functional Secure Boot.

Pro tip: For persistent issues affecting more than 10% of your fleet, open a Microsoft support case referencing the Secure Boot certificate expiry timeline and request tenant-specific licensing propagation status.

07

`Validate Certificate Update Success and Long-term Monitoring`

Establish comprehensive validation procedures to confirm Secure Boot certificate updates completed successfully and implement ongoing monitoring for future certificate renewals.

Verify the certificate update timestamp on devices:

# Check Secure Boot certificate information
Get-SecureBootPolicy | Select-Object -Property *

# Verify certificate update completion
Get-WinEvent -FilterHashtable @{LogName='System'; ID=1074} | Where-Object {$_.TimeCreated -gt (Get-Date).AddDays(-7) -and $_.Message -like "*SecureBoot*"}

Create a comprehensive validation report combining Intune data with device-level verification:

# Comprehensive Secure Boot status check
$results = @{
    'SecureBootEnabled' = Confirm-SecureBootUEFI
    'LastCertificateUpdate' = (Get-WinEvent -FilterHashtable @{LogName='System'; ID=1074} | Where-Object {$_.Message -like "*SecureBoot*"} | Select-Object -First 1).TimeCreated
    'PolicyError65000' = (Get-WinEvent -FilterHashtable @{LogName='Application'} | Where-Object {$_.Id -eq 65000} | Measure-Object).Count
    'WindowsEdition' = (Get-ComputerInfo).WindowsEdition
    'LastUpdateInstall' = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
}

$results | ConvertTo-Json

Set up proactive monitoring using Intune Remediations to detect future certificate expiry issues:

Create a detection script that checks certificate validity periods
Schedule monthly execution to identify devices approaching certificate expiry
Configure automated alerts when certificate updates fail

Document the resolution process and create a playbook for future certificate renewal cycles, as Microsoft Secure Boot certificates will continue to expire periodically.

Verification: Confirm all pilot devices show successful certificate updates with timestamps from the past 30 days. Validate that Error 65000 no longer appears in recent event logs while Secure Boot remains enabled.

Pro tip: Export the validation results to a CSV file and compare against your Intune device inventory to identify any devices that may have been missed during the remediation process.

`Frequently Asked Questions`

Why does Intune show Error 65000 for Secure Boot certificates when the device actually has Secure Boot enabled?+

Error 65000 occurs due to licensing policy rejection at the Windows OS level, not because Secure Boot certificate updates failed. The error code 0x82B00006 indicates that Windows rejected the Intune policy due to edition licensing conflicts, particularly on Pro editions or subscription-upgraded Enterprise devices. However, the underlying Secure Boot functionality and certificate updates often succeed through alternative mechanisms. Always verify actual Secure Boot status using Confirm-SecureBootUEFI PowerShell command rather than relying solely on Intune policy compliance reports.

What specific Windows updates are required before deploying Secure Boot certificate policies through Intune?+

Devices must have cumulative updates from January 2026 or later to support Microsoft's Secure Boot certificate renewal process. These updates include the required servicing baseline and licensing metadata necessary for proper certificate management. Check installed updates using Get-HotFix PowerShell command and filter for updates installed after January 1, 2026. Deploy missing cumulative updates through Intune or Windows Update for Business before attempting Secure Boot policy deployment to avoid persistent Error 65000 occurrences.

How can I manually trigger Secure Boot certificate updates when Intune policies fail with Error 65000?+

Use the Windows scheduled task approach by running 'schtasks /Run /TN "\Microsoft\Windows\SecureBoot\CertificateUpdate"' in PowerShell as Administrator. If the scheduled task fails, implement the registry fallback method by creating the ConfigureMicrosoftUpdateManagedOptIn registry key with value 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot, then restart the Windows Update service. This bypasses the Intune policy delivery mechanism while still enabling certificate updates through Windows Update infrastructure.

What's the difference between Windows Pro and Enterprise licensing that causes Secure Boot certificate Error 65000?+

The error primarily affects Windows Pro OEM editions with E3/E5 subscription activations and Enterprise licenses that reverted to Pro after subscription changes. Microsoft's licensing service evaluates the base edition (often Pro) rather than the subscription-activated Enterprise features when processing Secure Boot policies. The service-side fixes deployed between January and February 2026 addressed most Pro edition restrictions, but gradual rollout means some tenants still experience licensing evaluation conflicts. Use 'slmgr /dli' to check actual edition status and force license refresh with 'slmgr /ato' if needed.

How should I monitor Secure Boot certificate deployment success across my entire device fleet in Intune?+

Use Microsoft Intune admin center Reports > Windows quality updates > Secure Boot status for fleet-wide visibility, but supplement with device-level PowerShell verification using Confirm-SecureBootUEFI. Create Intune Remediations with detection scripts that check both policy compliance and actual Secure Boot functionality, as Error 65000 can create false negatives in compliance reporting. Implement monthly monitoring schedules to proactively identify certificate expiry issues and track devices that may have been missed during initial deployment. Export validation results comparing Intune policy status with PowerShell verification to identify discrepancies requiring manual intervention.

Written by
Evan Mael
Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags

#intune#secureboot#certificate

`Further Intelligence`

Deepen your knowledge with related resources


tutorial
Windows
How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
Deep Dive
tutorial
Networking
How to Deploy Network Locations via Group Policy in Windows Server 2025
Deep Dive
tutorial
Cybersecurity
How to Configure Default Inbound Action for Public Profile in Windows Defender
Deep Dive

`Discussion`

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account