Late to the Party: Secure Boot & The Chamber of Secrets
This writeup assumes that you’re on Intune.
Ugh! I’ve been putting this off for far too long. Secure Boot certificates expire next month (June 2026), and I’m just finding time to dabble with my environment. What a mess!
I remember three or so years ago, when Secure Boot remediations were first brought to the spotlight. Microsoft’s pathetic attempt at providing a solution gave me a headache — “apply this reg setting. Reboot. Apply another reg setting. Then hope and pray it takes, and hope you get the updated certs in the next LCU.” Or something like that, it’s been years and I’ve since moved to a new environment. I remember having to write it via an SCCM Task Sequence for HP devices.
It’s now one month out from SecureBoot Doomsday and has Microsoft made it any easier to apply the remediation? Well, kind of… Let’s dig in.
Intune or as a previous boss called it: “i-Tune”
Microsoft has made some serious overhauls to reporting Secure Boot status. There’s a lovely report buried in Reports > Windows Autopatch / Windows quality updates > Reports > Secure Boot status, and it kind of makes sense? It’s not the greatest, but it’s something!
I’m going to break down some of the properties to the best of my knowledge:

1. Certificate status: This is pretty self-explanatory. Are your devices up to date with the latest certs?
2. Secure Boot Trust Setting:
   - “Microsoft Only” vs “Microsoft and non-Microsoft”: In most cases you’re going to want this to be “Microsoft and non-Microsoft”. This ensures that 3rd-party resources that need to load at boot are allowed. Only go with the “Microsoft Only” plan if your environment is super restrictive, like GC restrictive.
3. Confidence level: This is a silly metric in my opinion. It’s a check against Microsoft’s testing and research among the OEM hardware vendors to see if the remediation will take properly.
My biggest concern was the “Microsoft Only” vs “Microsoft and non-Microsoft” property. Essentially, if you are “Microsoft Only” you will only receive updates to the Secure Boot trust chain from Microsoft. This is the most restrictive option, but it leaves out vendor-specific updates. In my opinion, you want “Microsoft and non-Microsoft” so that you get updates from your OEM vendors as well.
These updates would be things like blacklisting bootloaders/boot vulnerabilities.
DO YOUR DUE DILIGENCE. Don’t trust a random stranger on the Internet. Play around with the data collected for your environment and formulate your own plan. Me? I’m winging it.
My brand new machines aren’t up to date?!

Yeah. I don’t get it either. Machines fresh out of the box, current to this year, and ordered just last month are listed as “Not up to date” and missing two out of four certificates. Anyway let’s start fixin’!
Configuration Policies
In Intune, create a new Configuration Policy:
- Platform: Windows 10 and later
- Profile type: Settings Catalog
Search for “Secure Boot”. There are three settings. Let’s break them down.

1. Enable Secureboot Certificate Updates: toggle this ON.
   - You want this on so that your devices receive the remediation via Microsoft’s rollout.
2. Configure High Confidence Opt Out: toggle this OFF.
   - I don’t want this, and you probably don’t either. This throws you into the bucket where the remediation is applied only if Microsoft’s “Confidence level” (remember from before?) is high.
3. Configure Microsoft Update Managed Opt In: toggle this ON.
   - This opts you in to Microsoft’s Controlled Feature Rollout. You want this ON to have the Secure Boot remediation be downloaded, installed, and applied.
The image above shows how you want your config profile to be set up in most use cases. Again, unless you’re government or highly restrictive, you may want to tinker with these settings.
IT 101: Always pilot your config changes!
Close It Out!
Devices still need to go through the reboot process for the remediation to apply and the certs to get installed, so keep that in mind before you go frantically reviewing your reports wondering why it’s not showing any changes.
Give it time, well, as much time as we have until Doomsday. Don’t worry though! You’ll be fine! What’s the worst that can happen? Your org gets hit with the BlackLotus bootloader and gets ransomware.
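While the Intune report catches up, it helps to be able to check a single device directly instead of waiting on reporting. The script below is an added example written for this writeup, not something from the original post or from Microsoft; it reads the firmware db and KEK variables and the Secure Boot servicing registry key to tell you whether the 2023 certificates have landed and whether a reboot-pending update is queued. The certificate name strings and the `Microsoft-Windows-TPM-WMI` event ID 1801 lookup are assumptions based on the currently published 2023 CA names; adjust them if your report shows different certificate names.

```powershell
# Added example (not from the original post): verify Secure Boot certificate
# remediation state on one device. Run from an elevated PowerShell prompt on a
# UEFI machine; Get-SecureBootUEFI needs admin rights.

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SecureBootEnabled  = $false
        DbHasWindowsCA2023 = $false   # "Windows UEFI CA 2023" signs the Windows boot manager
        DbHasThirdPartyCA  = $false   # "Microsoft UEFI CA 2023" covers non-Microsoft boot components
        KekHas2023CA       = $false   # "Microsoft Corporation KEK 2K CA 2023"
        ServicingStatus    = $null    # UEFICA2023Status value under SecureBoot\Servicing
        AvailableUpdates   = $null    # AvailableUpdates DWORD: non-zero means work is still pending
        NeedsUpdateEvent   = $false   # assumption: TPM-WMI event 1801 = "certs need to be updated"
    }

    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        # Legacy BIOS or firmware without Secure Boot support: nothing else to check.
        return [pscustomobject]$result
    }

    # db and KEK are raw EFI_SIGNATURE_LISTs. The CA subject names are stored as
    # plain text inside the DER-encoded certificates, so a substring search is
    # enough to detect them without writing a full signature-list parser.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result.DbHasWindowsCA2023 = [bool]($db  -match 'Windows UEFI CA 2023')
    $result.DbHasThirdPartyCA  = [bool]($db  -match 'Microsoft UEFI CA 2023')
    $result.KekHas2023CA       = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')

    # The servicing task records its own progress here; UEFICA2023Status reads
    # NotStarted / InProgress / Updated on builds that expose it.
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    if (Test-Path $servicing) {
        $props = Get-ItemProperty -Path $servicing
        $result.ServicingStatus  = $props.UEFICA2023Status
        $result.AvailableUpdates = $props.AvailableUpdates
    }

    # Assumption: the System log carries TPM-WMI event 1801 while the firmware
    # still needs the new CAs. Its presence is a hint, not proof, so it is
    # reported separately from the firmware checks above.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = 1801
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.NeedsUpdateEvent = ($null -ne $evt)

    [pscustomobject]$result
}

# Summarise: a device is "done" only when the firmware itself holds the new
# CAs and the servicing task has nothing left queued.
function Test-SecureBootRemediated {
    $s = Get-SecureBootCertStatus
    $s.SecureBootEnabled -and $s.DbHasWindowsCA2023 -and $s.KekHas2023CA -and
        (-not $s.AvailableUpdates -or $s.AvailableUpdates -eq 0)
}

Get-SecureBootCertStatus | Format-List
"Remediated: $(Test-SecureBootRemediated)"
```

If `DbHasWindowsCA2023` is false but `AvailableUpdates` is non-zero, the policy has reached the device and it is simply waiting on the reboots described above; if both are false and nothing is queued, go back and confirm the configuration profile actually applied to that device before blaming the report.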