Applies To
Windows 10; Windows 10, version 1607, all editions; Win 10 Ent LTSC 2019; Win 10 IoT Ent LTSC 2019; Windows 10 IoT Core LTSC; Windows 10 Enterprise LTSC 2021; Windows 10 IoT Enterprise LTSC 2021; Windows 10, version 22H2, all editions; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025

Original publish date: March 23, 2026

KB ID: 5085790

This article provides the latest information and status for known issues in Windows or Microsoft Intune related to Secure Boot certificates.

For problems deploying Secure Boot certificates that are not caused by known issues in Windows or Microsoft Intune, please refer to the Secure Boot troubleshooting guide.

Known issues when deploying Secure Boot certificates

Symptoms

Secure Boot configuration settings deployed through Microsoft Intune Mobile Device Management (MDM) are currently blocked on Pro editions of Windows 10 and Windows 11.

  • Attempts to apply these policies result in Microsoft Intune Error Code 65000.

  • Event logs might record POLICYMANAGER_E_AREAPOLICY_NOTAPPLICABLEINEDITION, indicating the feature is unavailable on this edition.

Resolution

The Microsoft Intune licensing service was updated on January 27, 2026, to allow Secure Boot configuration settings deployment on Pro editions of Windows 10 and Windows 11.

Note: Microsoft Intune Error Code 65000 might still occur on Pro editions of Windows 11, version 23H2. A resolution for this issue is planned to be released in a future Windows update.

Devices that received their Microsoft Intune license before this date will need to renew their license to resolve this issue. Licenses are automatically renewed every month, so this issue will be resolved for devices by February 27, 2026 (excluding some Windows 11, version 23H2 devices, as noted above). To renew the license on your device manually, run the following commands on the user's behalf (under the user's context):

  • ClipDLS.exe removesubscription

  • ClipRenew.exe

Symptom

On some Hyper‑V virtual machines, Secure Boot certificate updates might fail when updating the Key Exchange Key (KEK). In these cases, the update does not complete and an error such as “The system firmware returned an error: The media is write protected” might be logged (Event ID 1795). 

Resolution

This issue is addressed in Windows updates released on and after March 10, 2026.

Important: To resolve this issue, you must deploy the fix on both the host and the guest.

  • If you are managing the host Hyper-V server, install the latest Windows updates on both the guest and the host.

  • If the host is managed by Azure, install the latest Windows updates on the guest, and the resolution will be included in the Azure 2603 release, later in March 2026.
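To identify guests that logged this failure before you schedule the host and guest updates, the following PowerShell check can be run inside the virtual machine. It is an added example, not part of the original article. It assumes Event ID 1795 is written to the System log and that the message text is in English (the article gives the ID and message but not the log name); the function names are hypothetical.

```powershell
# Added example (not from the KB article). Assumptions: Event ID 1795 is in the
# System log, and the event message is rendered in English.

function Test-HyperVGuest {
    # Hyper-V guests (including Azure VMs) report this manufacturer/model pair.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return ($cs.Manufacturer -eq 'Microsoft Corporation' -and
            $cs.Model -like 'Virtual Machine*')
}

function Get-SecureBootWriteProtectedEvent {
    param(
        # Look-back window in days; older events may predate the fix.
        [int]$Days = 30
    )
    $filter = @{
        LogName   = 'System'
        Id        = 1795
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches,
    # so suppress it and return an empty result instead.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'write protected' } |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, ProviderName, Id, Message
}

$isGuest = Test-HyperVGuest
$hits    = @(Get-SecureBootWriteProtectedEvent -Days 30)

# One summary object per machine, suitable for collection by a management tool.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    IsHyperVGuest      = $isGuest
    MatchingEventCount = $hits.Count
    LatestEventTime    = if ($hits.Count -gt 0) { $hits[0].TimeCreated } else { $null }
    MatchesKnownIssue  = ($isGuest -and $hits.Count -gt 0)
}
```

A machine that reports MatchesKnownIssue as True needs the update on both the guest and its host, as described above. Events logged before the fix was installed remain in the log, so compare LatestEventTime with the patch date.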
