Applying Secure Boot certificate update settings using model-based targeting in Microsoft Intune

In this Article:

• Introduction

• Prerequisites

• Step 1 - Configure Secure Boot certificate update settings in Intune (Settings catalog)

• Step 2 - Create an assignment filter for model-based targeting

• Step 3 - Assign the policy using the assignment filter

• Frequently Asked Questions

• Resources

Introduction

This guidance helps IT administrators enable the Secure Boot certificate update process using Microsoft Intune Settings catalog policies. It outlines how to configure the Secure Boot setting that enables the certificate update process and how to deploy that configuration. It also highlights how to use model‑based assignment filters to support controlled, staged rollouts on hardware that has already been validated to handle the update successfully.

Prerequisites

Secure Boot certificate update eligibility is determined by the Secure Boot Policy CSP and device firmware. This scope doesn’t always align with Windows servicing (i.e., updates) timelines or Intune enrollment requirements.

Intune and policy prerequisites

• Sign in with an account that has permissions to create filters and create/assign Settings Catalog policies.

• Devices must be enrolled in Intune (assignment filters apply only to managed devices).

Secure Boot eligibility prerequisites

• The list of supported Windows versions is available in Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates.

• Devices must have Secure Boot enabled and should be on a current servicing update.

Step 1 - Configure Secure Boot certificate update settings in Intune (Settings catalog)

In this step, you create a Windows Settings catalog device configuration profile in Microsoft Intune. You also configure the Secure Boot settings that enable the Secure Boot certificate update process.

What you will create

A Windows Settings catalog device configuration profile that enables the Enable Secure Boot Certificate Updates:

Create the Settings catalog profile

1. Sign in to the Microsoft Intune admin center.

2. Go to Devices > Manage devices > Configuration.

3. Select Create > New policy.

4. In Create a profile:

5. Platform: Windows 10 and later

6. Profile type: Settings catalog

7. Select Create.

8. Name the profile (e.g., Secure Boot Certificate Update), add an optional description, and select Next.

9. On Configuration settings, select Add settings.

10. In the settings picker, search for Secure Boot and select it under Browse by category.

11. Add the Enable Secure Boot Certificate Updates setting from the three presented in the Secure Boot category to the profile.

    Note: You can configure the other Secure Boot settings in this category in the same way if your deployment scenario requires them.

12. Configure the setting value to Enabled.

13. Select Next to continue to the assignments. (You will apply a filter in Step 3).

Step 2 - Create an assignment filter for model ‑based targeting

Next, you create an Intune assignment filter that targets specific device models. Model-based targeting allows you to scope Secure Boot certificate updates to selected hardware models. This controlled and staged deployment doesn’t require additional Microsoft Entra ID groups.

Why model-based targeting is recommended for Secure Boot certificate deployment

• Firmware variability - OEMs implement Secure Boot differently, so model-level scoping reduces unexpected behavior.

• Prior validation - You can validate certificate updates on a known good hardware set before broad rollout.

What you will create

A Managed devices assignment filter that targets (or excludes) specific device models.

Create the assignment filter

1. Sign in to the Microsoft Intune admin center.

2. Go to Tenant administration > Assignment filters > Create.

3. Select Managed devices.

4. In Basics, set:

   • Filter name (descriptive).

   • Description (optional, but recommended).

   • Platform: Windows 10 and later.

5. Select Next.

6. In Rules, choose one approach:

   • Rule builder (recommended for most admins)

   • Rule syntax (manual expression editing)

Build a model-based rule (rule builder)

1. In Rule builder, select the model property.

2. Choose an operator.

3. Enter the model string(s) you want to match.

4. Select Add expression to add it to the rule.

5. If needed, use And/Or to extend the rule to additional models or to add additional criteria based on other possible filterable properties.

Preview and create the filter

1. Select Preview devices to confirm which enrolled devices match.

2. Select Next.

3. (Optional) Assign Scope tags if you use them.

4. Select Next.

5. In Review + create, select Create.

Step 3 - Assign the policy using the assignment filter

Finally, you assign the Settings catalog profile to a device or user group and apply the assignment filter. This determines which enrolled devices receive and process the Secure Boot certificate update settings during policy evaluation.

What you will do

You will assign the Secure Boot Settings catalog profile from Step 1 to a group, then apply the filter from Step 2 in Include or Exclude mode.

Apply the assignment filter

1. In the Microsoft Intune admin center, navigate to Devices > Manage devices > Configuration.

2. Select the Settings catalog profile you created in Step 1 above.

3. Open Properties > Assignments > Edit.

4. Assign the profile to the appropriate user group or device group.

   Tip: If you don’t have any other criteria to limit targeting, assign this policy to the All devices virtual group. Use the device model assignment filter from Step 2 to scope the assignment. This combination is sufficient for most deployments. The All devices virtual group is built in, requires no group maintenance, and is optimized for scale. Then, the assignment filter narrows applicability at device check-in based on device properties, without requiring additional Microsoft Entra groups.

5. Select Edit filter.

6. Choose one:

   • Include filtered devices in assignment: only devices that match the filter receive the policy.

   • Exclude filtered devices in assignment: devices that match the filter don’t receive the policy.

7. Select your existing assignment filter from Step 2 and choose Select.

8. Select Review + save > Save.

Understand device behavior

• Intune evaluates the filter when the device enrolls, each time it checks in, and whenever the assigned policy is re‑evaluated.

• Enabling the Secure Boot setting doesn’t guarantee immediate certificate application. For the Secure Boot setting that triggers the update process, the Windows Secure Boot task runs every 12 hours. Some updates can require a restart.

Frequently Asked Questions

Resources

• Settings definitions and allowed values: SecureBoot Policy CSP

• Settings catalog flow and setting behavior: Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates ​​​​​​​

• Background and timelines: Windows Secure Boot certificate expiration and CA updates ​​​​​​​

• Create, preview, and apply filters: Create assignment filters in Microsoft Intune ​​​​​​​

• Supported properties, operators, and syntax: Assignment filter properties and operators reference ​​​​​​​

• Overall rollout planning and Intune called out as a recommended option: Secure Boot playbook for certificates expiring in 2026 ​​​​​​​

• Monitoring-only approach and Intune reporting)​​​​​​: Monitoring Secure Boot certificate status with Microsoft Intune remediations ​​​​​​​