Original publish date: February 19, 2026

KB ID: 5080914

This article has guidance for:

  • Windows 365 administrators managing Cloud PCs.

  • Organizations using Secure Boot enabled Cloud PCs for Windows 365 deployments.

  • Organizations using custom images for Windows 365 deployments.


Introduction 

Secure Boot is a UEFI firmware security feature that helps ensure only trusted, digitally signed software runs during a device's boot sequence. The Microsoft Secure Boot certificates issued in 2011 begin expiring in June 2026. Without the updated 2023 certificates, devices will no longer receive new Secure Boot and Boot Manager protections or mitigations for newly discovered boot-level vulnerabilities.

All Secure Boot enabled Cloud PCs provisioned in the Windows 365 service, and custom images used to provision them, must be updated to the 2023 certificates before expiration to remain protected. See When Secure Boot certificates expire on Windows devices.

Does this apply to my Windows 365 environment?

| Scenario | Secure Boot Active? | Action Required |
|---|---|---|
| Cloud PCs | | |
| Cloud PC with Secure Boot enabled | Yes | Update certificates on the Cloud PC |
| Cloud PC with Secure Boot disabled | No | No action needed |
| Images | | |
| Azure Compute Gallery image with Secure Boot enabled | Yes | Update certificates in the source image before generalizing |
| Azure Compute Gallery image without Trusted Launch | No | Apply updates in Cloud PC after provisioning |
| Managed image (does not support Trusted Launch) | No | Apply updates in Cloud PC after provisioning |

For complete background information, see Secure Boot certificate updates: Guidance for IT professionals and organizations.

Inventory and Monitor

Before taking action, inventory your environment to identify devices that require updates. Monitoring is essential to confirm certificates are applied before the June 2026 deadline, even if you rely on automatic deployment methods. The following options help you determine whether action is needed.

Option 1: Microsoft Intune Remediations

For Cloud PCs enrolled in Microsoft Intune, you can deploy a detection script using Intune Remediations (Proactive Remediations) to automatically collect Secure Boot certificate status across your fleet. The script runs silently on each device and reports Secure Boot status, certificate update progress, and device details back to the Intune portal — no changes are made to the devices. Results can be viewed and exported to CSV directly from the Intune admin center for fleet-wide analysis.

For step-by-step instructions on deploying the detection script, see Monitoring Secure Boot Certificate Status with Microsoft Intune Remediations.

Option 2: Windows Autopatch Secure Boot Status Report 

For Cloud PCs registered with Windows Autopatch, go to Intune admin center > Reports > Windows Autopatch > Windows quality updates > Reports tab > Secure Boot status. See Secure Boot status report in Windows Autopatch.

Note: To use Windows Autopatch with Windows 365, Cloud PCs must be registered with the Windows Autopatch service. See Windows Autopatch on Windows 365 Enterprise workloads.

Option 3: Registry Keys for Fleet Monitoring 

Use your existing device management tools to query these registry values across your fleet.

| Registry Path | Key | Purpose |
|---|---|---|
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | UEFICA2023Status | Current deployment status |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | UEFICA2023Error | Indicates errors (should not exist) |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | UEFICA2023ErrorEvent | Indicates Event ID (should not exist) |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot | AvailableUpdates | Pending update bits |

For full registry key details, see Registry key updates for Secure Boot.

Option 4: Event Log Monitoring 

Use your existing device management tools to collect and monitor these event IDs from the System event log across your fleet.

| Event ID | Location | Meaning |
|---|---|---|
| 1808 | System | Certificates successfully applied |
| 1801 | System | Update status or error details |

For a full list of event details, see Secure Boot DB and DBX variable update events.
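The registry values from Option 3 and the event IDs from Option 4 can be collected together with one script. The following is an added example, not Microsoft's Sample Secure Boot Inventory Data Collection script or the Intune detection script referenced above; it assumes the Servicing key may be absent until updates start, and takes 'Updated' as the completion value of UEFICA2023Status from the linked Registry key updates for Secure Boot documentation rather than from this article.

```powershell
# Added example, not Microsoft's sample inventory script: summarise 2023 CA
# rollout state on the local device from the registry values and event IDs
# listed in this article. Exit 0 = compliant, exit 1 = needs attention, so it
# can also serve as an Intune Remediations detection script (runs as SYSTEM).
$servicingKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$secureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent; the Servicing key is only created
    # once certificate updates have been initiated (see Known Issues).
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-LastSystemEvent([int]$Id) {
    # Newest System-log event with this ID (1808 = applied, 1801 = status/error).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $Id } -MaxEvents 1 -ErrorAction SilentlyContinue
}

# Confirm-SecureBootUEFI throws where UEFI Secure Boot is unsupported; treat
# that as "not enabled" instead of aborting the inventory run.
$secureBootEnabled = $false
try { $secureBootEnabled = [bool](Confirm-SecureBootUEFI) } catch { }

$result = [pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    SecureBootEnabled    = $secureBootEnabled
    UEFICA2023Status     = Get-RegValue $servicingKey 'UEFICA2023Status'
    UEFICA2023Error      = Get-RegValue $servicingKey 'UEFICA2023Error'
    UEFICA2023ErrorEvent = Get-RegValue $servicingKey 'UEFICA2023ErrorEvent'
    AvailableUpdates     = Get-RegValue $secureBootKey 'AvailableUpdates'
    HighConfidenceOptOut = Get-RegValue $secureBootKey 'HighConfidenceOptOut'
    LastApplied1808      = (Get-LastSystemEvent 1808).TimeCreated
    LastStatus1801       = (Get-LastSystemEvent 1801).Message
}

# 'Updated' as the completion value of UEFICA2023Status is an assumption taken
# from the linked "Registry key updates for Secure Boot" documentation.
if (-not $result.SecureBootEnabled) {
    $verdict = 'Secure Boot disabled, no action needed'; $exitCode = 0
} elseif ($null -ne $result.UEFICA2023Error -or $null -ne $result.UEFICA2023ErrorEvent) {
    $verdict = 'Error key present, review System log event 1801'; $exitCode = 1
} elseif ($result.UEFICA2023Status -eq 'Updated') {
    $verdict = '2023 certificates applied'; $exitCode = 0
} else {
    $verdict = 'Not started or in progress, restart and re-check'; $exitCode = 1
}
$result | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict
$result | ConvertTo-Json -Compress   # one line of output per device for export
exit $exitCode
```

Run it elevated (the Secure Boot cmdlet and the System log require it); the compressed JSON line is what appears in the Intune Remediations output column and can be exported to CSV alongside the built-in status fields.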

Option 5: PowerShell Inventory Script 

Run Microsoft’s Sample Secure Boot Inventory Data Collection script to check Secure Boot certificate update status. The script collects several data points including Secure Boot state, UEFI CA 2023 update status, firmware version, and event log activity. 

Deployment

Important: Regardless of which deployment option you choose, we recommend monitoring your device fleet to confirm certificates are successfully applied before the June 2026 deadline. For custom images, see Custom Image Considerations.

Option 1: Automatic Updates from Windows Update (High-Confidence Devices) 

Microsoft automatically updates devices through Windows monthly updates when sufficient telemetry confirms successful deployment on similar hardware configurations.

  • Status: Enabled by default for high-confidence devices

  • No action required unless you want to opt out

| Opt-out method | Setting |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot, key HighConfidenceOptOut = 1 to opt out |
| Group Policy | Computer Configuration > Administrative Templates > Windows Components > Secure Boot > Automatic Certificate Deployment via Updates, set to Disabled to opt out |

Recommendation: Even with automatic updates enabled, monitor your Cloud PCs to verify certificates are applied. Not all devices may qualify for high-confidence automatic deployment.

For more information, see Automated deployment assists.

Option 2: IT-Initiated Deployment

Manually trigger certificate updates for immediate or controlled rollout.

| Method | Documentation |
|---|---|
| Microsoft Intune | Microsoft Intune method |
| Group Policy | GPO method |
| Registry Keys | Registry key method |
| WinCS CLI | WinCS APIs |

Notes: 

  • Do not mix IT-initiated deployment methods (e.g., Intune and GPO) on the same device—they control the same registry keys and may conflict.

  • Allow approximately 48 hours and one or more restarts for certificates to fully apply.

Custom Image Considerations

Custom images are fully managed by your organization. You are responsible for applying the Secure Boot certificate updates to the custom image and re-uploading it before using it for provisioning.

Applying Secure Boot certificate updates to the source image is only supported with Azure Compute Gallery images (preview), which support Trusted Launch and Secure Boot. Managed images do not support Secure Boot, so certificate updates cannot be applied at the image level. For Cloud PCs provisioned from managed images, apply updates directly on the Cloud PC using one of the deployment methods above. 

Before generalizing a new custom image, verify certificates are updated (Get-ItemProperty needs the registry provider path, so use the HKLM: drive rather than the HKEY_LOCAL_MACHINE hive name):

Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" | Select-Object UEFICA2023Status

Known Issues

Servicing registry key does not exist

Symptom: The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing path does not exist.

Cause: Certificate updates have not been initiated on the device.

Resolution: Wait for automatic deployment via Windows Update, or manually initiate using one of the IT-initiated deployment methods above.

Status shows "InProgress" for extended period

Symptom: UEFICA2023Status remains "InProgress" after multiple days.

Cause: The device may need a restart to complete the update process.

Resolution: Restart the Cloud PC and check status again after 15 minutes. If the issue persists, see Secure Boot DB and DBX variable update events for troubleshooting guidance.

UEFICA2023Error registry key exists

Symptom: The UEFICA2023Error registry key is present.

Cause: An error occurred during certificate deployment.

Resolution: Check the System event log for details. See Secure Boot DB and DBX variable update events for troubleshooting guidance.
