Secure Boot Certificate Updates for Windows 365

Note

  • Original publish date: February 19, 2026
  • KB ID: 5080914

Note

This article has guidance for:

  • Windows 365 administrators managing Cloud PCs.

  • Organizations using Secure Boot enabled Cloud PCs for Windows 365 deployments.

  • Organizations using custom images for Windows 365 deployments .

In this article:

Introduction

Secure Boot is an UEFI firmware security feature that helps ensure only trusted, digitally signed software runs during a device boot sequence. The Microsoft Secure Boot certificates issued in 2011 begin expiring in June 2026. Without the updated 2023 certificates, devices will no longer receive new Secure Boot and Boot Manager protections or mitigations for newly discovered boot-level vulnerabilities.

All Secure Boot enabled Cloud PCs provisioned in the Windows 365 service, and custom images used to provision them, must be updated to the 2023 certificates before expiration to remain protected. See When Secure Boot certificates expire on Windows devices.

Does this apply to my Windows 365 environment?

Scenario Secure Boot Active? Action Required
Cloud PCs
Cloud PC with Secure Boot enabled Yes Update certificates on the Cloud PC
Cloud PC with Secure Boot disabled No No action needed
Images
Azure Compute Gallery image with Secure Boot enabled Yes Update certificates in the source image before generalizing
Azure Compute Gallery image without Trusted Launch No Apply updates in Cloud PC after provisioning
Managed image (does not support Trusted Launch) No Apply updates in Cloud PC after provisioning

For complete background information, see Secure Boot certificate updates: Guidance for IT professionals and organizations.

Inventory and Monitor

Before taking action, inventory your environment to identify devices that require updates. Monitoring is essential to confirm certificates are applied before the June 2026 deadline—even if you rely on automatic deployment methods. Below are options to determine if action needs to be taken.

Option 1: Microsoft Intune Remediations

For Cloud PCs enrolled in Microsoft Intune, you can deploy a detection script using Intune Remediations (Proactive Remediations) to automatically collect Secure Boot certificate status across your fleet. The script runs silently on each device and reports Secure Boot status, certificate update progress, and device details back to the Intune portal — no changes are made to the devices. Results can be viewed and exported to CSV directly from the Intune admin center for fleet-wide analysis.

For step-by-step instructions on deploying the detection script, see Monitoring Secure Boot Certificate Status with Microsoft Intune Remediations.

Option 2: Windows Autopatch Secure Boot Status Report

For Cloud PCs registered with Windows Autopatch, go to Intune admin centerReports > Windows Autopatch > Windows quality updates > Reports tabSecure Boot status. See Secure Boot status report in Windows Autopatch.

Note: To use Windows Autopatch with Windows 365, Cloud PCs must be registered with the Windows Autopatch service. See Windows Autopatch on Windows 365 Enterprise workloads.

Option 3: Registry Keys for Fleet Monitoring

Use your existing device management tools to query these registry values across your fleet.

Registry Path Key Purpose
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Control\SecureBoot\Servicing
UEFICA2023Status Current deployment status
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Control\SecureBoot\Servicing
UEFICA2023Error Indicates errors (should not exist)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Control\SecureBoot\Servicing
UEFICA2023ErrorEvent Indicates Event ID (should not exist)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Control\SecureBoot
AvailableUpdates Pending update bits

For full registry key details, see Registry key updates for Secure Boot.

Option 4: Event Log Monitoring

Use your existing device management tools to collect and monitor these event IDs from the System event log across your fleet.

Event ID Location Meaning
1808 System Certificates successfully applied
1801 System Update status or error details

For a full list of event details, see Secure Boot DB and DBX variable update events.

Option 5: PowerShell Inventory Script

Run Microsoft’s Sample Secure Boot Inventory Data Collection script to check Secure Boot certificate update status. The script collects several data points including Secure Boot state, UEFI CA 2023 update status, firmware version, and event log activity.

Deployment

Important

Regardless of which deployment option you choose, we recommend monitoring your device fleet to confirm certificates are successfully applied before the June 2026 deadline. For custom images, see Custom Image Considerations.

Option 1: Automatic Updates from Windows Update (High-Confidence Devices)

Microsoft automatically updates devices through Windows monthly updates when sufficient telemetry confirms successful deployment on similar hardware configurations.

  • Status: Enabled by default for high-confidence devices
  • No action required unless you want to opt out
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
Key HighConfidenceOptOut = 1 to opt out
Group Policy Computer Configuration > Administrative Templates > Windows Components > Secure Boot > Automatic Certificate Deployment via Updates > Set to Disabled to opt out

Note

Recommendation: Even with automatic updates enabled, monitor your Cloud PCs to verify certificates are applied. Not all devices may qualify for high-confidence automatic deployment.

For more information, see Automated deployment assists.

Option 2: IT-Initiated Deployment

Manually trigger certificate updates for immediate or controlled rollout.

Method Documentation
Microsoft Intune Microsoft Intune method
Group Policy GPO method
Registry Keys Registry key method
WinCS CLI WinCS APIs

Note

  • Do not mix IT-initiated deployment methods (e.g., Intune and GPO) on the same device—they control the same registry keys and may conflict.
  • Allow approximately 48 hours and one or more restarts for certificates to fully apply.

Custom Image Considerations

Custom images are fully managed by your organization. You are responsible for applying the Secure Boot certificate updates to the custom image and re-uploading it before using it for provisioning.

Applying Secure Boot certificate updates to the source image is only supported with Azure Compute Gallery images (preview), which support Trusted Launch and Secure Boot. Managed images do not support Secure Boot, so certificate updates cannot be applied at the image level. For Cloud PCs provisioned from managed images, apply updates directly on the Cloud PC using one of the deployment methods above.

Before generalizing a new custom image, verify certificates are updated:

Note

Get-ItemProperty "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" | Select-Object UEFICA2023Status

Known Issues

Servicing registry key does not exist

Symptom HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing path does not exist
Cause Certificate updates have not been initiated on the device
Resolution Wait for automatic deployment via Windows Update, or manually initiate using one of the IT-initiated deployment methods above

Status shows “InProgress” for extended period

Symptom UEFICA2023Status remains “InProgress” after multiple days
Cause Device may need a restart to complete the update process
Resolution Restart the Cloud PC and check status again after 15 minutes. If the issue persists, see Secure Boot DB and DBX variable update events for troubleshooting guidance

UEFICA2023Error registry key exists

Symptom UEFICA2023Error registry key is present
Cause An error occurred during certificate deployment
Resolution Check System event log for details. See Secure Boot DB and DBX variable update events for troubleshooting guidance

Resources