I've been diving into a bunch of knowledge base articles, but I'm still not entirely certain if I need to take specific actions regarding the upcoming expiration of Secure Boot certificates in June 2026. In my environment, we primarily have devices that are either domain-joined and updated through WSUS with GPO control or managed via Intune with Microsoft updates. My confusion stems from the combination of registry keys, GPOs, firmware updates, and Windows Updates. Should I be doing something specific, or will the regular monthly cumulative and security updates handle everything? I've had some success on most systems by setting **AvailableUpdates** to **0x5944** and triggering the secure-boot-update task a few times, but the guidance around this isn't very clear. I would love to hear what others are doing about it!
7 Answers
Here’s a solid write-up outlining steps you can take: [Evil365 Secure Boot Guide](https://evil365.com/intune/SecureBoot-Cert-Expiration/). Plus, the Microsoft AMA on Secure Boot is definitely worth a listen [AMA Secure Boot](https://techcommunity.microsoft.com/event/windowsevents/ama-secure-boot/4472784) and don't forget to check out the playbook for more details [Secure Boot Playbook](https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235). It's essential to do your diligence by identifying all models in your organization, ensuring compatibility, and testing with a few devices first.
I’m in the same boat as you! I’m really curious about the best next steps here.
I recently started testing with the registry key method on a pilot group in IT, and everything has been smooth up to this point.
I’d recommend just setting up the GPO, Intune, or registry method that works best for your situation, and once you’ve restarted a couple of times, check for event ID 1808 to confirm it’s working. This process has been pretty seamless for me so far!
I pushed out the registry key after ensuring all the BIOSes were updated, and now we're good to go!
You basically have three options for handling this situation: 1. Do nothing and hope your devices are classified as high confidence by Microsoft, which means they’re known good models and firmware. If so, expect an automatic Secure Boot update in a future Cumulative Update. 2. Opt into the MicrosoftManaged approach, which requires you to set a registry key and share diagnostic data to help Microsoft determine your device's readiness. 3. Go for the enforceable route by using registry edits, GPOs, Intune, or WinCS to set the AvailableUpdates or AvailableUpdatesPolicy value to 5944. The Secure-Boot-Update scheduled task will then manage the rest; it runs every 12 hours or whenever the system is rebooted. Just remember, BIOS updates may be necessary for any of these methods to ensure success.
Right? Keeping your BIOS updated on all devices is crucial for Option 1 to work.
Honestly, it feels like we're kind of in a ‘wait and see’ situation with all the deployment methods. I set it up via Intune, but it's not functioning correctly on Windows 11 Pro devices—ours are supposed to upgrade to Enterprise. Microsoft acknowledged the issue back in December and is still looking into it. I'm holding out for the January Windows update to see if the Intune policy starts working; otherwise, I might have to manually handle the registry and task scheduling. I did manually change registry keys on a test PC, and it confirmed that the Secure Boot certificate was configured, so that might be a solid fallback option.
+1 for the script from Richard Hicks, it really helped me out!

You’re lucky! I set the 0x5944 registry value, and I see progress in the registry, but it just stalls for days. Not sure what else to try other than patience.