Applies To
Windows 10; Windows 10, version 1607, all editions; Win 10 Ent LTSC 2019; Win 10 IoT Ent LTSC 2019; Windows 10 IoT Core LTSC; Windows 10 Enterprise LTSC 2021; Windows 10 IoT Enterprise LTSC 2021; Windows 10, version 22H2, all editions; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025

Original publish date: March 23, 2026

KB ID: 5085790

This article provides the latest information and status for known issues in Windows or Microsoft Intune related to Secure Boot certificates.

For problems deploying Secure Boot certificates that are not caused by known issues in Windows or Microsoft Intune, please refer to the Secure Boot troubleshooting guide.

Known issues when deploying Secure Boot certificates

Secure Boot certificate updates might log Event ID 1795 on Azure Trusted Launch virtual machines

Symptoms

On some Azure Trusted Launch (Gen2) virtual machines, Secure Boot certificate updates might not complete when attempting to update the Key Exchange Key (KEK).

In these cases, the following may be observed:

  • Event ID 1795 is logged in the System event log.

  • Error messages indicating that the system firmware returned an error while attempting to update a Secure Boot variable.

  • The KEK update remains in progress or does not complete.

Cause

This issue affects certain long‑running Azure virtual machines where Secure Boot variables are maintained by the platform firmware.

In these environments, updates to Secure Boot variables such as KEK depend on coordination between the guest operating system and the Azure host platform. Under specific conditions, this coordination can prevent the KEK update from completing successfully.

Status

At this time, there is no required customer action. A resolution that addresses this issue will be delivered through future updates.

Microsoft Intune Error Code 65000 on Pro editions of Windows 

Symptoms

Secure Boot configuration settings deployed through Microsoft Intune Mobile Device Management (MDM) are currently blocked on Pro editions of Windows 10 and Windows 11.

  • Attempts to apply these policies result in Microsoft Intune Error Code 65000.

  • Event logs might record POLICYMANAGER_E_AREAPOLICY_NOTAPPLICABLEINEDITION, indicating the feature is unavailable on this edition.

Resolution

The Microsoft Intune licensing service was updated on January 27, 2026, to allow Secure Boot configuration settings deployment on Pro editions of Windows 10 and Windows 11.

Note: Microsoft Intune Error Code 65000 might still occur on Pro editions of Windows 11, version 23H2. A resolution for this issue is planned to be released in a future Windows update.

Devices that received their Microsoft Intune license before this date will need to renew their license to resolve this issue. Licenses are automatically renewed every month, so this issue will be resolved for devices by February 27, 2026 (excluding some Windows 11, version 23H2 devices, as noted above). To renew the license on your device manually, run the following commands on the user's behalf (under the user's context):

  • ClipDLS.exe removesubscription

  • ClipRenew.exe

Resolved issues

Secure Boot certificate updates might fail with Event ID 1795 on Hyper‑V virtual machines

Symptom

On some Hyper‑V virtual machines, Secure Boot certificate updates might fail when updating the Key Exchange Key (KEK). In these cases, the update does not complete and an error such as “The system firmware returned an error: The media is write protected” might be logged (Event ID 1795). 

Resolution

This issue is addressed in Windows updates released on and after March 10, 2026, except for Windows Server 2025, which is addressed in Windows updates released on and after April 14, 2026.

Important: To resolve this issue, you must deploy the fix on both the host and the guest.

  • If you are managing the host Hyper-V server, install the latest Windows updates on both the guest and the host.

  • Azure environments

    If the host is managed by Azure, install the March 2026 Windows update or a later update on the guest VM.

    For VMs using hotpatching, install the April 2026 release that includes the fix outside of hotpatching.

  • Azure Local

    For Azure Local devices, install the Azure 2603 security update or a later update.
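
The Event ID 1795 symptom described for both the Azure Trusted Launch and Hyper‑V issues can be checked from inside the guest. The PowerShell below is an added example, not code from this article: the function name and output fields are illustrative, and matching the quoted firmware error text assumes English event messages.

```powershell
# Added example: local triage for Secure Boot Event ID 1795 (run elevated, inside the guest).
# Taken from the article: the System log, Event ID 1795 and the quoted firmware error text.
# The function name, parameter and output field names are illustrative.
function Get-SecureBootKekTriage {
    [CmdletBinding()]
    param([int]$Days = 60)

    $filter = @{ LogName = 'System'; Id = 1795; StartTime = (Get-Date).AddDays(-$Days) }
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is the clean case here.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
        else { throw }
    }

    # Confirm-SecureBootUEFI throws on non-UEFI systems or without elevation; report $null then.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Events whose message carries the text quoted for the Hyper-V issue.
    $writeProtected = @($events | Where-Object { $_.Message -like '*media is write protected*' })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OperatingSystem     = $os.Caption
        BuildNumber         = $os.BuildNumber
        # Hyper-V based guests, Azure VMs included, typically report a Microsoft virtual machine model.
        Platform            = '{0} {1}' -f $cs.Manufacturer, $cs.Model
        SecureBootEnabled   = $secureBoot
        Event1795Count      = $events.Count
        # Get-WinEvent returns newest events first.
        LastEvent1795       = if ($events.Count) { $events[0].TimeCreated } else { $null }
        # Event IDs are not unique across sources, so list the providers for confirmation.
        Providers           = ($events.ProviderName | Sort-Object -Unique) -join ', '
        WriteProtectedCount = $writeProtected.Count
    }
}

Get-SecureBootKekTriage | Format-List
```

A nonzero Event1795Count on a virtual machine matches the symptom of both issues; the output does not distinguish an Azure‑managed host from a self‑managed Hyper‑V host, so apply the guidance above according to where the VM runs.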

Change Log

Change Date

Change Description

April 27, 2026

  • Added the known issue, "Secure Boot certificate updates might log Event ID 1795 on Azure Trusted Launch virtual machines".

April 17, 2026

Revised the second bullet point in the "Resolution" section of the "Secure Boot certificate updates might fail with Event ID 1795 on Hyper‑V virtual machines" resolved issue.

From:

  • If the host is managed by Azure, install the latest Windows updates on the guest, and the resolution is included in the Azure 2603 security update, and later updates.

To:

  • Azure environments

    If the host is managed by Azure, install the March 2026 Windows update or a later update on the guest VM.

    For VMs using hotpatching, install the April 2026 release that includes the fix outside of hotpatching.

  • Azure Local

    For Azure Local devices, install the Azure 2603 security update or a later update.

April 16, 2026

  • Updated the resolution to include when the update for Windows Server 2025 was released for the known issue "Secure Boot certificate updates might fail with Event ID 1795 on Hyper‑V virtual machines".

March 30, 2026

  • Resolved the known issue, "Secure Boot certificate updates might fail with Event ID 1795 on Hyper‑V virtual machines"
