What is Secure Boot?
Secure Boot is a core Windows security feature that helps protect devices from malicious software during startup. When Secure Boot is enabled, the system firmware (UEFI) verifies that only trusted, digitally signed components are allowed to load as the device starts. This helps prevent boot-level malware and ensures that Windows starts using known good, securely signed code.
Secure Boot relies on digital certificates that are stored in the system firmware. These certificates must remain up to date to ensure continued protection and compatibility with Windows security updates.
Why Secure Boot status matters
As Windows security evolves, some Secure Boot certificates are updated or replaced to address emerging threats and strengthen platform protections. Devices that have Secure Boot enabled but are missing required certificate updates may encounter compatibility or security issues over time.
The Secure Boot status report in Windows Autopatch is designed to help IT admins understand the Secure Boot posture of their fleet and identify devices that may require attention—before issues occur.
Learn more about Windows Secure Boot certificate expiration and CA updates.
Secure Boot status report overview
The Secure Boot status report provides a device-level view of Secure Boot across your Windows Autopatch-managed devices. It helps answer three key questions:
- Which devices have Secure Boot enabled?
- Which Secure Boot-enabled devices are fully up to date?
- Which Secure Boot-enabled devices need certificate updates?
For each device, the report shows whether Secure Boot is enabled or not. Devices that do not have Secure Boot enabled do not require any action.
To locate this report:
- Go to the Intune admin center.
- Navigate to Reports > Windows Autopatch > Windows quality updates.
- Select the Reports tab.
- Select Secure Boot status.
Devices with Secure Boot enabled
For devices where Secure Boot is enabled, the report further indicates whether the device’s Secure Boot certificates are up to date.
- If a device is Secure Boot enabled and up to date, no action is required.
- If a device is Secure Boot enabled but not up to date, action is required to update the device’s Secure Boot certificates to the 2023 versions. Learn more about guidance for IT professionals and organizations for Secure Boot certificate updates.
Devices without Secure Boot enabled
If a device does not have Secure Boot enabled, no action is required from a Secure Boot certificate readiness perspective. These devices are included in the report for visibility, but Secure Boot certificate updates apply only to devices where Secure Boot is enabled.
How this report helps IT admins
The Secure Boot status report helps IT admins:
- Understand Secure Boot adoption across their environment
- Identify Secure Boot-enabled devices that need certificate updates
- Plan firmware and BIOS update strategies with confidence
- Reduce risk by addressing Secure Boot readiness proactively
By centralizing this information in Windows Autopatch, admins can more easily monitor Secure Boot readiness and take informed, targeted action where needed—without unnecessary remediation or guesswork.
Interpreting Secure Boot certificate status
As you use this report to assess Secure Boot readiness across your environment, it’s important to understand how Secure Boot certificate status is evaluated and how to interpret the results.
Some administrators compare Secure Boot certificate readiness shown in this report with results from custom scripts or firmware inspection tools and notice differences. These differences are often expected and do not indicate an issue with the report.
Secure Boot certificate readiness is determined by a device’s firmware trust configuration, rather than by device manufacturer alone. Windows Autopatch evaluates certificate applicability based on how the device is configured to trust boot components, rather than requiring a uniform set of Secure Boot certificates across all devices.
For example, a device that is configured to trust only Microsoft-signed boot components may be reported as up to date, even if non-Microsoft Secure Boot certificates aren't present. In this scenario, non-Microsoft certificates aren't applicable to that device's boot configuration.
When validating Secure Boot certificate status, ensure that any comparison accounts for the device’s firmware trust configuration. Comparing certificate presence without considering the active boot configuration can lead to incorrect conclusions about device readiness.
No action is required if a device is reported as up to date in the Secure Boot status report.
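The following script is an added example, not Microsoft's code and not the logic the Autopatch report itself runs. It shows how a local check can apply the same trust-configuration rule the text describes: a 2023 certificate is only expected where the device's firmware already trusts the corresponding 2011 CA (or already carries the 2023 one), so a Microsoft-only boot configuration is not flagged for missing third-party CAs. It relies on the built-in SecureBoot module cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI), which need an elevated session on a UEFI device. The CA names are taken from Microsoft's published Secure Boot certificate guidance rather than from this page and are an assumption to verify against that guidance; the mapping of the 2011 UEFI CA to both 2023 successors is likewise an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code). Evaluates one device's Secure Boot
# certificate readiness in a way that accounts for the device's firmware trust
# configuration, so the result can be compared with the Autopatch report's
# "Secure Boot enabled" and "Certificate status" columns.

function Get-SecureBootReadiness {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems; treat that as "not enabled".
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { $enabled = $false }

    if (-not $enabled) {
        # Mirrors the report: no certificate action is needed when Secure Boot is off.
        return [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            SecureBootEnabled = $false
            CertificateStatus = 'Not applicable'
            MissingCAs        = @()
            NotApplicableCAs  = @()
        }
    }

    # db and KEK are EFI_SIGNATURE_LISTs of DER-encoded certificates. Subject names
    # in DER are ASCII byte sequences, so a substring match on the raw bytes is
    # enough to test for a given CA name.
    $stores = @{
        db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        KEK = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    }

    # CA names: assumption taken from Microsoft's Secure Boot certificate guidance.
    # Legacy  = the 2011 CA whose presence shows the device trusts that class of boot component.
    # Successors = the 2023 CA(s) that must then be present for the device to be up to date.
    $rules = @(
        @{ Store = 'KEK'; Legacy = 'Microsoft Corporation KEK CA 2011';     Successors = @('Microsoft Corporation KEK 2K CA 2023') },
        @{ Store = 'db';  Legacy = 'Microsoft Windows Production PCA 2011'; Successors = @('Windows UEFI CA 2023') },
        @{ Store = 'db';  Legacy = 'Microsoft Corporation UEFI CA 2011';    Successors = @('Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023') }
    )

    $missing       = New-Object System.Collections.Generic.List[string]
    $notApplicable = New-Object System.Collections.Generic.List[string]

    foreach ($rule in $rules) {
        $blob         = $stores[$rule.Store]
        $hasLegacy    = $blob.Contains($rule.Legacy)
        $hasSuccessor = @($rule.Successors | Where-Object { $blob.Contains($_) }).Count -gt 0

        if (-not $hasLegacy -and -not $hasSuccessor) {
            # The device never trusted this component class (for example a Microsoft-only
            # boot configuration with no third-party UEFI CA): the 2023 CA is not applicable,
            # and its absence must not be counted as "not up to date".
            $notApplicable.AddRange([string[]]$rule.Successors)
            continue
        }

        # The class is trusted, so every 2023 successor is expected in that store.
        foreach ($ca in $rule.Successors) {
            if (-not $blob.Contains($ca)) { $missing.Add("$($rule.Store): $ca") }
        }
    }

    $status = if ($missing.Count -eq 0) { 'Up to date' } else { 'Not up to date' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $true
        CertificateStatus = $status
        MissingCAs        = $missing.ToArray()
        NotApplicableCAs  = $notApplicable.ToArray()
    }
}

# Usage: run on the device and compare the output with the device's row in the report.
Get-SecureBootReadiness | Format-List
```

A naive script that simply tests whether all 2023 CA names appear in db and KEK would mark the Microsoft-only device from the example above as not up to date; the NotApplicableCAs field makes visible which certificates were skipped and why, which is the information needed to reconcile a local check with the report.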
Secure Boot status report columns
The Secure Boot status report includes a set of default columns that are shown for all customers, as well as optional columns that can be added to the view for deeper hardware and firmware insight.
Default columns
These columns are shown by default and are designed to help IT admins quickly understand Secure Boot coverage and certificate readiness across their devices.
| Column name | Description |
|---|---|
| Device name | The name of the device. |
| OS version | The Windows operating system version running on the device. |
| Microsoft Entra device ID | The Microsoft Entra device ID associated with the device. |
| Secure Boot enabled | Indicates whether Secure Boot is enabled on the device. |
| Certificate status | An aggregate status showing whether Secure Boot certificates on the device are Up to date, Not up to date, or Not applicable. |
| Device model | The commercial model of the device. |
Optional columns
These columns can be added to the report to provide more detailed hardware and firmware context. They are helpful for troubleshooting, hardware correlation, and advanced analysis, but aren't required for understanding Secure Boot status.
| Column name | Description |
|---|---|
| Device manufacturer | The device manufacturer reported by the OEM. |
| System board manufacturer | The manufacturer of the device’s system board (motherboard). |
| Model family | The device product family or product line. |
| System board model | The specific system board model used in the device. |
| System board version | The version or revision of the system board. |
| Device SKU | The OEM SKU that identifies a specific hardware configuration. |
| Firmware manufacturer | The manufacturer of the device’s firmware (BIOS/UEFI). |
| Firmware version | The currently installed firmware (BIOS/UEFI) version. |
| Firmware release date | The release date of the installed firmware version. |
Data freshness, reporting latency, and diagnostic data requirements
The Secure Boot status report is based on Secure Boot-related events reported by devices after startup. As a result, changes to Secure Boot state or certificate status might not appear immediately in the report.
After Secure Boot certificates are updated and the device is restarted, it can take up to 12 hours for the updated status to be processed and reflected in the Secure Boot status report.
If a device shows Not up to date, Not applicable, or Unknown shortly after remediation, this doesn't indicate a failure. Allow time for the device to complete reporting before taking additional action.
The Secure Boot status report also depends on successful reporting and processing of Secure Boot diagnostic data. If a device isn't configured to share the required (basic) Windows diagnostic data, Secure Boot events might not be reported, and the device might appear as Unknown or Not applicable in the report. In this case, the report doesn't indicate an error or misconfiguration; it indicates that no Secure Boot diagnostic data has been received for the device.
To help ensure accurate and complete reporting, configure devices to share the required Windows diagnostic data. Check that the tenant has the Data Processor Service for Windows (DPSW) enabled.
Recent improvements to the report
The Secure Boot status report has been updated to improve completeness and consistency of the data presented.
- The report no longer limits the number of devices that can be displayed.
- Exported report data now includes all applicable devices.
- Exported data now reflects the same values shown in the report.
These improvements ensure that both the report view and exported data provide a complete and consistent representation of Secure Boot status across your device fleet.