Microsoft has made it easier for IT administrators to monitor Secure Boot status.

Microsoft has added a new tool for IT administrators that allows them to monitor the status of Secure Boot on all Windows devices in their organization. This is especially relevant now that Windows certificates are about to expire, potentially leaving devices vulnerable to attack.
Secure Boot is a Windows security feature that ensures your computer boots using verified firmware and a trusted bootloader. Along with the Trusted Platform Module (TPM), it is a mandatory requirement for Windows 11. The feature was introduced in 2011, but after 15 years its certificates are expiring, so administrators need to check their status and renew them.
To check, they can go to the Microsoft Intune Admin Center > Reports > Windows Automatic Updates > Windows Quality Updates. In the Reports tab, admins can select "Secure Boot status," which will show which devices have this setting enabled and how many are fully updated. If necessary, they can drill down to see which certificates are out of date and require updating. However, this report only works for devices managed through Windows Autopatch.
The report contains detailed device metadata, including device name and model, operating system version, Entra ID, motherboard and device manufacturer, firmware version, and other information. This helps administrators understand the level of Secure Boot implementation within their organization, identify devices requiring certificate updates, confidently plan a firmware and BIOS update strategy, and proactively mitigate boot security risks.
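Because the Intune report only covers Autopatch-managed devices, the same two facts it surfaces (is Secure Boot enabled, and has the device received the replacement certificates yet) can be read locally on any Windows 11 machine. The script below is an added example, not from the article or from Microsoft; it assumes an elevated Windows PowerShell session with the built-in SecureBoot module (Confirm-SecureBootUEFI, Get-SecureBootUEFI), and the certificate subject names it searches for are assumptions based on Microsoft's published CA names, not values from this article.

```powershell
# Added example (not from the article): local Secure Boot certificate check for one
# device, e.g. a machine that Windows Autopatch does not manage. Run elevated.

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param(
        # Assumed names of the replacement (2023) and original (2011) Microsoft CAs.
        [string[]]$CurrentCaNames = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023'),
        [string[]]$LegacyCaNames  = @('Microsoft Windows Production PCA 2011',
                                      'Microsoft Corporation UEFI CA 2011')
    )

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootOn      = $false
        LegacyCAsPresent  = @()
        CurrentCAsPresent = @()
        NeedsCertUpdate   = $null
        Error             = $null
    }

    try {
        # Returns $true/$false; throws on legacy BIOS systems without UEFI variables.
        $result.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }

    # 'db' is the allowed-signatures database. Certificate subject names survive as
    # ASCII inside the DER blobs, which is enough for a presence check (not a full parse).
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    $result.LegacyCAsPresent  = @($LegacyCaNames  | Where-Object { $dbText -match [regex]::Escape($_) })
    $result.CurrentCAsPresent = @($CurrentCaNames | Where-Object { $dbText -match [regex]::Escape($_) })

    # Flag the device when Secure Boot is on but none of the replacement CAs are trusted yet.
    $result.NeedsCertUpdate = $result.SecureBootOn -and ($result.CurrentCAsPresent.Count -eq 0)

    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

Devices that report SecureBootOn as true with NeedsCertUpdate also true are the ones the Intune report would list as requiring a certificate update; run it through your RMM or a scheduled task to cover the non-Autopatch fleet.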
