IT admins can now check the status of Secure Boot in Windows devices across their firm

Secure Boot has been a hot topic for Microsoft lately, especially since the Windows Secure Boot certificates are set to expire later this year. If they are not updated, the operating system cannot apply certain updates, which leaves the device exposed to malicious attacks. Now, Microsoft is making it easier for IT admins to monitor the state of Secure Boot across their fleet of devices.

For those unaware, Secure Boot is a security feature in Windows that ensures your PC boots only with verified firmware and a trusted bootloader. Along with the Trusted Platform Module (TPM), it is a hardware requirement for Windows 11. The feature first launched in 2011, but after 15 years its certificates are expiring, which means that now is a good time for IT admins to determine the status of this feature across their organization and to update the certificates.

IT admins can simply head over to the Intune admin center and navigate to Reports > Windows Autopatch > Windows quality updates. Under the Reports tab, they can select Secure Boot status, which shows which devices have Secure Boot enabled, how many of them are fully up to date, and which devices need certificate updates. If you notice that Secure Boot certificates are out of date, you can drill down further to see exactly which certificates are outdated. That said, this report only applies to Windows Autopatch-managed devices.

This Secure Boot report contains a lot of default and optional metadata about devices, including device name and model, OS version, Entra device ID, system board and device manufacturer, firmware version, and more. It helps IT admins in the following areas:

  • Understand Secure Boot adoption across their environment
  • Identify Secure Boot-enabled devices that need certificate updates
  • Plan firmware and BIOS update strategies with confidence
  • Reduce risk by addressing Secure Boot readiness proactively

Of course, if a device does not have Secure Boot enabled at all, no action is required. Alternatively, if you're a regular Windows user and not an IT admin, you can find out how to enable Secure Boot using our dedicated guide.
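For admins whose devices are not Autopatch-managed, the same two questions the Intune report answers (is Secure Boot on, and have the replacement certificates landed?) can be checked locally. The following PowerShell is an added example, not part of the article or of Microsoft's report; it assumes the replacement CA names Microsoft published for the 2023 rollover and must run elevated on a UEFI device.

```powershell
# Added example: per-device Secure Boot readiness check.
# Assumes the replacement certificate subject names below (Microsoft's
# published 2023 CAs); adjust them if your environment expects others.
function Get-SecureBootReadiness {
    [CmdletBinding()]
    param(
        # Subject-name substrings expected in the db and KEK variables (assumed names).
        [string[]]$ExpectedDbCerts  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023'),
        [string[]]$ExpectedKekCerts = @('Microsoft Corporation KEK 2K CA 2023')
    )

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $false
        DbHas2023Certs    = $false
        KekHas2023Certs   = $false
        NeedsCertUpdate   = $false
        Error             = $null
    }

    try {
        # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and
        # throws on legacy BIOS machines, which we report as not supported.
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result.Error = "Secure Boot not supported: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    if (-not $result.SecureBootEnabled) {
        # As the article notes, a device without Secure Boot needs no certificate action.
        return [pscustomobject]$result
    }

    # db and KEK are raw EFI_SIGNATURE_LIST blobs; the embedded X.509
    # certificates carry their subject names as printable text, so a
    # substring match is enough to tell whether the 2023 CAs are present.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result.DbHas2023Certs  = @($ExpectedDbCerts  | Where-Object { $db  -notlike "*$_*" }).Count -eq 0
    $result.KekHas2023Certs = @($ExpectedKekCerts | Where-Object { $kek -notlike "*$_*" }).Count -eq 0
    $result.NeedsCertUpdate = -not ($result.DbHas2023Certs -and $result.KekHas2023Certs)

    return [pscustomobject]$result
}

Get-SecureBootReadiness | Format-List
```

Run it through your remote-management tooling of choice and export the objects to CSV to get a fleet view comparable to the Intune report.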
