Microsoft Intune Now Reports Secure Boot Status for IT Admins
Microsoft Intune is enhancing its capabilities for IT administrators by introducing robust reporting for Secure Boot status across managed Windows devices. This new feature provides crucial visibility into the security posture of endpoints, particularly as the 2011-era Secure Boot certificates approach their expiration in mid-2026. Understanding and managing Secure Boot is vital for maintaining system integrity and ensuring devices can receive critical security updates.
The integration of Secure Boot status reporting within the Microsoft Intune admin center marks a significant step forward in endpoint security management. Previously, obtaining this level of detail often required complex scripting or manual checks, a process that was both time-consuming and prone to error, especially in large organizations. Now, IT professionals can access a centralized dashboard to assess their fleet’s readiness and compliance with security best practices.
Understanding Secure Boot and Its Importance
Secure Boot is a fundamental security feature of the Unified Extensible Firmware Interface (UEFI) standard, designed to ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When enabled, Secure Boot verifies the digital signature of each piece of boot software, including firmware drivers and the operating system loader, before allowing it to run. This process helps protect against boot-level malware, such as rootkits and bootkits, which can compromise the entire system before the operating system even loads.
The integrity of the boot process is paramount for overall system security. By ensuring that only authenticated code is executed during startup, Secure Boot acts as a foundational layer of defense. This is particularly critical for organizations that handle sensitive data or operate in environments with high-security requirements. The reliance on digitally signed components creates a chain of trust that malicious actors cannot easily break.
Along with the Trusted Platform Module (TPM), Secure Boot is a key hardware requirement for Windows 11, underscoring Microsoft’s commitment to enhancing baseline security for modern computing devices. The combination of TPM and Secure Boot provides a robust hardware-based security foundation, enabling features like BitLocker drive encryption and Windows Hello for Business. Their presence and correct configuration are increasingly important for meeting modern security standards and compliance mandates.
The Impending Certificate Expiration and Its Ramifications
A significant catalyst for the enhanced reporting in Intune is the upcoming expiration of Microsoft’s 2011-era Secure Boot certificates. These certificates are integral to the trust chain that Secure Boot relies upon. As these certificates expire, devices that continue to rely on them may lose the ability to validate new bootloaders and receive essential security updates, potentially rendering them vulnerable to attacks and unable to install future operating system patches.
The expiration dates are staggered, with some certificates expiring in June 2026 and a critical one for the Windows Boot Manager set to expire in October 2026. This timeline necessitates proactive management by IT administrators to ensure all devices are updated to the newer 2023 certificate chain before these deadlines. Failure to do so could lead to significant security risks and operational disruptions.
The consequences of ignoring this expiration can be severe. Organizations might find their devices unable to install critical Windows security updates, leading to a compromised security posture. Furthermore, third-party software that relies on the updated certificates may not be trusted, impacting application compatibility. In essence, devices with expired certificates risk becoming untrusted and unserviceable in the pre-boot environment.
Intune’s New Secure Boot Status Report
Microsoft has introduced a dedicated Secure Boot status report within the Intune admin center, primarily accessible through the Windows Autopatch reporting section. This report offers IT administrators a consolidated view of Secure Boot adoption and readiness across their managed Windows devices. It aims to answer three key questions: which devices have Secure Boot enabled, which of those are up to date with the latest certificates, and which require certificate updates.
This report provides a device-level overview, including valuable metadata such as device name, model, OS version, Entra device ID, and manufacturer details. This comprehensive data allows administrators to understand their environment’s Secure Boot adoption rate, identify specific devices needing attention, and confidently plan firmware and BIOS update strategies. Proactively addressing Secure Boot readiness helps mitigate risks associated with outdated certificates.
The report is designed to offer a centralized, exportable view of certificate update progress, simplifying the monitoring process. While the report primarily focuses on Windows Autopatch-managed devices, its presence signifies Microsoft’s direction towards providing more granular hardware security insights directly within Intune. This moves away from relying solely on custom scripts or manual checks for such critical security information.
Configuring Secure Boot Certificate Updates via Intune
Microsoft Intune offers several methods for deploying and managing Secure Boot certificate updates. One primary approach involves utilizing the Settings Catalog within Intune’s configuration profiles. Administrators can create a new policy for Windows 10 and later, selecting “Settings Catalog” as the profile type. Within the catalog, searching for “Secure Boot” reveals three key settings: “Enable Secureboot Certificate Updates,” “Configure Microsoft Update Managed Opt In,” and “Configure High Confidence Opt-Out”.
The “Enable Secureboot Certificate Updates” policy controls whether Windows initiates the Secure Boot certificate deployment process on devices. By enabling this setting, organizations can ensure that their managed devices automatically receive and apply the necessary certificate updates as part of the regular Windows update cycle. This setting is crucial for automating the update process and maintaining compliance.
Additional settings, such as “Configure Microsoft Update Managed Opt In” and “Configure High Confidence Opt-Out,” allow for finer control over the update rollout. “Configure Microsoft Update Managed Opt In” enables participation in a controlled feature rollout managed by Microsoft, leveraging diagnostic data to identify capable devices. The “Configure High Confidence Opt-Out” setting determines whether devices validated by Microsoft can be automatically targeted during monthly cumulative updates, often requiring diagnostic data to be sent to Microsoft. Careful configuration of these settings is essential for a smooth and controlled deployment.
Leveraging Compliance Policies for Secure Boot Enforcement
Beyond reporting and direct configuration, Microsoft Intune allows IT administrators to enforce Secure Boot as a compliance requirement. By creating a device compliance policy, organizations can ensure that all enrolled Windows devices meet the Secure Boot standard. This policy serves as a critical component of a Zero Trust security model, ensuring that only compliant devices can access organizational resources.
When creating a compliance policy for Windows 10 and later devices, administrators can navigate to the “Device health” section and select “Require Secure Boot to be enabled on the device”. This setting mandates that Secure Boot must be active for a device to be considered compliant. If a device fails this check, Intune can trigger specific actions, such as notifying the user, restricting access to corporate resources via Conditional Access, or marking the device for follow-up.
It’s important to note that the “Require Secure Boot” setting’s compliance status is typically measured at boot time. Therefore, even if a device meets the Secure Boot requirement, a reboot might be necessary for Intune to accurately report its compliant status. This ensures that the enforcement is based on the actual state of the device during its startup process.
Addressing Potential Issues and Error Codes
While Intune offers powerful tools for managing Secure Boot, administrators may encounter specific issues. One notable problem was Error Code 65000, which historically blocked Secure Boot configuration settings deployment on Pro editions of Windows 10 and 11. This error, often accompanied by event logs indicating the feature is unavailable for the edition, was addressed by a Microsoft Intune licensing service update in early 2026. Devices that received their license before this update might require a license renewal to resolve the issue immediately.
Another consideration is hardware compatibility. The “Require Secure Boot” compliance setting is supported on devices with TPM 1.2 and 2.0, with TPM 2.0 and UEFI firmware being requirements for accurate reporting. Devices lacking these capabilities or running on legacy BIOS instead of UEFI may be reported as non-compliant, even if Secure Boot is technically enabled. Administrators must ensure their hardware meets these prerequisites for effective compliance monitoring.
In some instances, reporting discrepancies can occur, where a device appears non-compliant in Intune despite local verification of Secure Boot status and updated certificates. This can be due to reporting delays, as the Intune Secure Boot report relies on telemetry data that is sent periodically rather than in real-time. Patience and manual verification on the device, or using custom scripts for more immediate feedback, may be necessary while these reporting mechanisms stabilize.
Proactive Remediation and Monitoring Strategies
For organizations seeking a more proactive approach to monitoring Secure Boot certificate updates, Microsoft Intune Remediations (part of Proactive Remediations) offers a powerful solution. This feature allows administrators to deploy detection scripts that collect detailed Secure Boot and certificate status from each device and report it back to the Intune portal. Crucially, these scripts are monitoring-only and do not perform any remediation actions themselves, providing a safe way to gather data.
The benefits of using Intune Remediations for Secure Boot monitoring include device-wide visibility, exportable results in CSV format, and the ability to view raw registry values and device context information like manufacturer and BIOS version. This granular data empowers IT admins to understand certificate rollout progress, identify devices with specific issues (e.g., “With issue” status indicating a lack of 2023 certificates), and plan targeted interventions. The detection script runs silently as SYSTEM, requiring no user interaction.
This proactive monitoring approach is invaluable as the June 2026 certificate expiration deadline approaches. It allows teams to track the rollout of the 2023 certificates across their Intune-enrolled Windows devices, ensuring that all endpoints are prepared well in advance. By identifying devices that are not updating correctly, administrators can address potential firmware or BIOS update needs, which are often the root cause of failed automated updates.
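A monitoring-only detection script of the kind described above, written here as an added example (it is not Microsoft's code nor a script from the original article). It assumes the `UEFICA2023Status` value under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` that Microsoft documents for Secure Boot certificate servicing, and it reports the 2023 CA presence by scanning the UEFI `db` variable; exit code 1 marks the device "With issue" in the Remediations report, 0 marks it as having no issue.

```powershell
# Intune Remediations detection script: monitoring only, never modifies the device.
# Added example for this article; assumes the Secure Boot servicing registry value
# UEFICA2023Status (NotStarted/InProgress/Updated) and the Get-SecureBootUEFI cmdlet.
# Exit 0 = no issue, exit 1 = "With issue"; stdout is captured as the detection output.

$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$cs   = Get-CimInstance Win32_ComputerSystem
$bios = Get-CimInstance Win32_BIOS
$result = [ordered]@{
    Manufacturer   = $cs.Manufacturer
    Model          = $cs.Model
    BiosVersion    = $bios.SMBIOSBIOSVersion
    SecureBoot     = 'Unknown'
    CA2023InDb     = $false
    ServicingState = 'NotPresent'
}

# Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not supported".
try {
    $result.SecureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
} catch {
    $result.SecureBoot = 'NotSupported'
}

# The signature database (db) is a raw byte blob; the new CA's subject name is
# embedded as ASCII inside its DER certificate, so a string scan is sufficient here.
if ($result.SecureBoot -eq 'Enabled') {
    try {
        $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
        $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
        $result.CA2023InDb = [bool]($dbText -match 'Windows UEFI CA 2023')
    } catch {
        $result.CA2023InDb = $false
    }
}

# Raw registry state written by the Windows servicing task, if the key exists yet.
$servicing = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
if ($servicing -and $servicing.PSObject.Properties['UEFICA2023Status']) {
    $result.ServicingState = $servicing.UEFICA2023Status
}

# Single-line output keeps the Remediations report column readable and CSV-exportable.
$summary = ($result.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
Write-Output $summary

# "With issue" when Secure Boot is off/unsupported or the 2023 CA has not landed in db.
if ($result.SecureBoot -ne 'Enabled' -or -not $result.CA2023InDb) { exit 1 }
exit 0
```

Deploy it as the detection script only, with no remediation script attached, so a failing device is surfaced in the report without any change being made on the endpoint.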
The Role of Firmware and BIOS Updates
While Intune can manage the deployment of Secure Boot certificate updates through the operating system, the underlying hardware firmware and BIOS play a critical role. In many cases, devices may not be capable of processing the Secure Boot certificate updates without an accompanying firmware or BIOS update from the OEM. This is because the Secure Boot certificates are stored within the UEFI firmware itself, and the firmware must be capable of accepting these signed updates.
IT administrators must therefore coordinate firmware updates with device manufacturers to ensure successful Secure Boot readiness. When devices are not capable of accepting the OS-driven changes due to firmware limitations or bugs, OEM intervention or a specific firmware update becomes necessary. Without this hardware-level support, automated OS updates for Secure Boot certificates may fail, leading to devices remaining in a non-compliant or vulnerable state.
The Intune Secure Boot status report can help identify these hardware-dependent issues. By correlating the report’s findings with device models and firmware versions, administrators can pinpoint devices that require firmware attention. This comprehensive approach, combining OS-level management with hardware considerations, is essential for a complete Secure Boot security strategy and for avoiding issues like the persistent Error 65000 that can arise from firmware incompatibility.
Integrating Secure Boot Status with Azure AD Join
The reporting and management capabilities of Microsoft Intune for Secure Boot status are particularly powerful when integrated with Azure Active Directory (Azure AD) join. Azure AD joined devices benefit from centralized identity management and conditional access policies, which can be further enhanced by device compliance data, including Secure Boot status. This integration allows for a more granular and secure approach to resource access.
When devices are Azure AD joined and enrolled in Intune, their compliance status, including whether Secure Boot is enabled and up-to-date, can be used as a condition in Azure AD Conditional Access policies. This means that access to sensitive corporate applications and data can be granted only to devices that meet specific security requirements, such as having Secure Boot properly configured. This forms a crucial part of a Zero Trust security framework.
By leveraging the Secure Boot status report within Intune, IT administrators can ensure that Azure AD joined devices are not only identified by their user but also validated for their security posture at the hardware level. This layered security approach significantly reduces the risk of unauthorized access and data breaches, ensuring that only trusted devices with a verified secure boot process can connect to organizational resources.