
How to Ensure devices have firmware updates that support Secure Boot 2023

Gatere Kigamwa 5 Reputation points
2025-09-16T11:46:21.58+00:00

We are seeking clarification. Microsoft announced that Secure Boot certificates will expire in June 2026, and one of the requirements for devices to continue receiving Secure Boot security updates is to ensure devices have firmware updates that support Secure Boot 2023. https://support.microsoft.com/en-gb/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

The question is: is there a way we can look at the settings on a device and determine whether it meets this requirement or not, rather than checking each device against the manufacturer? Also, is there a way to quickly automate the collection of this data?

 


1 answer

  1. Henry Mai 7,890 Reputation points Independent Advisor
    2025-09-16T13:51:11.8433333+00:00

    Hello Gatere, I am Henry and I want to share my insight about this issue.

    There is no single "Compliant: Yes/No" flag in Windows for Secure Boot 2023. Compliance depends on whether the device’s firmware (BIOS/UEFI) has been updated by the manufacturer to include the new Secure Boot certificates.

    How to Check a Single Device

    1. System Information (GUI):
       • Press Windows Key + R, type msinfo32, and press Enter.
       • Check BIOS Version/Date, then compare against the OEM’s support site.
    2. PowerShell (Command Line): Get-CimInstance -ClassName Win32_BIOS | Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate
       • This gives manufacturer, BIOS version, and release date.
       • Note: Confirm-SecureBootUEFI only shows if Secure Boot is enabled, not if it’s 2023-compliant.

    How to Automate Data Collection (for multiple devices)

    • PowerShell Script: Query Win32_BIOS and Win32_ComputerSystem remotely, export results to CSV.
    • Microsoft Intune (Endpoint Manager): Firmware info is collected under Devices > Hardware. Use Proactive Remediations or reporting to check at scale.
    • SCCM / MECM: Hardware Inventory already gathers BIOS version. Reports or collections can identify non-compliant machines.

    I hope this information is helpful.
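The bulk collection the answer outlines (remote Win32_BIOS and Win32_ComputerSystem query, results exported to CSV), written out as an added example; this is not code from the original answer. It assumes PowerShell Remoting (WinRM) is enabled on every target and that the account running it is a local administrator there; the host names in $Computers and the output path are placeholders. Beyond the BIOS fields, the per-host collector also records whether Secure Boot is on and, as an extra check the answer does not list, whether the "Windows UEFI CA 2023" certificate already appears in the UEFI signature database (db) read with Get-SecureBootUEFI. The BIOS version still has to be compared against each OEM's published list by hand; the script only gathers the data and groups the hosts for that comparison.

```powershell
# Added example, not from the original answer. Collects firmware and Secure Boot
# facts from a list of hosts over PowerShell Remoting and writes them to a CSV.
# Assumptions: WinRM is enabled on every target, the caller is a local admin
# there, and the host names below are placeholders for a real inventory.

$Computers = @('PC01', 'PC02', 'PC03')                  # placeholder names
$OutFile   = Join-Path $PWD 'SecureBootInventory.csv'   # placeholder path

# Runs on each target. Each probe is wrapped so that one failure (legacy BIOS,
# CSM mode, missing SecureBoot module) does not lose the rest of the row.
$Collector = {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # Confirm-SecureBootUEFI throws on legacy BIOS / CSM systems; keep $null there.
    $sbEnabled = $null
    try { $sbEnabled = Confirm-SecureBootUEFI } catch { }

    # Look for the 2023 Windows UEFI CA in the Secure Boot signature database (db).
    # The variable comes back as raw bytes; the certificate's subject name sits in
    # plain ASCII inside the DER blob, so a substring match is sufficient.
    $ca2023InDb = $null
    try {
        $dbBytes    = (Get-SecureBootUEFI -Name db).Bytes
        $ca2023InDb = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
    } catch { }

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        Status          = 'OK'
        Manufacturer    = $cs.Manufacturer
        Model           = $cs.Model
        BIOSVersion     = $bios.SMBIOSBIOSVersion
        BIOSReleaseDate = $bios.ReleaseDate
        SecureBootOn    = $sbEnabled
        CA2023InDb      = $ca2023InDb
        CollectedAt     = (Get-Date).ToString('s')
    }
}

# Fan out to all hosts at once. Hosts that do not answer are added as explicit
# 'Unreachable' rows rather than silently missing from the report.
$reached = @(Invoke-Command -ComputerName $Computers -ScriptBlock $Collector `
                 -ErrorAction SilentlyContinue)

$unreached = $Computers | Where-Object { $_ -notin $reached.PSComputerName }
$rows = $reached + @($unreached | ForEach-Object {
    [PSCustomObject]@{
        ComputerName    = $_
        Status          = 'Unreachable'
        Manufacturer    = $null
        Model           = $null
        BIOSVersion     = $null
        BIOSReleaseDate = $null
        SecureBootOn    = $null
        CA2023InDb      = $null
        CollectedAt     = (Get-Date).ToString('s')
    }
})

# Fixed column order so every row lands in the CSV with the same header.
$rows | Sort-Object ComputerName |
    Select-Object ComputerName, Status, Manufacturer, Model, BIOSVersion,
                  BIOSReleaseDate, SecureBootOn, CA2023InDb, CollectedAt |
    Export-Csv -Path $OutFile -NoTypeInformation

# Console triage: reachable hosts that do not yet carry the 2023 CA, grouped by
# manufacturer and model, is the list to take to the OEM support sites.
$rows | Where-Object { $_.Status -eq 'OK' -and -not $_.CA2023InDb } |
    Group-Object Manufacturer, Model |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

For a single machine, run the collector locally from an elevated prompt with `& $Collector`; Get-SecureBootUEFI needs administrator rights, which is why the Status and CA2023InDb columns are kept separate: an empty CA2023InDb on an OK row means the db could not be read (legacy BIOS or insufficient rights), not that the certificate is absent. The BIOSVersion and BIOSReleaseDate columns are what you match against the OEM's Secure Boot 2023 firmware list; the script does not decide compliance on its own.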

