What is Secure Boot?
Secure Boot is a core Windows security feature that helps protect devices from malicious software during startup. When Secure Boot is enabled, the system firmware (UEFI) verifies that only trusted, digitally signed components are allowed to load as the device starts. This helps prevent boot-level malware and ensures that Windows starts using known good, securely signed code.
Secure Boot relies on digital certificates that are stored in the system firmware. These certificates must remain up to date to ensure continued protection and compatibility with Windows security updates.
Why Secure Boot status matters
As Windows security evolves, some Secure Boot certificates are updated or replaced to address emerging threats and strengthen platform protections. Devices that have Secure Boot enabled but are missing required certificate updates may encounter compatibility or security issues over time.
The Secure Boot status report in Windows Autopatch is designed to help IT admins understand the Secure Boot posture of their fleet and identify devices that may require attention—before issues occur.
Learn more about Windows Secure Boot certificate expiration and CA updates.
Secure Boot status report overview
The Secure Boot status report provides a device-level view of Secure Boot across your Windows Autopatch-managed devices. It helps answer three key questions:
- Which devices have Secure Boot enabled?
- Which Secure Boot-enabled devices are fully up to date?
- Which Secure Boot-enabled devices need certificate updates?
For each device, the report shows whether Secure Boot is enabled or not. Devices that do not have Secure Boot enabled do not require any action.
To locate this report:
- Go to the Intune admin center.
- Navigate to Reports > Windows Autopatch > Windows quality updates.
- Select the Reports tab.
- Select Secure Boot status.
Devices with Secure Boot enabled
For devices where Secure Boot is enabled, the report further indicates whether the device’s Secure Boot certificates are up to date.
- If a device is Secure Boot enabled and up to date, no action is required.
- If a device is Secure Boot enabled but not up to date, the report allows you to drill in and view exactly which Secure Boot certificates are outdated.
Selecting the devices in this state provides visibility into the specific certificates that need updating, helping you understand the scope and nature of the remediation required. Learn more about Secure Boot certificate update guidance for IT professionals and organizations.
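The report aggregates, per device, the same two facts an admin can check locally: whether Secure Boot is on, and which certificates are present in the firmware's authorized signature database (db). The following PowerShell is an added example, not code from Windows Autopatch or this documentation; it assumes the built-in SecureBoot module on a UEFI Windows device, an elevated session, and treats the `$expectedCaPattern` value as an assumption to adjust to the CA names in Microsoft's current guidance.

```powershell
# Added example (not from the Windows Autopatch docs): list the X.509 certificates
# in this device's Secure Boot db so the "Certificate status" column can be checked locally.
function Get-SecureBootDbCertificates {
    $db = (Get-SecureBootUEFI -Name db).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset -lt $db.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then three UINT32 sizes
        $type     = [guid]::new([byte[]]$db[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($db, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($db, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($db, $offset + 24)
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos -lt $end) {
            if ($type -eq $x509Guid) {
                # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the DER certificate;
                # hash-type lists (non-X.509) are skipped
                $der  = [byte[]]$db[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

# Devices without Secure Boot need no certificate action, mirroring the report's behaviour.
try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }
if (-not $enabled) {
    'Secure Boot is not enabled; certificate updates do not apply to this device.'
    return
}

$certs = Get-SecureBootDbCertificates
$certs | Sort-Object NotAfter | Format-Table Subject, NotAfter -AutoSize

# Assumption: the updated CA subject contains this text; replace with the names from Microsoft's guidance.
$expectedCaPattern = 'UEFI CA 2023'
if ($certs.Subject -match $expectedCaPattern) {
    "Up to date: a certificate matching '$expectedCaPattern' is present in db."
} else {
    "Not up to date: no certificate matching '$expectedCaPattern' found in db."
}
```

The NotAfter column shows which certificates are approaching expiry, which is the condition the report's "Not up to date" status is meant to surface before it causes problems.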
Devices without Secure Boot enabled
If a device does not have Secure Boot enabled, no action is required from a Secure Boot certificate readiness perspective. These devices are included in the report for visibility, but Secure Boot certificate updates only apply to devices where Secure Boot is enabled.
How this report helps IT admins
The Secure Boot status report helps IT admins:
- Understand Secure Boot adoption across their environment
- Identify Secure Boot-enabled devices that need certificate updates
- Plan firmware and BIOS update strategies with confidence
- Reduce risk by addressing Secure Boot readiness proactively
By centralizing this information in Windows Autopatch, admins can more easily monitor Secure Boot readiness and take informed, targeted action where needed—without unnecessary remediation or guesswork.
Secure Boot status report columns
The Secure Boot status report includes a set of default columns that are shown for all customers, as well as optional columns that can be added to the view for deeper hardware and firmware insight.
Default columns
These columns are shown by default and are designed to help IT admins quickly understand Secure Boot coverage and certificate readiness across their devices.
| Column name | Description |
|---|---|
| Device name | The name of the device. |
| OS version | The Windows operating system version running on the device. |
| Microsoft Entra device ID | The Microsoft Entra device ID associated with the device. |
| Secure Boot enabled | Indicates whether Secure Boot is enabled on the device. |
| Certificate status | An aggregate status showing whether Secure Boot certificates on the device are Up to date, Not up to date, or Not applicable. This column is selectable; selecting it opens a context pane with details about which Secure Boot certificates are out of date, when applicable. |
| Device model | The commercial model of the device. |
Optional columns
These columns can be added to the report to provide more detailed hardware and firmware context. They are helpful for troubleshooting, hardware correlation, and advanced analysis, but are not required for understanding Secure Boot status.
| Column name | Description |
|---|---|
| Device manufacturer | The device manufacturer reported by the OEM. |
| System board manufacturer | The manufacturer of the device’s system board (motherboard). |
| Model family | The device product family or product line. |
| System board model | The specific system board model used in the device. |
| System board version | The version or revision of the system board. |
| Device SKU | The OEM SKU that identifies a specific hardware configuration. |
| Firmware manufacturer | The manufacturer of the device’s firmware (BIOS/UEFI). |
| Firmware version | The currently installed firmware (BIOS/UEFI) version. |
| Firmware release date | The release date of the installed firmware version. |