Microsoft Adds Secure Boot Status Reporting to Intune for IT Admins



Microsoft is making it easier for IT administrators to monitor Secure Boot status across managed Windows devices. The new reporting arrives alongside the company's rollout of replacement Secure Boot certificates, since the certificates most PCs have trusted since 2011 begin expiring later this year.

Secure Boot has returned to the spotlight because, once the old certificates expire, devices that have not received the replacements can no longer accept newly signed boot manager and Secure Boot revocation updates, leaving them exposed to bootkits and other firmware-level attacks. Secure Boot ensures a PC runs only firmware and a bootloader whose signatures chain to trusted certificates, and it remains a core hardware requirement for Windows 11 alongside TPM 2.0.

Secure Boot reporting arrives in Intune

According to Neowin, Microsoft has introduced a new Secure Boot status report inside the Microsoft Intune admin center, giving IT teams clearer visibility into device readiness.

Admins can find the report by navigating to Intune admin center > Reports > Windows Autopatch > Windows quality updates. The new view focuses on Secure Boot health across managed fleets and highlights devices that may need attention before certificate expiration causes issues.

The report shows which devices have Secure Boot enabled, which systems are fully up to date, and which devices require Secure Boot certificate updates. Admins can also drill down to see exactly which certificates are outdated, removing guesswork from remediation planning.
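For admins who want to answer the same questions for a single device (is Secure Boot on, which Microsoft CAs are in the UEFI db and KEK, and are the 2023 replacements present yet), the following PowerShell script is an added example; it is not part of the article and not Microsoft's Intune report. It assumes an elevated PowerShell 5.1 or 7 session on a UEFI Windows 10/11 device. The CA subject names are Microsoft's published certificate subjects; the `UEFICA2023Status` value under the `SecureBoot\Servicing` registry key is the one Microsoft uses to record rollout state and is assumed to be absent on builds that have not yet received the servicing logic.

```powershell
# Added example (not from the article or Microsoft): local Secure Boot certificate check.
# Run elevated on a UEFI Windows 10/11 device (PowerShell 5.1 or 7).

# Replacement (2023) and expiring (2011) Microsoft Secure Boot CAs, by certificate CN.
$Certs2023 = @('Microsoft Windows UEFI CA 2023', 'Microsoft UEFI CA 2023',
               'Microsoft Option ROM UEFI CA 2023', 'Microsoft Corporation KEK 2K CA 2023')
$Certs2011 = @('Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011',
               'Microsoft Corporation KEK CA 2011')

function Get-EfiSignatureListCerts {
    # Parse a UEFI signature database blob (db, dbx or KEK): a sequence of EFI_SIGNATURE_LIST
    # structures, each = SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4)
    # | SignatureSize (4) | header | N x (SignatureOwner GUID (16) + SignatureData).
    param([Parameter(Mandatory)][byte[]]$Blob, [string]$Store = 'db')

    $EfiCertX509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $out    = New-Object System.Collections.Generic.List[object]
    $offset = 0
    while ($offset + 28 -le $Blob.Length) {
        $type       = [guid]::new([byte[]]$Blob[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Blob, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Blob, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Blob, $offset + 24)
        # Bail out on a malformed list instead of reading past the end of the variable.
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Blob.Length) { break }
        if ($type -eq $EfiCertX509 -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                $der = New-Object byte[] ($sigSize - 16)            # skip the SignatureOwner GUID
                [Array]::Copy($Blob, $pos + 16, $der, 0, $der.Length)
                $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $out.Add([pscustomobject]@{
                    Store    = $Store
                    Subject  = $x509.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
                    NotAfter = $x509.NotAfter
                })
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $out
}

function Get-SecureBootCertStatus {
    # Confirm-SecureBootUEFI throws on legacy-BIOS systems; treat that as Secure Boot off.
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { $enabled = $false }
    $result = [ordered]@{
        SecureBootEnabled = $enabled
        ServicingStatus   = $null
        Missing2023       = @()
        Present2011       = @()
        NeedsCertUpdate   = $false
        Certificates      = @()
    }
    if (-not $enabled) {
        # As the article notes, no certificate action is needed while Secure Boot is off.
        return [pscustomobject]$result
    }
    $certs = @(Get-EfiSignatureListCerts -Blob (Get-SecureBootUEFI -Name db).Bytes -Store 'db') +
             @(Get-EfiSignatureListCerts -Blob (Get-SecureBootUEFI -Name KEK).Bytes -Store 'KEK')
    $subjects = @($certs | ForEach-Object Subject)
    $result.Certificates = $certs
    $result.Missing2023  = @($Certs2023 | Where-Object { $_ -notin $subjects })
    $result.Present2011  = @($Certs2011 | Where-Object { $_ -in $subjects })
    # Rollout state recorded by Windows servicing (assumption: value absent on unserviced builds).
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $result.ServicingStatus = $svc.UEFICA2023Status
    # The device still needs the update while the signer replacing
    # 'Microsoft Windows Production PCA 2011' for the boot manager is not yet trusted.
    $result.NeedsCertUpdate = ('Microsoft Windows UEFI CA 2023' -in $result.Missing2023)
    return [pscustomobject]$result
}

$status = Get-SecureBootCertStatus
$status | Select-Object SecureBootEnabled, ServicingStatus, NeedsCertUpdate, Missing2023, Present2011 | Format-List
$status.Certificates | Sort-Object NotAfter | Format-Table Store, Subject, NotAfter -AutoSize
# Used as an Intune remediation detection script: exit 1 flags the device for remediation.
if ($status.NeedsCertUpdate) { exit 1 } else { exit 0 }
```

The parser walks the raw EFI_SIGNATURE_LIST layout rather than searching for subject strings, so it also works on dbx or on OEM-added entries, and it stops at the first malformed list rather than trusting the length fields blindly. The `NotAfter` column makes the expiring 2011 entries visible directly, independent of any registry state, which is the check to run on devices the Intune report cannot see.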

Focused on Windows Autopatch environments

The Secure Boot report applies only to devices managed through Windows Autopatch, which makes it a proactive management tool rather than a general diagnostic feature; devices outside Autopatch still have to be inventoried another way. Devices without Secure Boot enabled are reported as needing no certificate action, since the UEFI certificates are not enforced while Secure Boot is off, though they become relevant as soon as Secure Boot is turned on.

For supported devices, the report surfaces detailed metadata, including device name and model, OS version, Microsoft Entra device ID, system board information, manufacturer details, and current firmware or BIOS versions.

The new reporting capability helps administrators understand Secure Boot adoption across their organization, identify Secure Boot–enabled devices that need certificate updates, and plan firmware or BIOS update strategies with greater confidence. By flagging potential issues early, IT teams can reduce security risk and avoid disruptions tied to expired Secure Boot certificates.

In other Microsoft management news, the company is testing the KB5072046 update that would allow administrators to remove Copilot on managed devices, while Microsoft 365 admins will soon be required to use multi-factor authentication or lose access.
