Now that we have identified secure boot certificates that are due for expiry in the previous article (Secure Boot Cert Expiry: Detection), we can remediate them using the steps below.

The easiest way to do this is via an Intune Policy which I will document here. Other methods are possible and can be found in the playbook linked below.

Resources

Playbook: Microsoft Playbook Article

Deploying the Intune Policy

Log in to https://intune.microsoft.com/

Navigate to ‘Devices’ → ‘Windows’ → ‘Configuration’

Click ‘Create’ and select Platform: ‘Windows 10 and later’, Profile Type: ‘Settings Catalog’ and choose ‘Create’ again.

Enter a name and description.

Add the settings, in the search enter ‘Secure boot’. Then select the 3 settings, see their descriptions below:

• Enable SecureBoot Certificate Updates - This policy controls whether Windows initiates the Secure Boot certificate deployment process on devices.

• Configure Microsoft Update Managed Opt In - This policy allows your organization to participate in a Controlled Feature Rollout of Secure Boot certificate update managed by Microsoft.

• Configure High Confidence Opt-Out - This policy controls whether Secure Boot certificate updates are applied automatically through Windows monthly security and non-security updates.

I will be enabling the first two and will leave ‘Configure High Confidence Opt-Out’ disabled.

Further details can be seen here: Intune Method for Secure Boot Cert Fix | Microsoft Support

Then assign this to your devices, this will then allow them to receive the new certificates.

This can then be monitored by your remediation script or Windows Autopatch report mentioned in part 1.

Verifying Success

Go to the previously created remediation script or the Windows Autopatch report and wait for an update on if the device needs action.

If after a few syncs it is still reporting incorrectly then further diagnosis might be required.

It should look like this once successful.

Report

Detection Script

Secure Boot certificates are expiring this year. Recently built devices (manufactured 2023 and after) will likely not face any issues however most organisations will likely have older infrastructure to patch, you need to act now!

See the below article from Microsoft:

Microsoft Playbook Article

How long do I have?

These certificates will expire July 2026. After that point there will likely be a large influx of tickets.

What do I need to do?

Start capturing which devices are expiring using the methods below, then remediate by deploying the fix via Intune Policy + other methods (Secure Boot Cert Expiry: Remediation - Intune Method)

Resources

Microsoft's Playbook: Microsoft Playbook Article

Detecting via Windows Autopatch Reports

If you have Windows Autopatch running on your Intune devices then it’s pretty simple to identify which devices need upgrading.

Start by logging into https://intune.microsoft.com.

Then navigate to the report by selecting ‘Reports’ in the side bar → then under ‘Windows Autopatch’ select ‘Windows quality updates’.

You should be on a screen like this:

Select ‘Reports’ next to open the next tab.

Then choose ‘Secure boot status’ (see below):

This will show/generate the Secure Boot report which allows you to see which devices require attention and updating.

The process for fixing the certificates can be seen in the next post.

Detecting via Detection Script

Alternatively, if you don’t have Windows Autopatch deployed then you can use a Detection Script.

Start by going to this link which contains the Microsoft recommended script for detecting the secure boot certificate status: Secure Boot Cert Expiry | Detection Script

Then, log into https://intune.microsoft.com.

Navigate to Scripts and Remediation by clicking ‘Devices’ → ‘Windows’ → under ‘Manage devices’ select ‘Scripts and remediations’.

You should then see your Remediations and Platform scripts.

Click ‘Create’. This will open a new window.

Enter a name and description for the script like below, then click next.

Upload the script file, in the ‘Detection script file’ area. Leave the ‘Remediation script file’ blank.

Scroll down and ensure that ‘Run script in 64 bit PowerShell’ is set to ‘Yes'. Then click next.

Apply scope tags if necessary, click next.

Then select your devices to be monitored, since I have a small amount of devices I have chosen ‘All Devices’.

Finally, click next, then review and create.

The script will run and will report on devices, check back periodically to see if there are any hits.

If there are, then you will need to remediate, this will be documented in a forthcoming guide.