Secure Boot Expiry Alert: Detect Affected Devices Using Autopatch Reports
Written by Connor Dean | Modern Workplace Specialist
What is happening to Secure Boot certificates?
Secure Boot certificates are expiring this year. Recently built devices (manufactured 2023 and after) will likely not face any issues; however, most organisations will still have older infrastructure to patch, so you need to act now!
See the below article from Microsoft:
How long do I have?
These certificates will expire July 2026. After that point there will likely be a large influx of tickets.
What do I need to do?
Start capturing which devices are affected using the methods below, then remediate by deploying the fix via Intune Policy and other methods (Secure Boot Cert Expiry: Remediation - Intune Method).
Resources
Microsoft's Playbook: Microsoft Playbook Article
Detecting via Windows Autopatch Reports
If you have Windows Autopatch running on your Intune devices then it’s pretty simple to identify which devices need upgrading.
Start by logging into https://intune.microsoft.com.
Then navigate to the report by selecting ‘Reports’ in the side bar → then under ‘Windows Autopatch’ select ‘Windows quality updates’.
You should be on a screen like this:
Select ‘Reports’ next to open the next tab.
Then choose ‘Secure boot status’ (see below):
This will generate the Secure Boot report, which shows which devices require attention and updating.
The process for fixing the certificates can be seen in the next post.
Detecting via Detection Script
Alternatively, if you don’t have Windows Autopatch deployed then you can use a Detection Script.
Start by going to this link which contains the Microsoft recommended script for detecting the secure boot certificate status: Secure Boot Cert Expiry | Detection Script
Then, log into https://intune.microsoft.com.
Navigate to Scripts and Remediation by clicking ‘Devices’ → ‘Windows’ → under ‘Manage devices’ select ‘Scripts and remediations’.
You should then see your Remediations and Platform scripts.
Click ‘Create’. This will open a new window.
Enter a name and description for the script like below, then click next.
Upload the script file in the ‘Detection script file’ area. Leave the ‘Remediation script file’ blank.
Scroll down and ensure that ‘Run script in 64 bit PowerShell’ is set to ‘Yes’. Then click next.
Apply scope tags if necessary, click next.
Then select your devices to be monitored; since I have a small number of devices I have chosen ‘All Devices’.
Finally, click next, then review and create.
The script will run and report on devices; check back periodically to see if there are any hits.
If there are, you will need to remediate. This will be documented in a forthcoming guide.
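For readers who want to understand what a detection script of this kind does before uploading one, here is a minimal example written for this post. It is not Microsoft's recommended script and assumes only that the replacement CA appears by name ('Windows UEFI CA 2023') in the Secure Boot signature database (db); Intune treats exit code 0 as "no issue" and exit code 1 as "issue detected".

```powershell
# Added example: minimal Intune detection script for Secure Boot CA status.
# NOT Microsoft's recommended script. It checks whether the Secure Boot
# signature database (db) already contains the 2023 Windows UEFI CA, the
# certificate that replaces the expiring one.
# Intune remediation convention: exit 0 = no issue, exit 1 = issue detected.
# Run with the 'Run script in 64 bit PowerShell' option set to Yes, as the
# post describes; the script runs as SYSTEM, which the cmdlets require.

# Assumption: the common-name string of the 2023 CA is present as ASCII
# text inside the raw db variable, so a substring search is sufficient.
$NewCaName = 'Windows UEFI CA 2023'

try {
    # Secure Boot must be on; a device with it disabled is not considered
    # remediated, so report it for follow-up rather than marking it clean.
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Output 'Secure Boot is disabled on this device'
        exit 1
    }

    # Read the raw db variable and look for the 2023 CA name.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)

    if ($dbText -match [regex]::Escape($NewCaName)) {
        Write-Output "Compliant: '$NewCaName' present in Secure Boot db"
        exit 0
    }

    Write-Output "Non-compliant: '$NewCaName' not found in Secure Boot db"
    exit 1
}
catch {
    # Confirm-SecureBootUEFI / Get-SecureBootUEFI throw on legacy BIOS
    # (non-UEFI) devices; surface those so they show up in the report too.
    Write-Output "Unable to read Secure Boot state: $($_.Exception.Message)"
    exit 1
}
```

The Write-Output line becomes the "Pre-remediation detection output" column in the Intune remediations report, so the per-device reason for a hit is visible without opening each device.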