# Secure Boot Expiry Alert: Detect Affected Devices Using Autopatch Reports

## What is happening to Secure Boot certificates?

Secure Boot certificates are expiring this year. Recently built devices (manufactured 2023 and after) will likely not face any issues however most organisations will likely have older infrastructure to patch, you need to act now!

See the below article from Microsoft:

[Microsoft Playbook Article](https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856)

### How long do I have?

These certificates will expire July 2026. After that point there will likely be a large influx of tickets.

### What do I need to do?

Start capturing which devices are expiring using the methods below, then remediate by deploying the fix via Intune Policy + other methods ([Secure Boot Cert Expiry: Remediation - Intune Method](https://www.connordean.co.uk/secure-boot-cert-expiry-remediation-intune))

### Resources

Microsoft's Playbook: [Microsoft Playbook Article](https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235#community-4469235-_option1)

* * *

## Detecting via Windows Autopatch Reports

If you have Windows Autopatch running on your Intune devices then it’s pretty simple to identify which devices need upgrading.

Start by logging into [https://intune.microsoft.com](https://intune.microsoft.com).

Then navigate to the report by selecting ‘Reports’ in the side bar → then under ‘Windows Autopatch’ select ‘Windows quality updates’.

You should be on a screen like this:

![Reports View - Windows quality updates](https://cdn.hashnode.com/uploads/covers/69c01ab5d9da55a9a5b416d5/f82a54c0-c815-46f2-b5ac-d4894b410846.png align="center")

Select ‘Reports’ next to open the next tab.

Then choose ‘Secure boot status’ (see below):

![Secure Boot Status under Reports](https://cdn.hashnode.com/uploads/covers/69c01ab5d9da55a9a5b416d5/509c664f-762d-4253-bda7-328b994b6805.png align="center")

This will show/generate the Secure Boot report which allows you to see which devices require attention and updating.

![Secure Boot Status Report](https://cdn.hashnode.com/uploads/covers/69c01ab5d9da55a9a5b416d5/69fb0fbd-f8f4-4736-8cfe-3119bee233ca.png align="center")

The process for fixing the certificates can be seen in the next post.

* * *

## Detecting via Detection Script

Alternatively, if you don’t have Windows Autopatch deployed then you can use a Detection Script.

Start by going to this link which contains the Microsoft recommended script for detecting the secure boot certificate status: [Secure Boot Cert Expiry | Detection Script](https://support.microsoft.com/en-gb/topic/sample-secure-boot-inventory-data-collection-script-d02971d2-d4b5-42c9-b58a-8527f0ffa30b)

Then, log into [https://intune.microsoft.com](https://intune.microsoft.com).

Navigate to Scripts and Remediation by clicking ‘Devices’ → ‘Windows’ → under ‘Manage devices’ select ‘Scripts and remediations’.

You should then see your Remediations and Platform scripts.

![Scripts and remediations](https://cdn.hashnode.com/uploads/covers/69c01ab5d9da55a9a5b416d5/57a35f01-a76d-4d51-96c0-3cf404c8eb99.png align="center")

Click ‘Create’. This will open a new window.

Enter a name and description for the script like below, then click next.

![Name and Description for Script](https://cdn.hashnode.com/uploads/covers/69c01ab5d9da55a9a5b416d5/1b52fb51-021b-4a9c-b473-a5465263ac4f.png align="center")

Upload the script file, in the ‘Detection script file’ area. Leave the ‘Remediation script file’ blank.

![Detection Script upload](https://cdn.hashnode.com/uploads/covers/69c01ab5d9da55a9a5b416d5/51cda3b3-f9fc-48aa-a6e4-515e3ad40281.png align="center")

Scroll down and ensure that ‘Run script in 64 bit PowerShell’ is set to ‘Yes'. Then click next.

![Script parameters](https://cdn.hashnode.com/uploads/covers/69c01ab5d9da55a9a5b416d5/ff2f9657-d9d7-4826-9c70-9c0089d22604.png align="center")

Apply scope tags if necessary, click next.

Then select your devices to be monitored, since I have a small amount of devices I have chosen ‘All Devices’.

Finally, click next, then review and create.

The script will run and will report on devices, check back periodically to see if there are any hits.

If there are, then you will need to remediate, this will be documented in a forthcoming guide.

![Detection Script statuses](https://cdn.hashnode.com/uploads/covers/69c01ab5d9da55a9a5b416d5/0f7403ec-9276-4055-a607-3ff0a3f2b2b0.png align="center")
