Event details
Hi,
Question 1
I'd like to know when the report in Intune will be complete. You've got something in the works but no announcement on it or on when it will be ready. Currently the report is not working properly (as can be expected given it is not complete), but time is moving closer to the deadline.
Info
https://patchmypc.com/blog/the-secure-boot-status-report-coming-soon-to-intune/
Link to report
https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/securebootreport.reactview
Question 2
Will the report have more useful information than what is in there currently? I don't want to just see if it has the new cert or not; I want to see the steps I need to take, such as, if a device does not have the certificate, is the BIOS up to date? This can be done to varying degrees via a custom compliance policy, but it is not easy for a few reasons.
- Intune only allows you to use a custom compliance script for one policy, and we have 30+ laptop models out there, all with different minimum BIOS versions. It can be done anyway by making duplicated scripts, but it is messy.
- Different vendors report their BIOS versions to Windows differently. For Dell and Surface it is easy to make a version check because they report, for example, that a Dell 5420 needs a minimum BIOS version of 1.31.0, so I can do a greater-than-or-equal version check against that, easy. Lenovo, however, name their firmware like R1TET46W (v1.25); I can't do a version check against that, and a string check would also not be helpful, as the text characters change from version to version, not just the version number.
Ideally, we want something that has the following in the report.
- Is the device fully compliant, i.e. has a BIOS version that is current enough and has the keys / Intune policy set to start using them for Windows?
- If not, why not?
- Is it that the BIOS version is not up to date? If so, what is on the device, and what is the minimum version required from the vendor? Something like "meets minimum BIOS revision: compliant or not compliant".
- If the BIOS is current, is it just that the keys are not set correctly so Windows knows to set the new Secure Boot certificate?
- What about devices that will never get BIOS updates because they are out of support? Can that information be presented in the report?
Question 3
What are the actual impacts on devices which do not have everything completed by the time the deadline rolls around?
Will they be unable to boot? Will we be unable to install fresh Windows? Will it continue ticking away but be insecure, i.e. someone could bypass Secure Boot if they had physical access to the device?
Question 4
This seems important enough that it should have a built-in compliance policy in Intune to check going forward if the certificate is valid and current.
Thank you! :)
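One way to get the per-device picture asked for in Question 2 from a single Intune custom compliance discovery script, as an added example that is not part of the post and not Microsoft's or Patch My PC's code: it normalizes vendor BIOS strings to a comparable version, looks the model up in one minimum-version table (so one script can cover many models), and checks the Secure Boot signature database for the 2023 CA. Assumptions: the table entries other than the Dell 5420 value from the post are hypothetical; Lenovo's string is assumed to carry a dotted number in parentheses as in "R1TET46W (1.25)"; the certificate name "Windows UEFI CA 2023" is the CA the deadline concerns, which the post does not name.

```powershell
# Added example, not the poster's or Microsoft's code. Discovery script for an
# Intune custom compliance policy: outputs compressed JSON that the policy's
# JSON rules file evaluates. Model table is hypothetical except the Dell 5420 row.
$MinBios = @{
    'Latitude 5420'      = '1.31.0'  # value from the post
    'ThinkPad X1 Carbon' = '1.25'    # hypothetical row; Lenovo versions are parsed below
}

function Get-NormalizedBiosVersion {
    param([string]$Raw)
    # Dell/Surface already report a dotted version. Lenovo reports a build ID such as
    # "R1TET46W (1.25 )": take the dotted number in parentheses and ignore the letters,
    # which is what makes a greater-than-or-equal comparison possible across vendors.
    # Assumption: every vendor string contains at least one dotted number.
    if ($Raw -match '\(\s*v?(\d+(?:\.\d+)+)\s*\)') { return [version]$Matches[1] }
    if ($Raw -match '(\d+(?:\.\d+)+)')            { return [version]$Matches[1] }
    return $null
}

function Test-NewSecureBootCa {
    # The UEFI signature database (db) is a byte blob; the new CA's subject name
    # appears in it as plain ASCII once the device has been updated.
    try {
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        return [bool]($db -match 'Windows UEFI CA 2023')
    } catch {
        return $false   # Secure Boot disabled, legacy BIOS, or cmdlet unavailable
    }
}

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
# Assumption: Win32_ComputerSystem.Model matches the table key. Lenovo devices report a
# machine-type number here; key the table on Win32_ComputerSystemProduct.Version for them.
$have = Get-NormalizedBiosVersion -Raw $bios.SMBIOSBIOSVersion
$need = if ($MinBios.ContainsKey($cs.Model)) { [version]$MinBios[$cs.Model] } else { $null }

$result = [ordered]@{
    BiosVersion      = "$have"
    MinimumRequired  = "$need"
    ModelKnown       = ($null -ne $need)   # false: unlisted or out-of-support model
    BiosMeetsMinimum = ($null -ne $need -and $null -ne $have -and $have -ge $need)
    Has2023Ca        = Test-NewSecureBootCa
}
$result | ConvertTo-Json -Compress
```

Reporting ModelKnown and MinimumRequired alongside the pass/fail flags is what lets the compliance view say why a device fails rather than only that it does.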