Intune Secure Boot Status Report

The Secure Boot Status Report states:

“The affected devices have Secure Boot enabled but are using Microsoft Secure Boot certificates that expire in 2026.”

Given this scope, we would appreciate clarification on the following:

Why does the report include a Secure Boot enabled filter and values such as Unknown or Not applicable if the report is intended to cover devices with Secure Boot enabled?

Can Microsoft confirm the exact meaning of the following states:

Up to date

Not up to date

Not applicable

Secure Boot enabled = Unknown

Under which conditions can a firmware-ready device remain in Not applicable for an extended period (e.g., telemetry delays, firmware validation, recent BIOS changes)?

Our intent is to correctly interpret the report and align remediation actions with Microsoft’s expected behavior ahead of the Secure Boot enforcement milestones.