Microsoft has shipped a significant enhancement to Windows Autopatch, delivering a new Secure Boot status report that gives Intune administrators device-level insight into certificate readiness, trust configurations, and deployment risk. The update, now rolling out to all Autopatch tenants, breaks down the health of Secure Boot across managed endpoints and surfaces alerts for any device that falls out of compliance.

The new report arrives as organizations increasingly rely on Secure Boot to protect firmware-level integrity. By adding granular visibility directly into the Autopatch dashboard, Microsoft is reducing the effort required to audit and maintain a secure boot environment—especially important ahead of major certificate updates and Windows release rollouts.

What Is Windows Autopatch?

Windows Autopatch is a cloud service that automates the deployment of Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Teams updates. It frees IT teams from manual update ring creation and testing by using its own deployment cadence, intelligently pausing rollouts if issues are detected. Autopatch also handles feature updates and driver rollouts, all managed through the Microsoft Intune admin center.

The service groups devices into deployment rings—Test, First, Fast, and Broad—and progressively releases updates, monitoring health signals along the way. The new Secure Boot status report plugs into this health monitoring pipeline, giving admins a proactive tool for assessing device readiness before updates that depend on Secure Boot integrity, such as Windows 11 major releases or security patches.

Why Secure Boot Matters Now More Than Ever

Secure Boot is a firmware-level security check that verifies the digital signature of every component loaded during the boot process. It stops unsigned or malicious code from executing before the operating system starts. With the steady rise of rootkit and bootkit attacks, keeping Secure Boot properly configured is critical.

Microsoft has periodically updated the Secure Boot certificates used to sign boot loaders and drivers. Most recently, the Certificate Authority (CA) migration required admins to ensure devices had the latest certificates installed to avoid boot failures. Any device missing updated certificates or with a misconfigured trust store could fail to boot after a policy change or firmware update. The new Autopatch report surfaces exactly that kind of risk, turning a previously opaque check into a clear compliance metric.

Device-Level Visibility into Certificate Status

The heart of the update is a per-device view of Secure Boot certificate status. For each enrolled device, admins can now see whether:

  • The Secure Boot certificate store is fully up to date with the latest Microsoft CA certificates.
  • All required trusted boot chain certificates are present and valid.
  • Any device-specific certificates, such as those from third-party hardware vendors, are properly enrolled.
  • Certificate expiration dates are within an acceptable window, preventing sudden boot failures.

This level of detail was previously available only by running MMC snap-ins or PowerShell scripts locally on devices. Now it surfaces directly in the Intune admin center under the Autopatch blade, alongside other compliance and health signals.

Trust Configuration and Rollout Confidence

Beyond simple certificate presence, the report evaluates the overall trust configuration of the Secure Boot policy. That includes:

  • Whether the system’s Secure Boot is enabled and correctly configured to require digitally signed binaries.
  • Whether the platform key (PK) and key exchange key (KEK) match expected values for corporate devices.
  • Whether Secure Boot is in audit mode (which allows unsigned code to run but logs it) or fully enforced.

From these data points, Autopatch computes a rollout confidence score for each device and for the fleet as a whole. This score indicates how likely a device is to safely receive the next round of updates without Secure Boot-related interruptions. IT teams can set a minimum confidence threshold and use it as a gate for deploying feature updates or security rollups. Devices falling below the threshold automatically trigger alerts and can be held back from deployment rings.
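The local check that the report now centralizes, as an added example that is not Microsoft's code and not part of Autopatch: this PowerShell script parses a Secure Boot UEFI variable (db by default, or KEK/PK for the key-exchange check above) into its EFI_SIGNATURE_LIST entries and lists each X.509 certificate's subject, thumbprint and expiry for one device. It assumes an elevated session on a UEFI machine with the built-in SecureBoot module; the 180-day expiry window is an assumed threshold.

```powershell
# Added example (not Microsoft's or the Autopatch service's code): walk the
# EFI_SIGNATURE_LIST structures in a Secure Boot variable and list the X.509 certs.
# Assumes an elevated PowerShell session on a UEFI device (SecureBoot module built in).

# EFI_CERT_X509_GUID: signature type for DER-encoded X.509 certificates
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    param([ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Variable = 'db')
    $bytes  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) followed by
        # SignatureListSize, SignatureHeaderSize and SignatureSize (UINT32 each)
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }    # malformed list: stop instead of looping forever
        $pos = $offset + 28 + $hdrSize
        $end = [Math]::Min($offset + $listSize, $bytes.Length)
        while ($pos + $sigSize -le $end) {
            if ($type -eq $X509Guid -and $sigSize -gt 16) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes), then the DER certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

try { if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this device' } }
catch { Write-Warning "Secure Boot state could not be read: $_" }

$certs = Get-SecureBootCertificates -Variable db
$certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# Assumed threshold: flag certificates that expire within 180 days
$certs | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(180) } |
    ForEach-Object { Write-Warning "Expiring soon: $($_.Subject) ($($_.NotAfter.ToShortDateString()))" }
```

Run it with `-Variable KEK` or `-Variable PK` to compare the enrolled keys against the values your organization expects for its corporate devices.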

Proactive Alerts and Remediation Guidance

The report feeds into the existing Autopatch alerting framework. When a device’s Secure Boot status changes—for instance, a certificate expires or is removed—an alert fires in the tenant’s notification stream. Alerts also trigger when the trust configuration changes unexpectedly, which could indicate tampering or a misconfiguration.

Each alert includes a detailed description of the issue and links to step-by-step remediation guidance. Typical remediation might involve:

  • Redeploying the latest Secure Boot certificate package via Intune.
  • Running a PowerShell script to reset the Secure Boot policy to factory defaults.
  • Rebuilding the device’s key database if corruption is detected.
  • Checking for hardware-specific firmware updates that include new Secure Boot certificates.

For bulk remediation, admins can export the list of affected devices and use Intune’s group targeting to push fixes. Because the report is updated every time a device syncs with the service, progress is visible in near real time.

How to Access the Secure Boot Status Report

Admins can find the new report inside the Microsoft Intune admin center under Reports > Windows Autopatch > Device compliance. The Secure Boot dashboard shows aggregate metrics—number of devices with up-to-date certificates, number requiring attention, and the overall rollout confidence percentage. Drilling into any segment reveals the per-device details, with columns for each certificate field and trust status.

The report is automatically enabled for all tenants using Windows Autopatch. No additional licensing is required beyond the Windows Enterprise E3 or E5 licenses that already cover Autopatch. Data is collected as part of the normal Autopatch health assessment and does not require a new service to be configured.

Integration with Endpoint Security Policies

The Secure Boot report works hand-in-glove with Intune’s existing Endpoint Security policies for Secure Boot. Admins can now use the report’s findings to tighten policy enforcement. For example, if the report shows a significant number of devices running Secure Boot in audit mode, an admin can create or update a policy to enforce full Secure Boot and assign it to those devices.

Moreover, the report can be combined with attack surface reduction rules to isolate devices that fail Secure Boot checks. Conditional Access policies can require that only devices with a high rollout confidence score access corporate resources, adding a dynamic compliance boundary.

Practical Scenarios and Early Feedback

Early testers have highlighted several use cases where the new report proves invaluable:

  • Certificate rollovers: When Microsoft updates the Secure Boot CA certificates, admins can proactively identify devices that haven’t received the update and push the new certificates before they become mandatory.
  • Hardware refresh: On new device models, Secure Boot may be enabled but with non-standard keys from the OEM. The report flags these configurations so admins can reconfigure them to organizational standards.
  • Compliance audits: Instead of manually gathering Secure Boot compliance evidence, audit-ready reports can be exported directly from the dashboard.
  • Incident response: Alerts triggered by a sudden loss of Secure Boot trust on a device can indicate a compromised system, enabling quick isolation.

Feedback from the community has been largely positive, with many administrators praising the reduction in manual checks. Some users have requested the ability to customize the rollout confidence threshold per deployment ring, a feature Microsoft is reportedly considering for a future update.

What This Means for IT Administrators

For IT teams already using Windows Autopatch, the Secure Boot status report is a timesaver and a risk reducer. It moves Secure Boot management from reactive troubleshooting to proactive oversight. The rollout confidence metric, in particular, allows admins to balance update velocity with security—speeding up deployments on devices that are fully ready while holding back risky ones.

For organizations still evaluating Autopatch, this addition strengthens the value proposition. The ability to monitor Secure Boot at scale without additional infrastructure or agent installation lowers the barrier to maintaining a hardened boot environment.

Looking Ahead

Microsoft’s investment in Secure Boot visibility likely signals broader intentions. As Windows 11 evolves and security baselines become more stringent, expect Secure Boot status to become a standard compliance pillar alongside BitLocker, antivirus, and firewall settings. The integration of such data into Autopatch hints at a future where automated remediation of Secure Boot issues is possible—for example, Autopatch could automatically push certificate updates to devices that fall behind.

Additionally, the Secure Boot report might eventually feed into the broader Microsoft Secure Score, giving security administrators a unified view of endpoint hygiene.

For now, administrators should explore the new report, set baseline expectations for their fleet, and configure alerts to stay ahead of Secure Boot problems. The days of discovering a boot failure only when a device doesn’t start are, for Autopatch customers, a thing of the past.