Windows Secure Boot certificate expiration: the Log Analytics dashboard
In this post, I will share a dashboard allowing you to monitor Windows Secure Boot certificate expiration on your Intune devices.
As you may know, the current Secure Boot certificates will expire in June 2026.
I won't go into the background in this post because you can already find a lot of info on a lot of sites.
See below some interesting posts:
https://www.tbone.se/2026/01/09/update-secure-boot-certificate-by-using-intune-remediation
https://patchmypc.com/blog/the-secure-boot-status-report-intune
https://blog.mindcore.dk/2026/02/windows-secure-boot-certificate-expiration-2026/
https://scloud.work/intune-secure-boot-certificate-updates/
In this post I will share a Log Analytics dashboard to monitor the status of those certificates on your devices.
You can see:
- Certificate status on devices
- BIOS minimum update status for certificate
- Secure Boot status
- UEFICA2023 cert deployment status
Certificate status on devices
Here we check the deployment status of the certificate using the below registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status
BIOS minimum update status for certificate
In this part, we check the result of the below command:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
This command allows you to check if the dbdefault contains the "Windows UEFI CA 2023" cert.
It can be True or False:
- True: the device has the minimum BIOS version (the dbdefault contains the Windows UEFI CA 2023 cert)
- False: the device does not have the minimum BIOS version
Secure boot status
In this part, we check devices with secure boot enabled or not.
Secure boot scheduled task
In this part, we check the status of the "Secure-Boot-Update" scheduled task.
Event logs
In this part, we check event IDs in the System event log:
1801: Update initiated, reboot required
1808: Update completed successfully
1795: Firmware returned error
1796: Error logged with error code
1800: Reboot needed
1802: Known firmware issue blocked update
1803: Matching KEK update not found
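As an added example (not the post's own Detection.ps1), the function below collects every data point described in the sections above into one object: the UEFICA2023Status registry value, the Secure Boot state, whether dbdefault and the active db contain the Windows UEFI CA 2023 cert, the state of the Secure-Boot-Update scheduled task, and the most recent Secure Boot servicing event from the System log. Property names such as DbDefaultHasCA2023 are my own choice; Get-SecureBootUEFI and Confirm-SecureBootUEFI throw on legacy BIOS devices, which the try/catch blocks handle.

```powershell
# Added example, not the post's Detection.ps1. Run elevated on a UEFI device.
function Get-SecureBootCertStatus {
    $result = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        UEFICA2023Status   = 'Unknown'   # Updated / InProgress / NotStarted
        SecureBootEnabled  = $null
        DbDefaultHasCA2023 = $null       # minimum BIOS check: dbdefault carries the 2023 CA
        DbHasCA2023        = $null       # active db carries the 2023 CA
        TaskState          = 'NotFound'  # state of the Secure-Boot-Update task
        LastEventId        = $null
        LastEventTime      = $null
    }

    # 1. Deployment status written by Windows under the Servicing key
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $reg = Get-ItemProperty -Path $regPath -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue
    if ($reg) { $result.UEFICA2023Status = [string]$reg.UEFICA2023Status }

    # 2. Secure Boot state (the cmdlet throws if the firmware does not support Secure Boot)
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false }

    # 3. Does the firmware default db / the active db contain the Windows UEFI CA 2023 cert?
    #    The subject name is stored as a printable string inside the DER-encoded cert,
    #    so an ASCII match on the raw variable bytes is enough for this check.
    foreach ($var in 'dbdefault', 'db') {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var).Bytes
            $found = [System.Text.Encoding]::ASCII.GetString($bytes) -match 'Windows UEFI CA 2023'
        } catch { $found = $false }
        if ($var -eq 'dbdefault') { $result.DbDefaultHasCA2023 = $found } else { $result.DbHasCA2023 = $found }
    }

    # 4. State of the Secure-Boot-Update scheduled task (Ready / Running / Disabled ...)
    $task = Get-ScheduledTask -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    if ($task) { $result.TaskState = [string]$task.State }

    # 5. Most recent Secure Boot servicing event in the System log, using the IDs listed above.
    #    Get-WinEvent returns newest first, so -MaxEvents 1 gives the latest one.
    $ids = 1795, 1796, 1800, 1801, 1802, 1803, 1808
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($evt) {
        $result.LastEventId   = $evt.Id
        $result.LastEventTime = $evt.TimeCreated.ToUniversalTime().ToString('o')
    }

    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

The object this returns is the record you would serialize to JSON and send to the custom log; a device is "ready" when UEFICA2023Status is Updated and SecureBootEnabled is True, while a False DbDefaultHasCA2023 points at a BIOS update rather than a certificate update.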
The solution
1. A remediation script
2. It's scheduled every day
3. It collects data
4. It sends data to Log Analytics
The dashboard
The dashboard is organized in two tabs:
- Overview
- Details
Overview
You will first have a quick summary of your status:
Below are the first count/graphs:
- Secure Boot certificate global status
- BIOS minimum update status for certificate
- Certificate found in ActiveDB
- Secure Boot status
- Secure Boot update scheduled task status
- UEFICA2023 cert deployment status
Then you can see:
- Models requiring BIOS update
- Models with BIOS up to date
- Models requiring certificate update
- Models with certificate up to date
Details
This tab gives you details about what to update and on which devices.
Devices with certificate not ready
Here we check the registry key UEFICA2023Status located in "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing".
The "Deployment status" corresponding to "UEFICA2023Status" has 3 values:
- Updated: The Secure Boot CA 2023 update is complete. No action needed on your side.
- InProgress: The update is actively in progress, waiting for a reboot or for the scheduled task to run.
- NotStarted: The deployment is planned, but the update has not yet run.
Devices with BIOS to update
Here we check the result of the "Windows UEFI CA 2023" match on the bytes returned by the command (Get-SecureBootUEFI dbdefault).bytes, as described above.
The check has 2 values:
- True: up to date
- False: not up to date
Devices with Secure Boot disabled
Sources to download
Click on the GitHub picture below to get the following files:
- Workbook.json
- Detection.ps1
Log Analytics information
In order to create this report we will need some information about the Log Analytics workspace.
See below the required info:
- Workspace ID
- Primary key
- Name of the custom log
To get that information, go to Log Analytics Workspace > Agents management.
You will find both Workspace ID and Primary key.
Then we will proceed as below:
1. Open the file Detection.ps1
2. Fill below variables:
- $CustomerID: workspace ID
- $ShareKey: Primary key
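As an added example (not the post's Detection.ps1), this is how the two variables above are used to push one record into a custom log with the HTTP Data Collector API: the request is signed with an HMAC-SHA256 over the method, content length, content type, date and resource path, keyed with the base64-decoded primary key. The variable names $CustomerID and $ShareKey follow the post; the function name, the custom log name SecureBootCertStatus and the sample record are my own constructed values.

```powershell
# Added example, not the post's Detection.ps1. Fill in the two values from Agents management.
$CustomerID = '<workspace-id>'          # Log Analytics Workspace ID
$ShareKey   = '<primary-key-base64>'    # Primary key (base64)
$LogType    = 'SecureBootCertStatus'    # custom log name; shows up as SecureBootCertStatus_CL

function Send-LogAnalyticsRecord {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [Parameter(Mandatory)][string]$SharedKey,
        [Parameter(Mandatory)][string]$LogType,
        [Parameter(Mandatory)][string]$JsonBody
    )
    $method      = 'POST'
    $contentType = 'application/json'
    $resource    = '/api/logs'
    $rfc1123date = [DateTime]::UtcNow.ToString('r')
    $bodyBytes   = [Text.Encoding]::UTF8.GetBytes($JsonBody)

    # Signature string required by the Data Collector API:
    # "POST\n<Content-Length>\napplication/json\nx-ms-date:<RFC1123 date>\n/api/logs"
    # Content-Length is the byte length of the body, which is what the service sees.
    $stringToHash = "$method`n$($bodyBytes.Length)`n$contentType`nx-ms-date:$rfc1123date`n$resource"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $signature = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToHash)))
    $authorization = 'SharedKey {0}:{1}' -f $WorkspaceId, $signature

    $uri = "https://$WorkspaceId.ods.opinsights.azure.com$resource?api-version=2016-04-01"
    $headers = @{
        'Authorization'        = $authorization
        'Log-Type'             = $LogType
        'x-ms-date'            = $rfc1123date
        'time-generated-field' = 'TimeGenerated'   # field in the record used as the event time
    }
    $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType `
        -Headers $headers -Body $bodyBytes -UseBasicParsing
    return $response.StatusCode   # 200 means the record was accepted
}

# Constructed sample record; in the real script this comes from the collection step
$record = [pscustomobject]@{
    TimeGenerated      = [DateTime]::UtcNow.ToString('o')
    ComputerName       = $env:COMPUTERNAME
    UEFICA2023Status   = 'NotStarted'
    SecureBootEnabled  = $true
    DbDefaultHasCA2023 = $false
}
$json = ConvertTo-Json -InputObject @($record) -Compress
Send-LogAnalyticsRecord -WorkspaceId $CustomerID -SharedKey $ShareKey -LogType $LogType -JsonBody $json
```

The primary key authorizes writes to the whole workspace, so keep it out of any script that is readable on the device beyond what the remediation needs, and rotate it from Agents management if it is ever exposed. The body is always sent as a JSON array, which is what the endpoint expects even for a single record.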
Creating the Remediation script
There are two files Detection.ps1 and Remediation.ps1
The Detection file will check devices with less than 20% of free disk space.
The Remediation script will be executed only for devices with less than 20% of free disk space.
1. Go to Devices
2. Go to Remediations
3. Click on Create script package
4. Type a name
5. Click on Next
6. Click on Detection script file
7. Browse Detection.ps1
8. Click on Next
9. Select the group
10. Choose your schedule
11. Click on Apply
12. Click on Next
13. Click on Create
Adding the workbook
In this part we will add the report.
The report can be downloaded from GitHub, using the link mentioned above.
The report is the file: Workbook.json
To add it, proceed as below:
1. Go to the Azure portal
2. Go to Log Analytics workspace
3. Go to Workbooks
4. Click on New
5. Go to Advanced editor
6. Remove content
7. Go to the GitHub link
8. Click on the copy button as below
9. Click on Apply
10. Click on Done editing > Save