Windows Secure Boot certificate expiration: the Log Analytics dashboard
In this post, I will share a dashboard allowing you to monitor Windows Secure Boot certificate expiration on your Intune devices.
As you may know Secure Boot certificates will expire in June 2026.
I won't talk about this in this post because you can already find a lot of info on a log of sites.
See below some interesting posts:
https://www.tbone.se/2026/01/09/update-secure-boot-certificate-by-using-intune-remediation
https://patchmypc.com/blog/the-secure-boot-status-report-intune
https://blog.mindcore.dk/2026/02/windows-secure-boot-certificate-expiration-2026/
https://scloud.work/intune-secure-boot-certificate-updates/
In this post I will share a log Analytics dashboard to monitor status of thoses certificates on your devices.
You can see:
- Certificate status on devices
- BIOS minimum update status for certificate
- Secure Boot status
- UEFICA2023 cert deployment status
Certificate status on devices
Here we check the deployment status of the certificate using the below registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\UEFICA2023Status
BIOS minimum update status for certificate
In this part, we check the result of the below command:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
This command allows you to check if the dbdefault contains the "Windows UEFI CA 2023" cert.
It can be True or False:
- True: the device has the minimum BIOS version that
- False: the device does not have the minimum BIOS version
!!! This command may fail on some models or virtual machines
Secure boot status
In this part, we check devices with secure boot enabled or not.
Secure boot scheduled task
In this part, we check the status of the "Secure-Boot-Update" scheduled task.
Event logs
In this part, we check event IDs in the System event log:
1801: Update initiated, reboot required
1808: Update completed successfully
1795: Firmware returned error
1796: Error logged with error code
1800: Reboot needed
1802: Known firmware issue blocked update
1803: Matching KEK update not found
The solution
1. A remediation script
2. It's scheduled every day
2. It collects data
3. It sents data to Log Analytics
The dashboard
The dashboard is organized in two tabs:
- Overview
- Details
Overview
You will first have a quick resume of your status:
Below are the first count/graphs:
- Secure Boot certificate global status
- BIOS minimum update status for certificate
- Certificate found in ActiveDB
- Certificate found in ActiveDB
- Secure Boot status
- Secure Boot update scheduled task status
- UEFICA2023 cert deployment status
Then you can see:
- Models requiring BIOS update
- Models with BIOS uptodate
- Models requiring certificate update
- Models with certificate uptodate
Details
This tab gives you details about what to update and on which devices.
Devices with certificate not ready
Here we check the registry key UEFICA2023Status located in "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing".
The "Deployment status" corresponding to "UEFICA2023Status" has 3 values:
- Updated: The Secure Boot CA 2023 update complete. No action needed on your side.
- InProgress: The update is actively in progress. Waiting for a reboot or scheduled task execution.
- NoStarted: The deployment is planned, but the update has not yet run.
Devices with BIOS to update
Here we check the value from the below command: (Get-SecureBootUEFI dbdefault).bytes
The return of this command has 2 values:
- True: uptodate
- False: not uptodate
Devices with Secure Boot disabled
Sources to download
Click on the below GitHub picture to get following files:
- Workbook.json
- Detection.ps1
Log Analytics v1 info
This part is for sending data to Log Analytics using the Data Collector API.
This API is deprecated but you can still use it to monitor your Secure boot certificate.
In order to create this report we will need some information relative to the Log Analytics workspace.
See below required info:
- Workspace ID
- Primary key
- Name of the custom log
To get those information go to Log Analytics Workspace > Agents management
You will find both Workspace ID and Primary key.
The primary key part may be not visible, in this case proceed as below:
1. Go to Azure portal
2. Open Cloud shell
3. Type the below command:
az monitor log-analytics workspace get-shared-keys --resource-group <Your resource group> --workspace-name <Your workspace> --query "primarySharedKey"
Then we will proceed as below:
1. Open the file Detection.ps1
2. Fill below variables:
- $CustomerID: workspace ID
- $ShareKey: Primary key
Using Log Analytics v2
Data Collector API is deprecated.
Here I will show how to configure the Log Ingestion API.
Creating App registration
In this part will create an Entra app registration.
This app will be used to authenticate and send API calls to Log Analytics in order to send data.
For that we will proceed as below:
1. Go to the Entra portal
2. Go to App registration
3. Click on New registration
4. Type a name
5. Let by default
6. Click on Register
7. Go to Certificates & secrets
8. Go to Client secrets
9.Click on New client secret
10. Type a name
11. Choose a delay
12. Click on Add
13. Once created, copy the secret
Create data collection endpoint
1. Go to the Entra portal
2. Go to Monitor
3. Go to Data Collection Endpoints
4. Click on Create
5. Type a name
6. Choose a subscription, resource group, region
7. Click on Review+Create then Create
8. Once created, click on the DCE
9. Go to Overview
10. Copy the Logs Ingestion value
Create custom log (DCR)
Here we will create a new table based on a DCR.
The DCR (Data Collection Rule) is used to send data to this table.
DCRs specify for instance what data should be collected, how to transform that data, and where to send it.
When we create the DCR we need to specify the structure of the table from a JSON file.
We will proceed as below:
1. Go to your Log Analytics workspaces
2. Go to Settings > Tables
3. Click on Create
4. Click on New custom log (DCR based)
5. Type SecureBootCertificate
6. Click on Create a new data collection rule
7. Choose a Subscription, resource group
8. Type a Name for the DCR
9. Select the DCR
10. Click on Next
11. Click on Browse for files
12. Select SecureBootCertificate_CL.json
14. Click on Next then Create
15. Go to your DCR
16. Go to Overview
17. Click on JSON View (on the right side)
18. Copy the immutableId value
Now we need to give the application permission to use the DCR.
For that proceed as below:
1. Go to your DCR
2. Go to Access Control (IAM)
3. Click on Add role assignment
4. Check Monitoring Metrics Publisher
5. Click on Next
6. Check User, group, or service principal
7. Click on Select members
8. Select your app registration
9. Click on Review + assign
Creating the Remediation script
1. Go to Devices
4. Go to Remediations
5. Click on Create script package
6. Type a name
7. Click on Next
8. Click on Detection script file
9. To use Data Collector API, browse Detection.ps1
9. To use Log Ingestion API, browse Detection_LAv2.ps1
10. Click on Next
11. Select the group
12. Choose your schedule
13. Click on Apply
14. Click on Next
15. Click on Create
Adding the workbook
In this part we will add the report.
The report can be downloaded on GitHub, lin mentioned above.
See below reports available:
- For log Analytics v1: Workbook_LAv1.json
- For log Analytics v2: Workbook_LAv2.json
To add it, proceed as below:
1. Go to the Azure portal
2. Go to Log Analytics workspace
3. Go to your workspace
4. Go to Monitoring > Workbooks
5. Click on New
6. Go to Advanced editor
7. Remove content
8. Copy content from the json
9. Click on Apply
10. Click on Done editing > Save
2 commentaires
I am really interested in your reporting method. Can you dig a little deeper into creating the report? I am going to let policy take care of the keys that need to be changed
hi, please send me a mail at damien.vanrobaeys@gmail.com
Enregistrer un commentaire