If you manage Windows 11 devices through Windows Autopatch, you may have noticed a new alert appearing in your tenant: Secure Boot — certificate update required. This is not cosmetic. The older Microsoft Secure Boot certificates that many devices are still using are set to expire in 2026, and devices that do not move to the 2023 UEFI certificates will progressively lose the ability to receive new Secure Boot security protections.
What the alert says
The alert in the Autopatch Alerts and Remediations view reads:
Why Secure Boot certificates matter
Secure Boot uses a chain of trust enforced by UEFI firmware. At the core of this chain are two certificate stores:
- DB (Signature Database) — the list of trusted signatures allowed to boot. Contains the Microsoft UEFI CA certificate that allows signed operating systems and boot components to run.
- KEK (Key Exchange Key) — controls who is allowed to update the DB and DBX (the revocation list). Microsoft's KEK certificate is used to push out revocations of compromised boot components.
The older versions of these certificates are expiring. Once expired, Microsoft will no longer be able to issue new revocations through those certificates — meaning compromised boot components cannot be blocked on devices still using the old chain. New Secure Boot protections that Microsoft ships through the update process will also be blocked.
The new Secure Boot Status Report
Microsoft shipped a new Secure Boot Status Report in Windows Autopatch (GA — May 19, 2026). You can find it in:
Intune admin center → Reports → Windows Autopatch → Secure Boot Status
The report shows which of your managed devices are:
- Compliant — Secure Boot enabled, 2023 certificates in place
- Requires update — Secure Boot enabled but still on the older expiring certificates
- Secure Boot disabled — not protected by Secure Boot at all
Which devices are affected
Any device whose UEFI firmware has not yet been updated to include the new 2023 Secure Boot DB and KEK certificates is affected. This is typically driven by UEFI/BIOS firmware updates from your device manufacturer. Devices that have already received a firmware update containing the 2023 certificates are not affected.
Not affected:
- ✓ Devices with recent UEFI firmware updates
- ✓ New hardware purchased after mid-2024
- ✓ Devices that show compliant in the Secure Boot Status Report
Likely affected:
- ✗ Older hardware with no UEFI updates since 2022
- ✗ Devices where BIOS/UEFI updates are blocked or unmanaged
- ✗ Devices flagged in the Autopatch alert report
How to remediate
The fix is a UEFI firmware update from your device manufacturer that includes the 2023 Secure Boot DB and KEK certificates. Steps:
- Open the Secure Boot Status Report in Intune to identify affected devices and their models
- Check your device manufacturer's support site for UEFI/BIOS firmware updates for those models — Dell, HP, Lenovo, and Microsoft Surface have all published firmware updates that include the 2023 certificates
- Deploy the firmware update via Intune (Dell Command Update, HP BIOS Configuration Utility, Lenovo System Update, or manufacturer-provided Win32 app packages)
- Verify the device moves to compliant in the Secure Boot Status Report after the firmware update and restart
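As an added example (not code from this post, from Microsoft, or from Autopatch), the following PowerShell check reads a device's live UEFI DB and KEK variables and sorts it into the same three states the report uses, so you can confirm the result of step 4 on a single machine or run it as an Intune detection script. The two certificate subject strings and the function names are my assumptions and are not taken from the page.

```powershell
# Added check (not from the post): classify a device into the three states the
# Secure Boot Status Report uses, by reading the live UEFI DB and KEK variables.
# Requires the built-in SecureBoot module and an elevated PowerShell session.
# ASSUMPTION: the 2023 certificate subject strings below are what this check
# searches for inside the raw variable contents; confirm them against
# Microsoft's current Secure Boot CA documentation before relying on them.
$Db2023Name  = 'Windows UEFI CA 2023'
$Kek2023Name = 'Microsoft Corporation KEK 2K CA 2023'

function Test-UefiVariableContains {
    param([string]$Name, [string]$Pattern)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes. The X.509
    # certificates inside carry their subject names as plain ASCII, so a
    # substring match is enough to tell whether a given CA is present.
    $raw = (Get-SecureBootUEFI -Name $Name).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($raw) -match [regex]::Escape($Pattern))
}

function Get-SecureBootCertState {
    # Buckets mirror the report: Compliant / Requires update / Secure Boot disabled
    $enabled = $false
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as disabled
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }
    if (-not $enabled) {
        return [pscustomobject]@{ Device = $env:COMPUTERNAME; State = 'Secure Boot disabled'
                                  Db2023 = $false; Kek2023 = $false }
    }
    $db  = Test-UefiVariableContains -Name 'db'  -Pattern $Db2023Name
    $kek = Test-UefiVariableContains -Name 'kek' -Pattern $Kek2023Name
    # Only count the device as compliant when both the DB and the KEK carry
    # the 2023 certificates; a DB-only update still cannot receive new revocations.
    $state = if ($db -and $kek) { 'Compliant' } else { 'Requires update' }
    [pscustomobject]@{ Device = $env:COMPUTERNAME; State = $state; Db2023 = $db; Kek2023 = $kek }
}

Get-SecureBootCertState | Format-List
```

For an Intune detection script, exit with a non-zero code when State is not 'Compliant' so the device is reported as non-compliant and can be targeted for the firmware deployment.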