
Streamline Your Endpoint Security: Automating Secure Boot Compliance with Intune

Understanding Secure Boot: A Security Standard to Protect Against Malware and Ensure System Integrity During Startup.

Secure Boot is a UEFI security standard that ensures only trusted, signed software loads during system startup. You can enforce Secure Boot across Intune-managed devices using configuration profiles or PowerShell remediation scripts. Below, I’ve provided the explanation, deployment steps, a sample script, and both a flowchart and infographic for clarity.


🔐 What is Secure Boot?

  • Definition: Secure Boot validates the digital signatures of bootloaders, drivers, and the OS kernel before allowing them to run.

  • Purpose: Prevents rootkits, malware, and unauthorized code from loading during startup.

  • Mechanism: Firmware checks signatures against trusted OEM or Microsoft certificates.


📊 How to Push Secure Boot via Intune


Option 1: Intune Configuration Profile

  1. Go to Endpoint Manager Admin Center.

  2. Create a Device Configuration Profile → Windows 10/11 → Endpoint Protection.

  3. Under UEFI Secure Boot, set to Require.

  4. Assign the profile to target device groups.


Option 2: Intune Remediation with PowerShell

  • Use detection and remediation scripts to check Secure Boot status and flag devices where it is disabled (Secure Boot itself is a firmware setting; see the note under the sample script).

  • Microsoft recommends monitoring Secure Boot certificate readiness and updating to 2023 certificates before June 2026 expiration.


💻 Sample PowerShell Script


# Check Secure Boot status. Confirm-SecureBootUEFI returns $true/$false on UEFI
# systems and throws on legacy BIOS/CSM or unsupported platforms, so catch that case.
try {
    $SBStatus = Confirm-SecureBootUEFI
} catch {
    Write-Output "Secure Boot not available (legacy BIOS or non-UEFI firmware): $($_.Exception.Message)"
    exit 1
}

if ($SBStatus -eq $false) {
    # There is no in-OS cmdlet that turns Secure Boot on (Confirm-SecureBootUEFI has
    # no -Enable parameter); the setting lives in firmware setup or OEM BIOS
    # management tooling, which is vendor-specific and not shown here.
    Write-Output "Secure Boot is disabled. Firmware (BIOS/UEFI) configuration is required."
    exit 1
} else {
    Write-Output "Secure Boot is already enabled."
    exit 0
}


⚠️ Note: Actual enabling may depend on OEM firmware settings. Some devices require manual BIOS/UEFI configuration.

🔄 Secure Boot Flow (Simplified)

  1. System Firmware Initializes

  2. UEFI checks bootloader signature

    • ✅ Valid → Continue

    • ❌ Invalid → Block boot

  3. Bootloader verified against trusted certificates

  4. OS kernel loads only if signed

  5. Unauthorized code blocked

(See attached flowchart for visualization.)


⚠️ Key Considerations

  • Firmware dependency: Some OEMs lock Secure Boot settings in BIOS; Intune cannot override hardware restrictions.

  • Certificate updates: Ensure Secure Boot certificates are updated before June 2026 to avoid system boot failures.

  • Monitoring: Use Intune reporting to track compliance and remediation success.


⚙️ Step-by-Step Intune Remediation Package Guide


Step 1: Prepare the Scripts

You’ll need two PowerShell scripts — one for detection and one for remediation.


Detection Script (SecureBoot_Detect.ps1)

This script checks whether Secure Boot is enabled on the device.


# SecureBoot_Detect.ps1
# Exit 0 = compliant, exit 1 = non-compliant (Intune then runs the remediation script).
try {
    $SBStatus = Confirm-SecureBootUEFI
} catch {
    # Legacy BIOS/CSM mode: the cmdlet throws, which is itself a non-compliant state.
    Write-Output "Non-Compliant: Secure Boot not available ($($_.Exception.Message))."
    exit 1
}

if ($SBStatus -eq $true) {
    Write-Output "Compliant: Secure Boot is enabled."
    exit 0
} else {
    Write-Output "Non-Compliant: Secure Boot is disabled."
    exit 1
}


Remediation Script (SecureBoot_Remediate.ps1)

This script re-checks the Secure Boot state and reports devices that need firmware configuration. Secure Boot cannot be switched on from inside Windows, so the remediation's job is to confirm the state and return a non-zero exit code that flags the device in Intune reporting.


# SecureBoot_Remediate.ps1
# Secure Boot is a firmware setting: no built-in Windows cmdlet can enable it, so this
# script re-checks the state and reports whether firmware configuration (manual
# BIOS/UEFI setup or vendor-specific OEM management tooling, not shown) is needed.
try {
    $SBStatus = Confirm-SecureBootUEFI
} catch {
    Write-Output "Confirm-SecureBootUEFI unsupported on this device (legacy BIOS or non-UEFI firmware)."
    exit 1
}

if ($SBStatus -eq $false) {
    Write-Output "Secure Boot is disabled. Manual BIOS/UEFI configuration is required."
    exit 1    # non-zero so Intune reports the remediation as failed and flags the device
} else {
    Write-Output "Secure Boot already enabled."
    exit 0
}


Step 2: Create the Remediation Package in Intune

  1. Navigate to: Endpoint Manager Admin Center → Devices → Scripts → Proactive Remediations.

  2. Click Create Script Package.

  3. Enter a name like “Secure Boot Compliance Check”.

  4. Upload both scripts:

    • Detection: SecureBoot_Detect.ps1

    • Remediation: SecureBoot_Remediate.ps1

  5. Assign to Windows 10/11 devices or specific device groups.

  6. Schedule frequency (e.g., daily or weekly) for compliance checks.


Step 3: Monitor Results

  • Go to Reports → Endpoint Analytics → Proactive Remediations.

  • Review compliance status under Secure Boot Compliance.

  • Devices failing remediation can be flagged for manual BIOS configuration.


Step 4: Optional — Certificate Update Monitoring

To ensure long-term compliance, monitor Secure Boot certificate validity. Microsoft's 2023 UEFI CA certificates replace the older 2011 ones, which expire in June 2026. Use Intune scripts from the MicrosoftIntune GitHub repository (github.com).
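As an added example (not code from the original post), the following detection script combines the Secure Boot check from Step 1 with the certificate readiness check from this step, so that a device with Secure Boot on but still trusting only the 2011 certificates is reported as non-compliant. The certificate subject names are the ones Microsoft's guidance for the 2023 CA rollout documents; confirm them against current documentation for your tenant, and assume the script runs as 64-bit SYSTEM, the default for remediations.

```powershell
# SecureBoot_CertReadiness_Detect.ps1 (added example, not from the original post)
# Reports Secure Boot state plus whether the 2023 Microsoft certificates are present
# in the UEFI KEK and db variables. Exit 1 marks the device non-compliant in Intune.
# Assumption: the subject-name strings below follow Microsoft's published guidance
# for the 2023 CA update; adjust them if your guidance names them differently.
$RequiredCerts = @{
    'KEK' = 'Microsoft Corporation KEK 2K CA 2023'
    'db'  = 'Windows UEFI CA 2023'
}

function Test-SecureBootVariableContains {
    param([string]$Name, [string]$Subject)
    # Get-SecureBootUEFI returns the raw variable; the signature database holds
    # DER-encoded certificates, so an ASCII scan for the subject name is enough here.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject))
}

try {
    $sbEnabled = Confirm-SecureBootUEFI
} catch {
    Write-Output "Non-Compliant: Secure Boot unavailable (legacy BIOS/CSM?): $($_.Exception.Message)"
    exit 1
}

if (-not $sbEnabled) {
    Write-Output "Non-Compliant: Secure Boot is disabled."
    exit 1
}

$missing = foreach ($var in $RequiredCerts.Keys) {
    try {
        if (-not (Test-SecureBootVariableContains -Name $var -Subject $RequiredCerts[$var])) { $var }
    } catch {
        "$var (unreadable: $($_.Exception.Message))"
    }
}

if ($missing) {
    # Secure Boot is on but the device still trusts only the 2011 certificates:
    # surface it now so it can be updated before the June 2026 expiry.
    Write-Output "Non-Compliant: Secure Boot enabled, 2023 certificates missing in: $($missing -join ', ')"
    exit 1
}

Write-Output "Compliant: Secure Boot enabled and 2023 certificates present in KEK and db."
exit 0
```

Upload it as the detection script of a separate remediation package so the certificate state shows up as its own column in the Proactive Remediations report.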


🧠 Key Takeaways

  • Detection scripts identify non-compliant devices.

  • Remediation scripts attempt automated fixes.

  • Reporting provides visibility into Secure Boot status across endpoints.

  • Firmware dependency: Some devices require manual BIOS configuration.

  • Certificate updates: Ensure Secure Boot certificates are refreshed before June 2026.




Disclaimer: The above content is created at Tek-Doyen's sole discretion. Razorpay shall not be liable for any content provided here and shall not be responsible for any claims and liability that may arise due to merchant’s non-adherence to it.
