MC1293341: Assess Secure Boot certificate status with Microsoft Defender
Microsoft Defender now provides IT teams centralized visibility into Secure Boot 2023 certificate readiness across your device fleet. A new assessment categorizes your devices automatically as exposed, compliant, and not applicable. In the Defender portal, go to Exposure Management > Recommendations > Devices > Misconfigurations. For exposed devices, remediation guidance is directly available through the recommendation. When will this happen:
- The new Secure Boot 2023 certificate assessment is now available in Microsoft Defender.
- June 2026: Secure Boot 2011 certificates begin expiring and need to be replaced.
How this will affect your organization:When certificates expire in June 2026, devices that haven't transitioned to the newer Windows UEFI CA 2023 certificates will no longer be able to receive new security protections for the early boot process. To help organizations prepare, Microsoft Defender introduced a new recommendation that provides centralized visibility into Secure Boot 2023 certificate readiness across your device fleet. What you need to do to prepare:From the Microsoft Defender portal, go to Exposure Management > Recommendations > Devices > Misconfigurations. Find the new recommendation “Ensure devices are updated to Secure Boot 2023 certificates and boot manager”. From the recommendation view, you can:
- Drill down into exposed devices and identify exactly which systems require attention.
- Filter by OS platform and device context to prioritize remediation efforts.
- Export device data to share with infrastructure and platform teams.
- Track rollout progress across your organization.
- Integrate findings into existing security posture workflows.
Additional information:
- Learn more at Preparing for Secure Boot 2023 with Microsoft Defender.
- Learn more about Microsoft Secure Score for Devices - Microsoft Defender Vulnerability Management.
- Visit the comprehensive Secure Boot guidance at https://aka.ms/GetSecureBoot.