After reading a great article about Updating Secure Boot Certificates via Intune from my pal Mark over at Ctrl+Alt_Delete Tech Bits, I thought it would be best to check the status of my devices, to see which ones are likely to cause me issues or may need a bit of extra supervision along the way.
After hours of messing about with the Secure Boot Status page, trying desperately to ‘see something’, it appears Microsoft have pulled the plug on it. In the last few days it seems to have disappeared, with no word on whether it is coming back!
Not to worry, I’ve created a tutorial below on how you can poll devices via Intune and import their status into a SharePoint List. This gives you instant data on whether a device has Secure Boot enabled and whether the 2023 certificate is present.
Step 1: Create SharePoint List
Create a SharePoint List called “Secure Boot Status”
Add the following fields:
| Column name | Type |
|---|---|
| DeviceName | Single line text |
| Manufacturer | Single line text |
| Model | Single line text |
| FirmwareVersion | Single line text |
| SecureBootSupported | Yes / No |
| SecureBootEnabled | Yes / No |
| UEFICA2023Present | Yes / No |
| Status | Choice (Compliant, At Risk, Not Supported) |
| Notes | Multiple lines of text |
| LastCheckIn | Date & Time |
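If you would rather script the list than click through the UI, the following creates the same list and columns with the PnP.PowerShell module. This is an added example, not part of the original post; it assumes PnP.PowerShell is installed and that you have an Entra app registration to sign in with (`$SiteUrl` and `$ClientId` are placeholders). The internal column names are kept identical to the JSON keys the flow receives, so the Update Item / Create Item actions in Step 2 map one-to-one with the HTTP trigger fields.

```powershell
# Added example (not from the original post): build the "Secure Boot Status" list
# with PnP.PowerShell. $SiteUrl and $ClientId are placeholders you must replace.
$SiteUrl  = "https://contoso.sharepoint.com/sites/IT"   # placeholder
$ClientId = "<your-app-registration-client-id>"         # placeholder
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId

$ListTitle = "Secure Boot Status"
New-PnPList -Title $ListTitle -Template GenericList | Out-Null

# Column definitions mirroring the Step 1 table. Internal names match the JSON
# keys posted by the Intune script so the flow actions need no renaming.
$columns = @(
    @{ Name = "DeviceName";          Type = "Text" }
    @{ Name = "Manufacturer";        Type = "Text" }
    @{ Name = "Model";               Type = "Text" }
    @{ Name = "FirmwareVersion";     Type = "Text" }
    @{ Name = "SecureBootSupported"; Type = "Boolean" }
    @{ Name = "SecureBootEnabled";   Type = "Boolean" }
    @{ Name = "UEFICA2023Present";   Type = "Boolean" }
    @{ Name = "Status";              Type = "Choice"; Choices = @("Compliant", "At Risk", "Not Supported") }
    @{ Name = "Notes";               Type = "Note" }
    @{ Name = "LastCheckIn";         Type = "DateTime" }
)

foreach ($c in $columns) {
    $params = @{
        List             = $ListTitle
        DisplayName      = $c.Name
        InternalName     = $c.Name
        Type             = $c.Type
        AddToDefaultView = $true
    }
    if ($c.Choices) { $params.Choices = $c.Choices }   # only the Status column has choices
    Add-PnPField @params | Out-Null
}

# Show what was created so you can compare it against the table above
$names = $columns | ForEach-Object { $_.Name }
Get-PnPField -List $ListTitle |
    Where-Object { $_.InternalName -in $names } |
    Select-Object Title, InternalName, TypeAsString
```

Run it once from an admin workstation; the final `Get-PnPField` output should list the ten columns with the types from the table.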
Step 2: Create Flow
Go to Power Automate and click Create > Instant cloud flow.
Call it something descriptive like “SBS Logging” and select the trigger ‘When an HTTP request is received’.
Open up the trigger properties and click Use sample payload to generate schema.
Paste in the following:
```json
{
  "DeviceName": "PC-01",
  "Manufacturer": "Dell Inc.",
  "Model": "Latitude 5420",
  "FirmwareVersion": "1.28.0",
  "SecureBootSupported": true,
  "SecureBootEnabled": true,
  "UEFICA2023Present": false,
  "Status": "At Risk",
  "Notes": "Microsoft UEFI CA 2023 missing",
  "Timestamp": "2026-02-09T14:10:22Z"
}
```
Change ‘Who can trigger this flow’ to Anyone. (Don’t worry, we will secure this with an API key header.)
Add a Condition action after the trigger.
In the left-hand value, press / and add this expression:
triggerOutputs()?['headers']?['x-api-key']
In the middle select is equal to, and in the right-hand value add a unique long key (just don’t forget to note it down).
Add a Get Items (SharePoint) action and connect it to the SharePoint list you created in Step 1.
Under Advanced parameters select Filter Query and add the following:
DeviceName eq '@{triggerBody()?['DeviceName']}'
Now add a ‘Condition’ to your flow with the following condition:
Dynamic expression Get Items/Body is greater than 0
Under True add a new Update Item action and select the SharePoint list from earlier. Use the ID from “Get Items” in the ID field.
Fill in the rest of the fields using fields from the HTTP trigger.
Repeat the process in the No branch, but with Create Item instead of Update Item.
Save your Flow.
Open up the trigger properties again and copy the HTTP URL. Note this down.
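Before rolling anything out through Intune, it is worth generating the key properly and posting one test row to confirm the flow writes to the list. The snippet below is an added example, not part of the original post: `New-ApiKey` produces a random 32-byte key from the OS CSPRNG (the value you paste into the Condition and into the script in Step 3), and `Send-TestPayload` posts the same sample payload used to generate the trigger schema. The flow URL is a placeholder.

```powershell
# Added example (not from the original post). $FlowUrl is a placeholder for the
# HTTP POST URL copied from the trigger; the key is whatever New-ApiKey printed.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 32 random bytes from the OS CSPRNG, base64-encoded: long enough that the
# "is equal to" check in the flow cannot be guessed.
function New-ApiKey {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Send-TestPayload {
    param(
        [Parameter(Mandatory)][string]$FlowUrl,
        [Parameter(Mandatory)][string]$ApiKey
    )
    # Same shape as the sample payload used to generate the trigger schema
    $payload = @{
        DeviceName          = "PC-01"
        Manufacturer        = "Dell Inc."
        Model               = "Latitude 5420"
        FirmwareVersion     = "1.28.0"
        SecureBootSupported = $true
        SecureBootEnabled   = $true
        UEFICA2023Present   = $false
        Status              = "At Risk"
        Notes               = "Test row from Send-TestPayload"
        Timestamp           = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    } | ConvertTo-Json -Compress

    Invoke-WebRequest -Uri $FlowUrl -Method Post -Body $payload `
        -ContentType "application/json" -Headers @{ "x-api-key" = $ApiKey } `
        -UseBasicParsing -TimeoutSec 30
}

# 1) Run once; paste the output into the flow Condition (right-hand value) and,
#    later, into the x-api-key header of the Intune script. Store it somewhere safe.
New-ApiKey

# 2) After the flow is saved with that key, post a test row. The trigger answers
#    202 Accepted before the Condition runs, so a wrong key still gets a 202:
#    confirm success in the SharePoint list and the flow run history, not here.
$response = Send-TestPayload -FlowUrl "https://your-url.com" -ApiKey "<paste the key here>"
"Flow acknowledged the request with HTTP $($response.StatusCode)"
```

A second call with a deliberately wrong key is a useful negative test: the flow run should show the Condition taking the false branch and no row should be added or updated. Remember that the key ends up inside a script on every targeted device, so anyone with admin rights on one of them can read it; treat it as a shared secret and rotate it (in the flow and the script) if it leaks.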
Step 3: Create Intune Script
Copy the PowerShell script below, but ensure you replace the flow URL with the URL from the step above, and the x-api-key value with the key you set in the flow’s Condition.
```powershell
# =========================================
# Intune Secure Boot / UEFI Reporting Script
# =========================================
# Force TLS 1.2 for HTTPS requests
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# --- Collect Device Info ---
$DeviceName      = $env:COMPUTERNAME
$ComputerSystem  = Get-CimInstance Win32_ComputerSystem
$Manufacturer    = $ComputerSystem.Manufacturer
$Model           = $ComputerSystem.Model
$FirmwareVersion = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion

# --- Check Secure Boot ---
$SecureBootSupported = $false
$SecureBootEnabled   = $false
$UEFICA2023Present   = $false

# Confirm-SecureBootUEFI returns $true/$false for enabled/disabled and throws on
# legacy BIOS / non-UEFI systems. A successful call therefore means Secure Boot
# is supported, and the return value tells us whether it is enabled.
try {
    $SecureBootEnabled   = [bool](Confirm-SecureBootUEFI)
    $SecureBootSupported = $true
} catch {
    $SecureBootSupported = $false
    $SecureBootEnabled   = $false
}

# If supported, check whether a 2023 CA is present in the db
if ($SecureBootSupported) {
    try {
        # Get-SecureBootUEFI returns an object whose .Bytes property holds the raw
        # EFI_SIGNATURE_LIST data. Certificate subject names are ASCII inside the
        # DER, so decode and search for "UEFI CA 2023" (matches both
        # "Windows UEFI CA 2023" and "Microsoft UEFI CA 2023").
        $uefiDB = Get-SecureBootUEFI -Name db
        $dbText = [System.Text.Encoding]::ASCII.GetString($uefiDB.Bytes)
        if ($dbText -match 'UEFI CA 2023') {
            $UEFICA2023Present = $true
        }
    } catch {
        $UEFICA2023Present = $false
    }
}

# --- Determine Status ---
if (-not $SecureBootSupported) {
    $Status = "Not Supported"
} elseif ($SecureBootEnabled -and $UEFICA2023Present) {
    $Status = "Compliant"
} else {
    $Status = "At Risk"
}

# --- Prepare Payload ---
$result = @{
    DeviceName          = $DeviceName
    Manufacturer        = $Manufacturer
    Model               = $Model
    FirmwareVersion     = $FirmwareVersion
    SecureBootSupported = $SecureBootSupported
    SecureBootEnabled   = $SecureBootEnabled
    UEFICA2023Present   = $UEFICA2023Present
    Status              = $Status
    Notes               = ""
    # Convert to UTC so the trailing "Z" in the timestamp is accurate
    Timestamp           = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
}

# --- Send to Power Automate Flow ---
# Your Flow HTTP URL
$FlowUrl = "https://your-url.com" # Replace with your HTTP trigger URL

# API Headers (For Auth)
$headers = @{
    "x-api-key" = "MySup3rS3cretK3y" # Replace with your API key
}

try {
    $json = $result | ConvertTo-Json -Depth 5 -Compress
    Invoke-RestMethod `
        -Uri $FlowUrl `
        -Method Post `
        -Headers $headers `
        -Body $json `
        -ContentType "application/json" `
        -TimeoutSec 30
    Write-Output "Posted results successfully"
}
catch {
    Write-Output "Failed to post results"
    Write-Output $_.Exception.Message
}
```
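The reporting script decides on UEFICA2023Present with a substring search over the raw db bytes. If you want to see exactly which CAs a machine has, rather than trusting a text match, the following parses the db variable properly. It is an added example, not part of the original post or the script above: it walks the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI, pulls out every X.509 entry, and lists the subjects. Run it in an elevated PowerShell session on a UEFI machine; `Get-SecureBootDbCertificates` is a name chosen here.

```powershell
# Added example (not from the original post): enumerate the X.509 certificates in
# the Secure Boot db. Requires an elevated session on a UEFI system.

# EFI_CERT_X509_GUID marks signature lists whose entries are DER-encoded certificates
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificates {
    param([string]$Variable = 'db')   # 'db' holds the allowed CAs; 'dbx' holds revocations

    $bytes  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    $certs  = @()

    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    #   | UINT32 SignatureSize | [SignatureHeader] | EFI_SIGNATURE_DATA[]
    # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by SignatureData.
    while ($offset + 28 -le $bytes.Length) {
        $sigType    = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        # Malformed list sizes would make the loop spin or read past the buffer; stop instead
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }

        if ($sigType -eq $EfiCertX509Guid) {
            $entry = $offset + 28 + $headerSize
            $end   = $offset + $listSize
            while ($sigSize -gt 16 -and $entry + $sigSize -le $end) {
                # Skip the SignatureOwner GUID; the remainder of the entry is the DER certificate
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $certs += [pscustomobject]@{
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

$dbCerts = Get-SecureBootDbCertificates -Variable db
$dbCerts | Format-Table Subject, NotAfter -AutoSize

# Same decision the reporting script makes, but based on parsed subjects rather
# than a search over the raw bytes
$UEFICA2023Present = [bool]($dbCerts | Where-Object { $_.Subject -match 'UEFI CA 2023' })
"UEFI CA 2023 present in db: $UEFICA2023Present"
```

On a machine that has received the updated certificates you should see a subject containing "Windows UEFI CA 2023" (and, where the OEM has shipped it, "Microsoft UEFI CA 2023") alongside the older 2011 entries; on a machine that has not, only the 2011 CAs appear, which is the "At Risk" case the list is meant to surface.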
Head to the Intune admin centre > Devices > Windows > Scripts and remediations.
Under Platform scripts click New and set:
- Run this script using the logged on credentials: No
- Enforce script signature check: No
- Run script in 64 bit PowerShell host: Yes
Upload the script above (containing your URL and key) and deploy it to the required devices.
It may take up to an hour to start seeing results, but as the script runs you should see them starting to populate in your SharePoint list.

#EdTech Network Manager, experienced in Microsoft 365, Server 2019, Intune, SCCM and anything in between.