SecureBoot Compliance - Audit

Overview

This script evaluates whether a Windows device is prepared for the upcoming Microsoft Secure Boot certificate transition scheduled for 2026.

Microsoft is replacing legacy Secure Boot certificates with updated 2023-era certificates (KEK and DB). Devices that do not contain these updated certificates may be considered "at risk" once older certificates expire.

The script performs the following checks and stores the status in the custom fields:

Secure Boot

Verifies whether Secure Boot is enabled or disabled on the device.

Windows Telemetry

Determines CA2023 compliance based on Secure Boot state and certificate presence.

Windows DB Certificate

Checks for presence of the 'Windows UEFI CA 2023' certificate in the DB store.

Windows KEK Certificate

Checks for presence of the 'Microsoft Corporation KEK 2K CA 2023' certificate.

Sample Run

Play Button > Run Automation > Script

SampleRun1

Dependencies

Solution - Secure Boot Compliance Audit

Automation Setup/Import

Automation Configuration

Output

Activity Details
Custom Field

Changelog

2026-03-12

Initial version of the document

Overview​

Sample Run​

Dependencies​

Automation Setup/Import​

Output​

Changelog​

2026-03-12​