Secure Boot Compliance Audit
Purpose
This solution checks the Secure Boot status and validates the associated certificates. If the system is still using the older Secure Boot certificates, the custom fields are updated accordingly; if the system is using the updated certificates, the custom fields are updated to reflect the compliant status.
Associated Content
Custom Field
| Content | Type | Function |
|---|---|---|
| cPVAL Secure Boot Status | Custom Field | This custom field shows whether Secure Boot is enabled on the device. |
| cPVAL Windows Telemetry Status | Custom Field | This custom field indicates the current telemetry (diagnostic data) level on Windows. |
| cPVAL Windows KEK Certificate | Custom Field | This custom field displays the status of the Windows Key Exchange Key (KEK) certificate. |
| cPVAL Windows DB Certificate | Custom Field | This custom field shows the status of the Windows Secure Boot Database (DB) certificate. |
Automation
| Content | Type | Function |
|---|---|---|
| SecureBoot Compliance - Audit | Automation | This script evaluates whether a Windows device is prepared for the upcoming Microsoft Secure Boot certificate transition scheduled for 2026. |
Group
| Content | Type | Function |
|---|---|---|
| cPVAL SecureBoot Audit [Windows] | Group | This group shows all Windows devices with their Secure Boot status. |
| cPVAL Windows Workstations | Group | A group designated for machines running Windows workstation editions. |
| cPVAL Windows Servers | Group | A group designated for machines running Windows Server editions. |
Task
| Content | Type | Function |
|---|---|---|
| cPVAL SecureBoot Status | Task | This task checks and records the SecureBoot status on devices, including SecureBoot certificates. |
Implementation
Step 1: Create the following Custom Fields
- cPVAL Secure Boot Status
- cPVAL Windows Telemetry Status
- cPVAL Windows KEK Certificate
- cPVAL Windows DB Certificate
Step 2: Import Automation Scripts
Step 3: Create the following groups
- cPVAL SecureBoot Audit [Windows]
- cPVAL Windows Workstations (if it does not already exist)
- cPVAL Windows Servers (if it does not already exist)
Step 4: Create the following Task:
- cPVAL SecureBoot Status
FAQ
Q1. What is the purpose of the Secure Boot Compliance – Audit solution?
Answer: The solution audits the Secure Boot configuration on Windows devices and validates related Secure Boot certificates. It updates custom fields to reflect whether the device is compliant or using outdated certificates.
Q2. What information does this solution collect from devices?
Answer: The solution collects and records the following information:
- Secure Boot status (enabled or disabled)
- Windows telemetry status
- Windows Secure Boot DB certificate status
- Windows KEK certificate status
This information is stored in custom fields for reporting and compliance monitoring.
Q3. Why are custom fields used in this solution?
Answer: Custom fields allow Secure Boot audit results to be stored directly on each device record. This makes it easier to:
- Filter devices
- Create device groups
- Generate reports
- Monitor compliance across the environment.
Q4. Which custom fields are created for this solution?
Answer: The solution uses the following custom fields:
- cPVAL Secure Boot Status
- cPVAL Windows Telemetry Status
- cPVAL Windows KEK Certificate
- cPVAL Windows DB Certificate
Each field records a specific part of the Secure Boot compliance audit.
Q5. What is the role of the automation script in this solution?
Answer: The automation script evaluates the device's Secure Boot configuration and verifies whether the system is prepared for the Microsoft Secure Boot certificate transition scheduled for 2026.
It then updates the related custom fields with the results.
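The checks the automation performs, written out as an added PowerShell example that is not the solution's own script: it reads the Secure Boot state with Confirm-SecureBootUEFI, parses the raw KEK and db variables returned by Get-SecureBootUEFI for the 2023 Microsoft CA names that replace the 2011 certificates expiring in 2026, reads the AllowTelemetry policy value, and returns one object keyed by the four custom-field names. Writing that object into the custom fields depends on the RMM agent and is left as a placeholder on the last line.

```powershell
# Added example, not the solution's own script; the custom-field write is a placeholder (last line).
#Requires -RunAsAdministrator
# Subject names of the 2023 Microsoft CAs that replace the 2011 certificates expiring in 2026.
$NewKek = 'Microsoft Corporation KEK 2K CA 2023'
$NewDb  = 'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023'

function Get-UefiCertSubjects {
    # Walk an EFI_SIGNATURE_LIST blob (raw KEK or db variable) and return every X.509 subject.
    param([byte[]]$Bytes)
    $x509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $subjects = @(); $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28) { break }                      # malformed list: stop parsing
        if ($type -eq $x509 -and $sigSize -gt 16) {          # skip hash-only lists
            $p = $pos + 28 + $headerSize
            while ($p + $sigSize -le $pos + $listSize) {
                $der  = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]   # skip SignatureOwner GUID
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $subjects += $cert.GetNameInfo('SimpleName', $false)
                $p += $sigSize
            }
        }
        $pos += $listSize
    }
    return $subjects
}

function Get-SecureBootAudit {
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $null }   # throws on legacy BIOS
    if ($null -eq $enabled) { $state = 'Unsupported'; $kekOk = $dbOk = $false }
    else {
        $state = if ($enabled) { 'Enabled' } else { 'Disabled' }
        $kek   = Get-UefiCertSubjects (Get-SecureBootUEFI -Name KEK).Bytes
        $db    = Get-UefiCertSubjects (Get-SecureBootUEFI -Name db).Bytes
        $kekOk = $kek -contains $NewKek
        $dbOk  = [bool]($NewDb | Where-Object { $db -contains $_ })
    }
    $tel = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -ErrorAction SilentlyContinue).AllowTelemetry
    [pscustomobject]@{
        'cPVAL Secure Boot Status'       = $state
        'cPVAL Windows KEK Certificate'  = if ($kekOk) { 'Compliant (2023 KEK present)' } else { 'Outdated (2023 KEK missing)' }
        'cPVAL Windows DB Certificate'   = if ($dbOk)  { 'Compliant (2023 CA present)' }  else { 'Outdated (2023 CA missing)' }
        'cPVAL Windows Telemetry Status' = if ($null -eq $tel) { 'Not set by policy' } else { "AllowTelemetry=$tel" }
    }
}
Get-SecureBootAudit | Format-List   # placeholder: feed this object to the RMM custom-field write command
```

A device that reports Secure Boot enabled but a missing 2023 KEK or db CA is exactly the case the audit is meant to surface before the 2026 transition.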
Q6. What happens if Secure Boot is disabled on a device?
Answer: If Secure Boot is disabled, the device will be identified through the custom field cPVAL Secure Boot Status and may appear in the cPVAL SecureBoot Audit [Windows] device group for further review or remediation.
Q7. What does the task "cPVAL SecureBoot Status" do?
Answer: This task runs the Secure Boot audit on devices. It checks the Secure Boot configuration and certificate status, then updates the associated custom fields with the results.
Q8. Why is Secure Boot certificate validation important?
Answer: Secure Boot certificates ensure that only trusted software can run during the system boot process. Validating these certificates helps maintain system integrity and ensures compatibility with upcoming security updates from Microsoft.
Q9. When should this solution be deployed?
Answer: This solution should be deployed across all Windows devices to ensure they are prepared for the 2026 Microsoft Secure Boot certificate transition and to maintain consistent security compliance across the environment.
Q10. What is the benefit of separating audit results into multiple custom fields?
Answer: Using separate fields improves visibility and reporting. Administrators can easily filter devices based on specific conditions such as:
- Secure Boot disabled
- Outdated certificates
- Telemetry configuration
This allows more accurate device grouping and compliance monitoring.
Changelog
2026-03-24
- Added cPVAL Windows Workstations and cPVAL Windows Servers group dependency for the task cPVAL SecureBoot Status.
2026-03-12
- Initial version of the document