📚🪟💻Compliance - Device Health - Secure Boot
What this policy is about 🔍
Secure Boot ensures that only trusted firmware and OS components load during startup.
This compliance policy checks whether Secure Boot is enabled on the device. Secure Boot prevents rootkits and bootkits from loading before the operating system—stopping malware before Windows even starts.
How it works 🛠️
This policy uses Windows Device Health Attestation to verify Secure Boot status.
- TPM chip reports status — the TPM-signed boot measurements record whether Secure Boot was enabled in UEFI
- Windows Health Attestation Service — Microsoft verifies the report
- Intune receives the result — Compliant or non-compliant
This is hardware-backed attestation. The device cryptographically proves its boot chain is secure.
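The following is an added local preflight check, not part of this policy page or of Microsoft's tooling. It reads the same signals the Device Health attestation chain depends on (UEFI firmware, Secure Boot state, a present and ready TPM) so an admin can predict, before enrolment, whether a device will land as compliant or non-compliant under a "Secure Boot: Required" policy. It assumes an elevated Windows PowerShell session on Windows 10/11; the function name `Get-SecureBootHealth` is a hypothetical name chosen for this example.

```powershell
# Added example (not from the policy page): local check mirroring what the
# Secure Boot compliance policy verifies through Device Health Attestation.
# Assumes an elevated Windows PowerShell session on Windows 10/11.

function Get-SecureBootHealth {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        FirmwareType      = $null
        SecureBootEnabled = $null
        TpmPresent        = $null
        TpmReady          = $null
        ExpectedCompliant = $false
        Notes             = @()
    }

    # 1. Firmware type: Secure Boot only exists on UEFI firmware, so a legacy
    #    BIOS device can never satisfy this policy.
    try {
        $result.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    } catch {
        $result.Notes += "Could not query firmware type: $($_.Exception.Message)"
    }

    # 2. Secure Boot state. Confirm-SecureBootUEFI throws on non-UEFI
    #    platforms, so treat that exception as 'not enabled'.
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBootEnabled = $false
        $result.Notes += "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
    }

    # Cross-check against the Secure Boot state Windows records in the registry.
    $regState = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State' -ErrorAction SilentlyContinue
    if ($null -ne $regState -and [int]$regState.UEFISecureBootEnabled -ne [int]$result.SecureBootEnabled) {
        $result.Notes += "Registry UEFISecureBootEnabled ($($regState.UEFISecureBootEnabled)) disagrees with Confirm-SecureBootUEFI"
    }

    # 3. TPM: Device Health Attestation needs a ready TPM to sign the boot
    #    measurements that the Health Attestation Service validates.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        $result.Notes += "Get-Tpm failed: $($_.Exception.Message)"
    }

    # 4. Predict the outcome of a 'Secure Boot: Required' compliance policy.
    #    Secure Boot on but no ready TPM means the attestation report cannot be
    #    produced, so the device is still expected to show as non-compliant.
    $result.ExpectedCompliant = ($result.SecureBootEnabled -eq $true) -and ($result.TpmReady -eq $true)
    if (-not $result.ExpectedCompliant) {
        $result.Notes += "Device is expected to be marked non-compliant by the Secure Boot compliance policy"
    }

    [pscustomobject]$result
}

Get-SecureBootHealth | Format-List
```

The script is a prediction, not the attestation itself: the authoritative verdict still comes from the Windows Health Attestation Service, which validates the TPM-signed boot log rather than trusting anything the OS reports about itself. A mismatch between the two local sources (the cmdlet and the registry value) is worth investigating before blaming the policy.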
🛠️ Compliance Settings
Platform
- Windows 10 and later
Profile Type
- Windows 10/11 compliance policy
Device Health
| Setting | Value |
|---|---|
| Secure Boot | Required |
⚙️ Actions for Non-Compliance
| Action | Schedule | Message Template | Additional Recipients |
|---|---|---|---|
| Mark device non-compliant | Immediately | (none) | None selected |
👥 Group Assignments
✅ Included groups:
All Devices