Monitor and govern Secure Boot certificate lifecycle across Windows fleets with real-time analytics, remote command management, and compliance dashboards.
Version 1.15 - Security Hardening, CORS Restrictions & Test Fixes
Secure Boot Certificate Watcher is an enterprise solution for monitoring Secure Boot certificate status on Windows devices. It captures registry snapshots and Windows event logs, transmits reports to a centralized API, and provides a real-time dashboard for compliance tracking, alerting, and fleet governance.
```text
+-------------------------------------------------+
| Windows Devices (.NET Framework 4.8)            |
|  +-------------------------------------------+  |
|  | SecureBootWatcher.Client                  |  |
|  | - Registry polling                        |  |
|  | - Event log capture                       |  |
|  | - UEFI certificate enumeration            |  |
|  | - Multi-sink delivery                     |  |
|  +-------------------------------------------+  |
+------------------------+------------------------+
                         | WebAPI / Azure Queue / FileShare
                         v
         +-------------------------------+
         | Azure Queue Storage           |
         | (optional message buffer)     |
         +---------------+---------------+
                         |
                         v
+-------------------------------------------------+
| Dashboard API (ASP.NET Core 10)                 |
|  +-------------------------------------------+  |
|  | SecureBootDashboard.Api                   |  |
|  | - Report ingestion & validation           |  |
|  | - EF Core + SQL Server persistence        |  |
|  | - Queue processor background service      |  |
|  | - SignalR real-time notifications         |  |
|  | - Excel/CSV export                        |  |
|  | - Remote command management               |  |
|  +-------------------------------------------+  |
+------------------------+------------------------+
                         |
                         v
+-------------------------------------------------+
| Dashboard Web (Razor Pages)                     |
|  +-------------------------------------------+  |
|  | SecureBootDashboard.Web                   |  |
|  | - Interactive analytics (Chart.js)        |  |
|  | - Real-time updates (SignalR)             |  |
|  | - Device & certificate management         |  |
|  | - Command management UI                   |  |
|  | - Windows version tracking                |  |
|  +-------------------------------------------+  |
+-------------------------------------------------+
```
- UEFI Certificate Enumeration: Scan db, dbx, KEK, PK databases from firmware
- Expiration Tracking: Color-coded certificate health (expired, expiring soon, valid)
- Windows UEFI CA 2023: Track deployment readiness for the new Microsoft certificate
- Certificate Validation: Multi-tier PKI chain validation with CA root verification
- Real-time Updates: SignalR-powered live dashboard with auto-reconnection
- Interactive Charts: Chart.js visualizations for compliance trends and deployment status
- Export: Excel/CSV export for devices, reports, and certificate data
- Device Details: Deep-dive into individual device compliance with full certificate tables
- Version Database: Track Windows 10/11 versions, builds, and support lifecycle
- Build Security: Identify outdated and insecure builds with IsSecure/IsLatest flags
- Outdated Devices: Fleet-wide view of devices needing Windows updates
- Integration: Built-in WindowsVersionsCore for Microsoft version data sync
- Centralized Control: Send configuration commands to individual or multiple devices
- Batch Operations: Fleet-wide command dispatch with filter-based device selection
- Command Lifecycle: Full tracking from Pending -> Fetched -> Processing -> Completed/Failed
- Scheduling & Priority: Schedule commands for future execution with priority ordering
- Multi-criteria Readiness: Firmware date + OS build validation for UEFI CA 2023
- Visual Status: Color-coded badges (Ready / Partial / Not Ready / Unknown)
- Fleet Overview: Dashboard widget with readiness statistics
- Telemetry Levels: Monitor Windows diagnostic data levels per device
- CFR Eligibility: Detect Controlled Feature Rollout readiness
- Update Types: Track requested DB and Boot Manager updates
- Mutual TLS: Client certificate authentication support
- Azure AD / Entra ID: Dashboard authentication integration
- Windows Authentication: Domain-based access control
- Multi-sink Resilience: Failover delivery with retry policies (Polly)
- Rate Limiting: Configurable request throttling
- Output Caching: Tunable response caching
- Response Compression: Brotli/Gzip compression
- Database Optimization: Connection pooling, query splitting, compiled queries
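The db, dbx, KEK and PK variables that the client enumerates are each a chain of EFI_SIGNATURE_LIST structures. The parser below is an added illustration, not the project's code: it walks that layout, rejects truncated or malformed lists, and counts entries per signature type; its sample lists are constructed inside the block, whereas on a real device the bytes come from `(Get-SecureBootUEFI -Name db).Bytes`.

```python
# Added illustration (not the project's code): walk one Secure Boot variable (db/dbx/KEK/PK)
# stored as a chain of EFI_SIGNATURE_LIST structures, as laid out in the UEFI specification.
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # UEFI spec value
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec value
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HEADER_LEN = 28  # SignatureType GUID + SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 LE)

def parse_signature_lists(blob: bytes):
    """Return [(type_name, owner_guid, payload)] for every entry; reject malformed lists."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % offset)
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        pos, end = offset + HEADER_LEN + hdr_size, offset + list_size
        if list_size < HEADER_LEN + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % offset)
        while pos + sig_size <= end:  # EFI_SIGNATURE_DATA entries are fixed-size within a list
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner, then DER cert or hash
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        offset = end
    return entries

def build_signature_list(sig_type, owner, payloads):
    """Serialize one list the way firmware stores it (used here only to build sample input)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = struct.pack("<III", HEADER_LEN + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + header + body

def summarize(blob: bytes):
    """Entry count per signature type, the kind of field a device report would carry."""
    counts = {}
    for name, _owner, _payload in parse_signature_lists(blob):
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample data, not real firmware contents: a db-style x509 list and a dbx-style hash list.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed SignatureOwner
REVOKED_HASHES = [hashlib.sha256(b"revoked-loader-1").digest(), hashlib.sha256(b"revoked-loader-2").digest()]
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"constructed-DER-certificate-bytes"])
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, OWNER, REVOKED_HASHES)
```

A real variable is several such lists back to back, which is why `summarize(SAMPLE_DB + SAMPLE_DBX)` is the realistic call.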
| Project | Framework | Description |
|---|---|---|
| SecureBootWatcher.Client | .NET Framework 4.8 | Windows agent: registry polling, event log capture, certificate enumeration |
| SecureBootWatcher.Shared | .NET Standard 2.0 | Shared models, configuration, validation contracts |
| SecureBootDashboard.Api | ASP.NET Core 10 | REST API: report ingestion, SignalR hub, queue processor, export service |
| SecureBootDashboard.Web | ASP.NET Core 10 (Razor Pages) | Dashboard UI: charts, device management, command console |
| WindowsVersionsCore | ASP.NET Core 10 | Windows version/build tracking and security assessment |
| SecureBootReportProxy.Functions | Azure Functions (.NET 8) | Serverless queue-to-API bridge |
| PowerShell Client | PowerShell 5.0+ | Alternative lightweight client for Intune/SCCM deployment |
- SecureBootDashboard.Api.Tests (xUnit, 85 tests): API controller and service tests
- SecureBootDashboard.Web.Tests (xUnit, 8 tests): Razor page model tests
- SecureBootWatcher.Client.Tests (MSTest, 3 tests): Client service flow tests
- SecureBootWatcher.Shared.Tests (xUnit, 7 tests): Shared model/config tests
- .NET 10 SDK
- .NET Framework 4.8 Developer Pack (for Client project)
- SQL Server (or SQL Server Express / LocalDB)
- Visual Studio 2022+ or VS Code with C# Dev Kit
- Windows 10/11 or Windows Server 2016+
- .NET Framework 4.8 Runtime (or PowerShell 5.0+ for PS client)
- Administrator privileges (for registry and certificate access)
- Windows Server or Azure App Service
- .NET 10 Runtime
- SQL Server 2019+ (or Azure SQL Database)
- (Optional) Azure Queue Storage for buffered ingestion
```bash
git clone https://github.com/robgrame/Nimbus.BootCertWatcher.git
cd Nimbus.BootCertWatcher
dotnet build SecureBootWatcher.sln
dotnet test SecureBootWatcher.sln
```

Copy and customize the configuration files:

```bash
# API - set your SQL Server connection string
# Edit SecureBootDashboard.Api/appsettings.json
# Set ConnectionStrings:SqlServer

# Web - set the API base URL
# Edit SecureBootDashboard.Web/appsettings.json
# Set ApiSettings:BaseUrl

# Client - set the API endpoint and sink strategy
# Edit SecureBootWatcher.Client/appsettings.json
# Set SecureBootWatcher:Sinks:WebApi:BaseAddress
```

Important: Never commit secrets to source control. Use environment variables, Azure Key Vault, or User Secrets for production credentials. See Security Configuration below.

```bash
dotnet ef database update --project SecureBootDashboard.Api
```

```powershell
# Quick start (API + Web in parallel)
.\start-dev.ps1

# Or manually:
cd SecureBootDashboard.Api && dotnet run   # https://localhost:5001
cd SecureBootDashboard.Web && dotnet run   # https://localhost:7001
```

```bash
cd SecureBootWatcher.Client && dotnet run
```

All sensitive configuration values have been removed from the repository. You must configure them through environment variables, Azure Key Vault, or local User Secrets.
| Setting | Location | Description |
|---|---|---|
| ConnectionStrings:SqlServer | API appsettings | SQL Server connection string |
| ApplicationInsights:ConnectionString | API/Web appsettings | App Insights instrumentation |
| QueueProcessor:TenantId | API appsettings | Azure AD tenant for queue auth |
| QueueProcessor:ClientId | API appsettings | App registration client ID |
| QueueProcessor:CertificateThumbprint | API appsettings | Auth certificate thumbprint |
| AzureAd:TenantId / AzureAd:ClientId | Web appsettings | Entra ID authentication |
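A pre-commit style check that the settings in the table above stay empty in committed appsettings*.json files, and that the SSL validation bypass disabled by default in v1.15 has not been switched back on. This is an added example, not part of the project; the sample documents are constructed in the block, and the nesting of the client's BypassSslValidation key is assumed, which is why the check searches for the key name anywhere in the tree.

```python
# Added illustration (not the project's code): fail a commit when an appsettings*.json carries a
# value for a setting this README says must come from env vars, Key Vault or User Secrets, or when
# the SSL validation bypass that v1.15 disabled by default has been switched back on.
import json

# Colon-separated ASP.NET Core keys, as listed in the configuration table above.
SECRET_PATHS = ["ConnectionStrings:SqlServer", "ApplicationInsights:ConnectionString",
                "QueueProcessor:TenantId", "QueueProcessor:ClientId",
                "QueueProcessor:CertificateThumbprint", "AzureAd:TenantId", "AzureAd:ClientId"]

def lookup(config, path):
    """Resolve a colon-separated key against the JSON tree; None if any segment is missing."""
    node = config
    for part in path.split(":"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def find_keys(node, name, trail=""):
    """Yield (path, value) for every key called `name` anywhere in the tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{trail}:{key}" if trail else key
            if key == name:
                yield path, value
            yield from find_keys(value, name, path)

def audit_appsettings(text):
    """Return findings for one appsettings JSON document; an empty list means it is clean."""
    config = json.loads(text)
    findings = []
    for path in SECRET_PATHS:
        value = lookup(config, path)
        if isinstance(value, str) and value.strip():
            findings.append(f"{path}: committed value; supply it via env var, Key Vault or User Secrets")
    for path, value in find_keys(config, "BypassSslValidation"):  # key name from the v1.15 notes
        if value is True:
            findings.append(f"{path}: SSL validation bypass enabled; keep it false outside local dev")
    return findings

# Constructed sample documents, not the repository's files; the client key layout is assumed.
CLEAN_API_SETTINGS = json.dumps({"ConnectionStrings": {"SqlServer": ""}, "QueueProcessor": {"TenantId": ""}})
LEAKY_CLIENT_SETTINGS = json.dumps({
    "ConnectionStrings": {"SqlServer": "Server=db01;Database=SecureBoot;User Id=app;Password=example"},
    "SecureBootWatcher": {"Sinks": {"WebApi": {"BaseAddress": "https://localhost:5001",
                                               "BypassSslValidation": True}}},
})
```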
Recommended approach for production:

```bash
# Use Azure Key Vault references in App Service
az webapp config appsettings set --name <app> --resource-group <rg> \
  --settings "ConnectionStrings__SqlServer=@Microsoft.KeyVault(SecretUri=https://...)"
```

```powershell
# Or use environment variables
$env:ConnectionStrings__SqlServer = "Server=...;Database=...;..."
```

| Method | Endpoint | Description |
|---|---|---|
| POST | /api/SecureBootReports | Ingest client report payloads |
| GET | /api/Devices | List all devices with summaries |
| GET | /api/Devices/{id} | Device details |
| GET | /api/Devices/{id}/reports | Device report history |
| GET | /api/Devices/export/excel | Export devices to Excel |
| GET | /api/Devices/export/csv | Export devices to CSV |
| GET | /api/ClientCommands | Get pending commands for a device |
| POST | /api/ClientCommands | Create a new device command |
| GET | /api/Settings | Application settings |
| GET | /api/WindowsVersions | Windows version data |
| WS | /dashboardHub | SignalR real-time endpoint |
| GET | /swagger | OpenAPI / Swagger UI |
| Layer | Technology | Version |
|---|---|---|
| Backend | ASP.NET Core | 10.0 |
| ORM | Entity Framework Core | 10.0 |
| Real-time | SignalR | 1.2 |
| Logging | Serilog + Application Insights | 10.0 |
| Resilience | Polly | 8.6 |
| Frontend | Razor Pages + Bootstrap 5 | - |
| Charts | Chart.js | 4.4 |
| Export | ClosedXML + CsvHelper | 0.105 / 33.1 |
| Client | .NET Framework | 4.8 |
| Queue | Azure Storage Queues | 12.25 |
| Auth | Azure.Identity | 1.17 |
| Testing | xUnit + MSTest + Moq | Latest |
| Versioning | Nerdbank.GitVersioning | 3.9 |
Comprehensive documentation is available in the docs/ folder:
- Deployment Guides: API Server, Web Dashboard, Client, Azure
- Configuration: Authentication, Certificates, Mutual TLS, Queue Processor
- Features: Command Management, Windows Versions, Export
- Operations: Troubleshooting, Diagnostics, Emergency Procedures
- Release Notes: Complete changelog from v1.3 through v1.15
- Client Deployment: Intune, SCCM, PowerShell packaging
Quick links:
- Deployment Guide
- Mutual TLS Quick Start
- Command Management User Guide
- PowerShell Client
- Azure Deployment
```powershell
# Build
dotnet build SecureBootWatcher.sln

# Test
dotnet test SecureBootWatcher.sln

# Run (development)
.\start-dev.ps1

# Database migration
dotnet ef database update --project SecureBootDashboard.Api

# Add new migration
dotnet ef migrations add <Name> --project SecureBootDashboard.Api

# Run client once
cd SecureBootWatcher.Client && dotnet run
```

- Removed all hardcoded secrets from configuration files (Azure TenantId, ClientId, CertificateThumbprint, InstrumentationKeys)
- Replaced internal server names with localhost defaults
- Disabled SSL validation bypass in default configuration (BypassSslValidation: false)
- Restricted CORS policy in WindowsVersionsCore (was AllowAnyOrigin, now configurable origins with GET-only methods)
- Removed hardcoded log file paths (was R:\Nimbus.SecureBootCert\...)
- Fixed Assert.IsGreaterThan argument order bug in the RunAsync_WithRunModeContinuous_ExecutesMultipleTimes test
- Increased test timeout for reliable continuous mode validation
- All 103 tests passing (85 API + 8 Web + 7 Shared + 3 Client)
- Moved 29 deployment/troubleshooting markdown files from root to docs/
- Clean root directory with only README.md and essential project files
See Release Notes for v1.3 through v1.14 changelog.
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'feat: add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
- Follow Microsoft C# Coding Conventions
- Use conventional commits (feat:, fix:, docs:, test:, refactor:)
- Add tests for new functionality
- Update documentation for user-facing changes
This project is licensed under the MIT License - see LICENSE for details.
Roberto Gramellini - GitHub