It's not wrong as such, but it controls what is allowed to be updated as part of regular updates. Take a look at the new GPO templates and you'll see this (0x5944) is being set if you choose that option:
<policy name="SecureBoot_MicrosoftUpdateManagedOptIn"
        class="Machine"
        displayName="$(string.SecureBoot_MicrosoftUpdateManagedOptIn)"
        explainText="$(string.SecureBoot_MicrosoftUpdateManagedOptIn_Help)"
        key="SYSTEM\CurrentControlSet\Control\SecureBoot"
        valueName="MicrosoftUpdateManagedOptIn">
  <parentCategory ref="SecureBootCategory" />
  <supportedOn ref="windows:SUPPORTED_Windows8" />
  <enabledValue>
    <decimal value="22852" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
</policy>
However, you can take more direct control using the undocumented value of AvailableUpdatesPolicy (note the word policy on the end and the fact it uses the same control flags). This is what gets set when you enable 'Secureboot certificate deployment' in the policy:
<policy name="SecureBoot_AvailableUpdatesPolicy"
        class="Machine"
        displayName="$(string.SecureBoot_AvailableUpdatesPolicy)"
        explainText="$(string.SecureBoot_AvailableUpdatesPolicy_Help)"
        key="SYSTEM\CurrentControlSet\Control\SecureBoot"
        valueName="AvailableUpdatesPolicy">
  <parentCategory ref="SecureBootCategory" />
  <supportedOn ref="windows:SUPPORTED_Windows8" />
  <enabledValue>
    <decimal value="22852" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
</policy>
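
An added example, not part of the original post: a small Python audit helper that reads ADMX `<policy>` elements like the two above and reports which registry value each one writes and which flag bits the enabled value sets. The `<policies>` wrapper and the trimmed attributes are constructed for the example; the bits are listed by value only, since the post does not name them.

```python
import xml.etree.ElementTree as ET

# Constructed input: the post's two <policy> elements (display attributes and
# category/supportedOn children trimmed) under an assumed wrapper root.
ADMX = r"""<policies>
  <policy name="SecureBoot_MicrosoftUpdateManagedOptIn" class="Machine"
          key="SYSTEM\CurrentControlSet\Control\SecureBoot"
          valueName="MicrosoftUpdateManagedOptIn">
    <enabledValue><decimal value="22852" /></enabledValue>
    <disabledValue><decimal value="0" /></disabledValue>
  </policy>
  <policy name="SecureBoot_AvailableUpdatesPolicy" class="Machine"
          key="SYSTEM\CurrentControlSet\Control\SecureBoot"
          valueName="AvailableUpdatesPolicy">
    <enabledValue><decimal value="22852" /></enabledValue>
    <disabledValue><decimal value="0" /></disabledValue>
  </policy>
</policies>"""

HIVES = {"Machine": "HKLM", "User": "HKCU"}  # ADMX class -> registry hive

def local(tag):  # strip the XML namespace that real ADMX files declare
    return tag.rsplit("}", 1)[-1]

def set_bits(value):  # individual flag bits set in value, lowest first
    return [1 << i for i in range(value.bit_length()) if (value >> i) & 1]

def registry_writes(admx_text):
    """List the registry value each policy writes when enabled or disabled."""
    writes = []
    for pol in ET.fromstring(admx_text).iter():
        if local(pol.tag) != "policy":
            continue
        state = {}
        for child in pol:
            if local(child.tag) in ("enabledValue", "disabledValue"):
                dec = next((e for e in child if local(e.tag) == "decimal"), None)
                if dec is not None:
                    state[local(child.tag)] = int(dec.get("value"))
        writes.append({
            "path": f"{HIVES.get(pol.get('class'), '?')}\\{pol.get('key')}",
            "value_name": pol.get("valueName"),
            "enabled": state.get("enabledValue"),
            "disabled": state.get("disabledValue"),
        })
    return writes

if __name__ == "__main__":
    for w in registry_writes(ADMX):
        print(w["path"], w["value_name"], hex(w["enabled"]), [hex(b) for b in set_bits(w["enabled"])])
```

Run against a full `.admx` file, the same function shows at a glance when two policies write the same flag value to different value names under one key, as these two do.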