MicrosoftMaybe there is a misunderstanding or an error in the description:
https://support.microsoft.com/en-us/topic/group-policy-objects-gpo-method-of-secure-boot-for-windows-devices-with-it-managed-updates-65f716aa-2109-4c78-8b1f-036198dd5ce7
GPO-Setting "Automatic Certificate Deployment via Updates"
Enabled: Devices with validated update results will receive certificate updates automatically during servicing.
Disabled: Automatic deployment is blocked; updates must be managed manually.
>> Corresponds to the registry key "HighConfidenceOptOut"
####################
https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d
HighConfidenceOptOut - REG_DWORD - An opt-out option.
For enterprises that want to opt out of high confidence buckets that will automatically be applied as part of the LCU.
You can set this key to a non-zero value to opt-out of the high confidence buckets.
Settings
0 or key does not exist – Opt in
1 – Opt out
####################
If you configure the GPO-Setting "Automatic Certificate Deployment via Updates" with Disabled you get the key "0".
But the Disabled Config should block the process and be an opt-out..
