I believe the "Microsoft managed" one only starts the update if you have telemetry on AND the telemetry from other systems similar to yours tells Microsoft that the update succeeded. The high confidence opt out one does the opposite - if Microsoft's telemetry says your system should update fine but you don't want the update yet.
The "Enable Secure Boot Certificate Deployment"/AvailableUpdatesPolicy (or manually setting AvailableUpdates in the registry) tells it to do the update now if possible (not based on telemetry). Depending on the system, it might work fine like it has for me on Dell laptops (requires reboots and the scheduled task to run again to fully finish), or fail at one of the steps (e.g. Hyper-V doesn't allow updating the KEK currently but does the DB/DBX/boot manager and boots successfully).
Some "Sure Start" HPs in particular have a BIOS/UEFI bug (https://support.hp.com/us-en/document/ish_9642671-9641393-16?jumpid=in_r11839_us-en/PCSecureBootErr) that prevents booting after they fail to process a secure boot update unless the BIOS is updated (mentioned in https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d), so there appears to be an extra check even if you set AvailableUpdates and it's an HP (or ARM/Apple/VMware) computer/VM.