Forum Discussion

KNewton1971
Copper Contributor
Jan 21, 2026

Secure Boot Certificate Updates via Intune Policy

We are currently having issues applying the settings required to install Secure Boot cert updates using the Intune policy method.

A brief overview to quickly explain: we are a reasonably large company managing a mix of over 10,000 Windows and iOS devices. Our Windows devices come from the supplier with the Professional edition of Windows pre-installed; this is then changed via an Enterprise key as part of our Autopilot enrolment process and activated via our users' subscription licence. To all intents and purposes Windows looks and feels like the Enterprise edition; indeed, if you check using winver, system settings and activation status, for example, then Windows tells us that it is the Enterprise edition.

However, if you check the licensing using slmgr /dli it shows that the licensing has been reverted back to the OEM Professional edition as pre-installed by the supplier on purchase.

This may have always been the case but until very recently has gone unnoticed. Whilst testing the rollout of an Intune policy to allow Secure Boot cert updates, as detailed here: Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support, this is failing because the policy is rejected with a licensing error:

MDM PolicyManager: Policy is rejected by licensing, Policy: (ConfigureMicrosoftUpdateManagedOptIn), Area: (SecureBoot), Result:(0x82B00006) Unknown Win32 Error code: 0x82b00006

Intune reporting directly on the policy shows this as error 65000.

We are able to change the key by using slmgr and a combination of MAK\KMS\OEM keys, but whatever keys are applied, this always reverts to being the OEM Professional key after the device has been restarted.

I have seen that there is a Group Policy method for setting the required settings for the Secure Boot cert updates to work; this, however, seems a very backward approach by Microsoft in an area where they are trying to promote a cloud-first policy. Indeed, since we rolled out Windows 11, we as an organisation have been moving anything that we can to the cloud in readiness for retirement of our on-prem estate.

Microsoft's response to my recent support request was that this is expected behaviour, which to all intents and purposes is not what I would class as a solution.

Has anyone else had the same issues when using the Intune policy method, and was a solution found, or did you have to return to the dark ages and resort to Group Policy?

There seem to be lots of posts online referring to access to specific registry keys being blocked, going as far back as 2024; the suggested script to resolve these permissions and the suggested KB articles have not resolved the issue.
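The post compares several sources of truth by hand (winver and Settings say Enterprise, slmgr /dli says OEM Professional, the MDM diagnostics log shows the SecureBoot policy rejected by licensing). The script below is an added example, not part of the original post or of Microsoft's documentation; it gathers those same facts in one elevated PowerShell run so that the edition-versus-licence mismatch and the policy rejection can be confirmed on a device before raising it with support. It uses only standard Windows components (the SoftwareLicensingProduct WMI class that slmgr reads, the Win32_OperatingSystem class, Confirm-SecureBootUEFI and the DeviceManagement-Enterprise-Diagnostics-Provider event channel). The PolicyManager registry path used to list any values already written for the SecureBoot area is an assumption about where that area is stored and is read with errors suppressed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Collects, on one device:
#   1. the edition the OS reports,
#   2. the Windows product licence entry the licensing service reports (what slmgr /dli shows),
#   3. the Secure Boot state,
#   4. MDM PolicyManager licensing rejections logged for the SecureBoot policy area.

# --- 1. Edition as the OS presents it (what winver / Settings show) ---
$ntVersion = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$os        = Get-CimInstance -ClassName Win32_OperatingSystem

# --- 2. Active Windows licence (same data slmgr /dli reads) ---
# ApplicationID is the fixed ID of the Windows OS licensing application; the
# PartialProductKey filter keeps only the product key actually installed.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
$licence = Get-CimInstance -ClassName SoftwareLicensingProduct `
    -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
    Select-Object -First 1 Name, Description, LicenseStatus, PartialProductKey, ProductKeyChannel

$statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
                  4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }

# Edition-vs-licence mismatch check: EditionID says Enterprise while the licence
# entry names Professional (or the OEM channel) is the condition the post describes.
$editionId      = $ntVersion.EditionID
$licenceSaysPro = ($licence.Name -match 'Professional') -or ($licence.Description -match 'OEM')
$mismatch       = ($editionId -match 'Enterprise') -and $licenceSaysPro

# --- 3. Secure Boot state (Confirm-SecureBootUEFI needs elevation; fails on legacy BIOS) ---
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = "n/a ($($_.Exception.Message))" }

# --- 4. PolicyManager licensing rejections for the SecureBoot area ---
# Level 2 = Error in this channel. The message text is what the post quotes
# ("Policy is rejected by licensing ... Area: (SecureBoot) ... 0x82b00006").
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$rejections = Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Level = 2 } `
    -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'rejected by licensing' -and $_.Message -match 'SecureBoot' } |
    Select-Object TimeCreated, Id, Message

# Values PolicyManager has recorded for the SecureBoot area, if any.
# Assumption: the area is stored under PolicyManager\current\device\SecureBoot.
$policyArea = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\SecureBoot'
$policyValues = Get-ItemProperty -Path $policyArea -ErrorAction SilentlyContinue |
    Select-Object * -ExcludeProperty PS*

# --- Report ---
[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    OSCaption             = $os.Caption
    OperatingSystemSKU    = $os.OperatingSystemSKU      # 4 = Enterprise, 48 = Professional
    EditionID             = $editionId
    CompositionEditionID  = $ntVersion.CompositionEditionID
    LicenceName           = $licence.Name
    LicenceDescription    = $licence.Description         # channel appears here, e.g. OEM_DM, VOLUME_KMSCLIENT
    LicenceStatus         = $statusNames[[int]$licence.LicenseStatus]
    PartialProductKey     = $licence.PartialProductKey
    EditionLicenceMismatch = $mismatch
    SecureBootEnabled     = $secureBoot
    SecureBootPolicyValues = if ($policyValues) { ($policyValues.PSObject.Properties |
                               ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } else { '<none>' }
    LicensingRejections   = $rejections.Count
} | Format-List

if ($rejections) {
    Write-Host "`nMost recent SecureBoot policy rejections:" -ForegroundColor Yellow
    $rejections | Select-Object -First 5 | Format-List TimeCreated, Message
}
```

Run it once before and once after each key change (slmgr /ipk plus a reboot) and diff the two reports: if EditionLicenceMismatch flips back to True after the restart while LicensingRejections keeps growing, the device is exhibiting exactly the reversion described in the post, and the report gives support a single artefact showing it.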
