if I build a new device how can I ensure the image I am using has the latest updates "without needing to set availableupdates 0x5944 key along with needing to run scheduled task "

Also Secure boot report in the Intune portal under Autopatch has discrepancy  with our own inventory PowerShell script. what can be the reason? There are many devices like this

Is there any risk to deploying the registry setting for AvaliableUpdates (or GPO/Intune) to all devices in your fleet?

How does this affect VMware virtual machines?  Per Broadcom's article - "There is no need to take any manual action at this time. The ESXi host UEFI is managed by the vendor's BIOS firmware. Systems will continue to boot even if the UEFI certificates expire. This is not a cause for concern at the moment."

Intune configuration still errors out with error 65000 and policymanager licensing issue. This happens on any of our machines that were upgraded to Windows Enterprise through our e5's. When will this be fixed?

For that controlled rollout MS is managing, how far along is that. I'm seeing about half my devices showing as Up To Date in the new Secure Boot Status report. Should I at this point be concerned the remaining half will not fall into a bucket?

Is the reporting workbook available in Intune for Windows Client Update policies?

1) What is level of confidence that devices that cannot update their certificate will remain functional. Has it been tested somehow?

2) Any concerns with Registry key for enabling secureboot certificate updates being set on devices that are not able to update it (out of support devices that will not get a firmware update).

3) How quick should we expect to see BIOS updates for this to be made available in WUfB? Seems like there are a lot missing in our fleet

4) Will a device that does not get the latest secureboot certificate, still receive monthly cumulative updates if it is on a supported OS?

5) Any other impact/risk to devices that are not able to update their SecureBoot certificate?

6) Are there other mitigations we can take in our environment to ensure devices that cannot get the certificate are less vulnerable?

We've been seeing devices that appear to be eligible for the automatic Secure Boot cert updates based on the documentation available via MS but don't seem to progress. Can you confirm the minimum “eligibility checklist” for the automatic Secure Boot certificate update (OS baseline, update level, UEFI + Secure Boot, diagnostic data level, etc.), and which items are hard blockers vs “recommended”? Once a device is eligible, what is the typical timeline (hours, days, weeks) to observe progress?

Will the Intune 65000 error being fixed, hampering Intune Policies to update the certificates soon?