Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
On the panel: Arden White; Scott Shell; Richard Powell; Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
327 Comments
- HRamos
Copper Contributor
How does a large enterprise confirm/validate that their machines in their fleet have the certs in place and activated? Specifically, if they are mixed with some SCCM and some Intune? It is a manufacturing company with the plants still on SCCM/WSUS vs Corporate/Windows Update for Business.
- gman1138
Copper Contributor
So is the general advice
If you have a common Dell, Lenovo, Surface device you 'should' be fine just to make sure the UEFI / BIOS is up to date, and then leave it for Microsoft to update the certificate on the client via CFR?
If you have some wacky bit of hardware, like custom built gaming pc, odd meeting room system, then you might need to manually add the reg key manually to tag it as a known good system?
- Pearl-Angeles
Community Manager
Thanks for your participation in this AMA! Panelists covered this topic at 49:37.
- Darbo1982
Occasional Reader
The newest ADMX/ADML template files contain settings to control the Secure Boot cert push/etc. Is this actually needed?
- Pearl-Angeles
Community Manager
Panelists covered this question at 52:18 during the live AMA.
- clreid1286
Occasional Reader
When updating Server 2025 running on a VMware environment we are seeing the registry indicating a successful update, but not getting an event of 1808 to indicate it was successful in the update. We are also not seeing any errors in the event viewer. Are we safe to assume a successful deployment or that we will get a successful deployment at some point? Is there something else we need to do to verify deployments are successful?
- DaveA24
Occasional Reader
How will I know when Microsoft have released certificates to all of my enterprise estate, and anything not updated will require some form of remediation? I feel a little lost not knowing if I'm in the current deployment ring or not
- Curtis_Sawin
Microsoft
When will Windows 365 gallery images contain the new secure boot certificates?
- Pearl-Angeles
Community Manager
Thanks for your participation! Panelists covered this topic at 53:39 during the live AMA.
- lord_eddard_stark
Copper Contributor
For manually installing the Secure Boot certificate update, is updating the BIOS the only way to do it? If I’m remembering correctly, the Microsoft-provided steps mainly prepare the device to receive the update from Microsoft, but don’t actually provide a way to manually install it. Can you confirm?
Deploy certificates with registry keys
Deploy certificates via WinCS
Deploy certificates using Group Policy
- Pearl-Angeles
Community Manager
Thanks for your question! Panelists covered this topic at 54:10 during the live AMA.
- fxatac
Occasional Reader
Will there be native Intune reporting capabilities for monitoring the Secure Boot update?
- jeddunn
Copper Contributor
If a device has the new certs installed and booting on the new certs, will the UEFI2023Status in the registry be set to Updated?
- gman1138
Copper Contributor
Just wanted to double check, you said if you're enrolled into any kind of management solution for updates i.e. WSUS, you won't get the CFR.
Does this include Windows Update for Business and Autopatch via Intune?