You might have already covered this, but is there a way to update the wks if the deadline to update the certificate on host is missed? 

If a device's firmware is not updated before the expiration date, will we still be able to update the BIOS to get the new certificate?

Will the registry ever auto update to 0x5944? It currently is not an automatic update.

Do i Understand this correctly.  Event ID 1801 means that my device has the new Certs, but only at the OS level.    So that technically means my device has and is using the new Certs?  

BUT if i want the EXTRA peace of mind and avoidance of accidentally losing those certs due to someone changing something in BIOS, i need to fully bake them into BIOS via a Firmware update.  And that would give me an 1808 ID?  

So both IDs mean i have, and am using, the new Certs.  But one is more robust than the other?

Is it mandatory to get the BIOS updated to latest version on HPs we maintain? Will the policy still act on those devices though it has n-1 or lower version than the latest?

https://support.hp.com/us-en/document/ish_13070353-13070429-16

Is there an option to update to the new the Secureboot certificate before imaging a device manually (in WinPE), if its not yet there? Or do we have to image the device and wait for LCU to do the update?

Why system event ID 1808 getting generated every time while rebooting the servers if the CA 2023 applied to firmware already ? is this excepted behavior ? 

If I only set Configure Microsoft Update Managed Opt In to Enabled, is that enough for my managed devices to install the cert updates when Microsoft deems it safe to do or do I also need to set Enable Secure Boot Certificate Updates to Enabled simultaneously? It seems like the Enable Secure Boot Certificate Updates setting will start the process immediately.

can you give instruction on the boot medium, that boot with 2011 keys and can upgrade the new boot manager in the case that windows does not start anymore, because the new keys in db are reset to 2011?

Follow up question: I thought I heard someone say that Server OS shouldn't be expected to receive updates via CFR. Did I hear that correctly? If yes, can you elaborate?