Are the cert updates available through SCCM for endpoints that don't have access to Windows Update?

We see the Secure Boot report in Intune for all of our devices even though they are not all enrolled in Autopatch. Is this expected and would this be accurate? 

Also, the report shows a certificate status as one value, but when you export the report to a CSV, all the values are different (all changed to 'Not applicable'. Has anyone else reported this?

customer reported question : experiencing difficulties to apply secureboot certificate updates 

From a Microsoft security perspective, what is the less worst risk exposition to secureboot exploit between all these below configurations

1.  A system with Secure Boot enabled :
  a.  Expired certificates in DB, and KEK (2011) and boot manager signed by 2011 certificate (nothing is uptodate)
  b.  2023 certificate are in DB, boot manager signed by 2023 certificate but only KEK 2011 certificate version (Update procedure fails to update kek)  (partial update)
2.            A system running UEFI but Secure Boot disabled
3.            A system running in Legacy BIOS (non-UEFI) mode

Is a system in scenario (1a and 1b) considered more exposed, less exposed, or equivalent in risk compared to scenarios (2) and (3)?

It seems that new certificate's expiration is on May 15th 2026 :

Issuer : CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US

NotAfter : 15/05/2026 21:23:59

Could you explain the process that will be ongoing after been updated to CA 2023 ?

So how do you install the CFR on your managed servers that connect to WSUS?

Can you please further document actions to undertake when a system doesn't boot after enabling secure boot from the BIOS, like precising all the mandatory settings to implement for it to work and possibly bringing the host back to a secure baseline which allows it to boot with the setting enabled, this aspect isn't documented properly and or I'm missing where to look at
KR

Should I enable the Secure Boot settings in Intune even if some devices are reporting error Error Code 65000, and is it safe to use both Intune Secure Boot policies and manual remediation together, or could doing both cause issues

For the third-party antivirus it will have any affect if the certificate doesn't update ?

I'm doing test in my lab, and i have successfully completed the update of the Secure boot via RegKey, but i have noticed that the boot loader is updated with the new certificate that will expire to May 2026, this will be update automatically during the normal patching process???  

If a computer has been properly updated, how often will Event ID 1808 appear in the event log?