Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, o...
Heather_Poulsen
Published Nov 25, 2025
lexcyn
Dec 02, 2025
Iron Contributor
Just a couple questions:
- Is the UEFI update required? If a current Windows install does not receive the UEFI update before the secure boot manager/partition is updated (via Windows Update), will that be enough?
- What happens if a hardware vendor decides they are not updating the UEFI/firmware? If Microsoft updates the active boot manager, will the system continue to boot?
- Further to this, let's say you have to re-install Windows - if you are using the latest ISO that contains the updated certificates, will the system allow secure boot to function in this instance?
- We have a hybrid environment with devices Intune/Entra joined but still on an on-prem domain. We have deployed the Intune CSP for the updates using the 'forced' update method and are seeing success. We are planning to start deploying firmware updates as well, but it may lag behind the Windows Update portion. Will this scenario work?