1. What's the easiest way to determine if a device is compliant with the two prerequisites below, to receive automatic Secure Boot certificate updates? Does Microsoft provide a "quick check", which can be run on a device?
"The system shares diagnostic data + is managed by Microsoft Cloud or Intune"
2. Looks like updating virtual machines by using the "AvailableUpdates" Registry Key (value 0x5944), currently results in an error state (see details in the Secure Boot playbook for certificates expiring in 2026 - Windows IT Pro Blog comments)
- The certs are up to date except for current "Microsoft Corporation KEK 2K CA 2023"
- Status of UEFICA2023Status Registry Key = "InProgress"
- UEFI2023Error Registry Key = "800703e6"
- Event log ID 1796 error "The secure boot update failed to update a secure boot variable with error invalid access to memory location"
Question 1: Is this a known error, which Microsoft / Broadcom are working on?
Question 2: The "Microsoft Option ROM UEFI CA 2023" DEFAULT certificate has not been updated by this process. Is Broadcom responsible for doing so, and will this happen by installing a new version of VMware Tools?
3. According to https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818 a device will continue to boot if it does not have the new Secure Boot certificates updated after the old certificates expire in June / October 2026, but "it will no longer be eligible to receive security fixes related to the Windows boot manager updates or Secure Boot".
What does this mean in detail, and how do you bring a device back to a compliant state?