A high-confidence device refers to one that Microsoft can reliably identify and update automatically through Windows Update without additional intervention. These devices typically meet criteria such as:

• Trusted diagnostic data signals confirming the device’s identity and compatibility.
• Secure Boot enabled and using supported UEFI firmware.
• Running a supported Windows version that can receive updates.
• No anomalies in the boot chain or firmware keys that could block the update process.

For devices that don’t meet these conditions (e.g., missing diagnostic data, unsupported OS, or OEM-specific issues), they may require manual validation and rollout steps. 

More information here: Secure Boot Certificate updates: Guidance for IT professionals and organizations - Microsoft Support