Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, outlining the tools and steps you can take today to proactively plan and prepare for this milestone. Join this AMA with your questions about update scenarios, inventorying your estate, and formulating the right deployment plan for your organization.
On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
114 Comments
- vgrzebyk (Copper Contributor)
Same question about: if I have devices in Autopatch & diagnostics being sent. Do I need to implement any other configuration policies or registry keys or is it all automatically completed? Or do we need this policy?
As
- Pearl-Angeles (Community Manager)
Thanks for your question! The panelists covered this topic at 39:39 during the live AMA.
- DroidKid (Copper Contributor)
I'm trying to apply the new Intune policies under "Secure Boot", but they don't apply to the devices; I get error "65000", which usually indicates the policy cannot be found.
Edit:
You said to look at Event logs, but can we rely on the UEFICA2023Status reg key instead? I'm working on a BI report, so that's why I'm asking.
- amh0507 (Occasional Reader)
If secure boot is not enabled, is there anything that needs to be done?
- SochiOgbuanya (Microsoft)
If Secure Boot is not enabled, Windows can continue to boot and install regular OS updates. However, the device won't receive future Secure Boot/boot-chain protections until the updated 2023 certificates are applied. Turning Secure Boot on later without those certificates may lead to boot issues once newer, 2023-signed boot components are in place. The safest path is to turn on Secure Boot and apply the 2023 certificates now.
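The BI-reporting question above asks whether the UEFICA2023Status registry value can stand in for the event logs, and the answer above spells out the states a device can be in (Secure Boot off, on without the 2023 certificates, on with them). The following read-only inventory script is an added example, not code from the AMA panel or from Microsoft, that collects those signals from the local device into one row suitable for export. The registry path `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` and the value names `AvailableUpdates` and `UEFICA2023Status` are assumptions taken from Microsoft's KB5025885 servicing guidance and should be verified against the current playbook; the bit meanings checked (0x80 revokes the 2011 CA, 0x200 is the SVN update) are the ones stated in this thread.

```powershell
# Added example, not code from the AMA panel or from Microsoft: a read-only inventory
# of the local device's Secure Boot certificate-update state, shaped for a BI export.
# Registry path and value names follow Microsoft's KB5025885 servicing guidance and are
# assumptions here; verify them against the current Secure Boot playbook.

function Get-SecureBootCertInventory {
    [CmdletBinding()]
    param()

    # Assumed location of the servicing state (AvailableUpdates, UEFICA2023Status).
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems; report that as $null.
    $secureBootEnabled = $null
    try { $secureBootEnabled = Confirm-SecureBootUEFI } catch { }

    # Certificates in db/dbx are DER-encoded, so their printable subject names survive
    # as ASCII inside the raw variable bytes; a substring match is a pragmatic check.
    $dbHas2023  = $null
    $dbHas2011  = $null
    $dbxHas2011 = $null
    if ($secureBootEnabled) {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
        $dbHas2023  = $db  -match 'Windows UEFI CA 2023'          # new CA trusted?
        $dbHas2011  = $db  -match 'Windows Production PCA 2011'   # old CA still trusted?
        $dbxHas2011 = $dbx -match 'Windows Production PCA 2011'   # old CA revoked?
    }

    # Servicing state written by the Windows update task (assumed names; see lead-in).
    $servicing = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
    $available = if ($servicing) { [int]($servicing.AvailableUpdates) } else { 0 }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SecureBootEnabled   = $secureBootEnabled
        DbHasWindowsCA2023  = $dbHas2023
        DbHasPCA2011        = $dbHas2011
        DbxRevokesPCA2011   = $dbxHas2011
        UEFICA2023Status    = $servicing.UEFICA2023Status
        AvailableUpdatesHex = ('0x{0:X}' -f $available)
        # Bit meanings as stated in the thread: 0x80 revokes the 2011 CA, 0x200 is the SVN update.
        RevokeBitSet        = (($available -band 0x80)  -ne 0)
        SvnBitSet           = (($available -band 0x200) -ne 0)
        Collected           = (Get-Date).ToString('o')
    }
}

# Usage (run elevated), appending one row per device to a CSV your BI tooling can ingest:
Get-SecureBootCertInventory | Export-Csv -Path .\secureboot-inventory.csv -NoTypeInformation -Append
```

A device with `SecureBootEnabled` false will show `$null` for the db/dbx columns, which matches the state described in the answer above: nothing to inspect until Secure Boot is turned on. Reading the firmware variables directly alongside the registry status gives the report a cross-check, since the registry reflects what the servicing task believes it did while db/dbx reflect what the firmware actually holds.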
- ClientAdmin (Copper Contributor)
- The GPO (ADMX) sets a value of 0x5944. How can we then revoke the 2011 certificates (0x80)?
- Are there any details about SVN (0x200)? What is the exact mechanism?
- Will Bitpixie and BlackLotus be mitigated with just 0x5944?
- Is SecureBootRecovery.efi application set after bootmgfw.efi if the new certificates 2023 aren't in the defaultDB?
- Can we use SecureBootRecovery.efi for warehoused devices as a PXE boot file?
- What happens on devices without Secure Boot enabled now? Will they get the Boot Manager signed with 2023 installed automatically? What happens if we enable Secure Boot at a later point, as AvailableUpdates only works with Secure Boot enabled?
- Kev_Chan (Copper Contributor)
For corporations that use a patch management software instead of Windows Update, is there any action required besides the BIOS update on the laptop?
From what I understand, this is all done via the Cumulative updates so the patch management software can do this without us having to enable Windows Update via Intune.
- StandardUser (Occasional Reader)
Is this entire process (Microsoft, OEM, and admin communication) the best -- most clear and efficient method -- of getting these certificates updated? I thank you for doing this AMA, but one would think the necessity of an AMA would imply that there's been some failures on communications to make this a smooth process for admins.
- John Gardner (Brass Contributor)
If we are having issues updating certs on our Endpoints, should we open a support case or are there other paths available for support?
- JoseRivera (Copper Contributor)
In regard to reporting, will there be any type of reporting to track org impact? Which machines are done, and which cannot be done or need additional work?
- AntonDobschensky (Brass Contributor)
This may already be in another comment, I just need to know what needs to be done if I have devices in Autopatch & diagnostics being sent. Do I need to implement any other configuration policies or registry keys or is it all automatically completed?
- Pearl-Angeles (Community Manager)
This question was answered at around 39:39 during the live AMA.
- antfr (Occasional Reader)
Hello,
Could we get specific and precise requirements on the expected Secure Boot variables' states for each of the 4 steps of the revocation (adding CA 2023, replacing Boot Manager, revoking PCA 2011, updating SVN)?
For each of these steps, is the scheduled task expecting any specific state such as:
- Secure Boot variable update date (datetime of when the variable was initialised, e.g. with: Set-SecureBootUEFI -Time ...)
- Secure Boot variable content: what is the minimum set of certificates/hashes required to start the 4-step update? Are there any more needed than MS KEK 2011 in KEK, MS Production PCA 2011 in DB and up-to-date hashes in DBX?
- Secure Boot variable content GUID: is there a hidden requirement for Microsoft certificates and DBX hashes to be under EFI signature lists with GUID 77fa9abd-0359-4d32-bd60-28f4e78f784b?
- SVN verification: When applying step 4, are there any other system changes than boot manager identifiers being added to the DBX? For example 01612B139DD5598843AB1C185C3CB2EB92000007000000000000000000000000 to ensure bootmgfw.efi with version 7.0.
I have seen strange behaviors of the DBX not being reachable anymore through GetFirmwareEnvironmentVariableA when MS certificates were not added with the previously mentioned GUID for example. I'd like to know if any requirements on the system are checked through the scheduled task but not documented online.
Thank you