Event details
We have rolled out a script to set the Secure Boot registry value AvailableUpdates = 0x5944 and trigger the Secure Boot update scheduled task across ~10,000 devices with Secure Boot already enabled.
The script executes successfully; however, a subset of devices prompts users for the BitLocker recovery key after reboot.
We are trying to proactively prevent this scenario for end users.
We reviewed documentation referencing Secure Boot Event ID 1032 as an indicator of possible recovery prompts, but this event is not present on affected devices prior to reboot.
Our questions:
Is there a reliable way to proactively determine whether a device will request a BitLocker recovery key during the next reboot after applying Secure Boot DB updates?
Are there supported methods to detect potential Secure Boot / firmware trust-chain update failures before reboot so they can be remediated automatically?
Have you seen today's admin center notice "Users might be prompted into BitLocker recovery screen on device restart" that mentions "Connected Standby" devices, supposedly fixed in this month's (April 2026) LCU? Small possibility it could be related...
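One way to turn the pre-reboot checks asked about above into a fleet-side readiness script, as an added example and not the poster's rollout script: it reads the AvailableUpdates value the rollout set, checks whether the Secure Boot DB already carries the Windows UEFI CA 2023 entry, pulls recent TPM-WMI servicing events, and inspects the OS volume's TPM protector PCR profile. The last point is the mechanism behind the symptom: a TPM protector sealed to PCR 7 measures Secure Boot policy including the DB, so a DB change at the next boot changes PCR 7 and BitLocker falls back to recovery unless protection was suspended. With -SuspendBitLocker the script suspends protection for exactly one reboot (Suspend-BitLocker -RebootCount 1), which avoids the prompt whether or not the firmware step itself succeeds. Assumptions (labelled in the code): it runs elevated on a Windows 10/11 device, manage-bde output is English, a non-zero AvailableUpdates means the task still has steps to apply, and event IDs 1801/1808 are the pending/applied IDs (only 1032 comes from the post).

```powershell
<#
  Added example, not the poster's rollout script. Pre-reboot readiness check
  for a Secure Boot DB update on a BitLocker-protected device. Run elevated.
  Items marked ASSUMPTION are not from the original post.
#>
[CmdletBinding()]
param(
    [switch]$SuspendBitLocker,   # suspend protection for one reboot if a recovery prompt is likely
    [int]$LookbackHours = 24     # window of the System log to scan for TPM-WMI events
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$osDrive = $env:SystemDrive      # e.g. "C:"

$result = [ordered]@{
    ComputerName       = $env:COMPUTERNAME
    SecureBootEnabled  = $null
    AvailableUpdates   = 'not set'
    DbHasWinUefiCa2023 = $null
    SecureBootEvents   = @()
    BitLockerStatus    = $null
    TpmProtector       = $false
    PcrProfile         = @()
    RecoveryRisk       = $false
    Reasons            = @()
}

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS / unsupported platforms.
try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
catch { $result.SecureBootEnabled = $false; $result.Reasons += "Confirm-SecureBootUEFI failed: $($_.Exception.Message)" }

# 2. Pending servicing work: the value the rollout script set (0x5944).
#    ASSUMPTION: a non-zero value means the scheduled task still has steps to apply,
#    so the DB (and therefore PCR 7) can still change at the next boot.
$av = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
if ($null -ne $av) { $result.AvailableUpdates = '0x{0:X}' -f $av }
$stillPending = ($null -ne $av) -and ($av -ne 0)
if ($stillPending) { $result.Reasons += "AvailableUpdates still $($result.AvailableUpdates): update not fully applied" }

# 3. Is the new CA already in the DB? If so, the DB step that changes PCR 7 has already happened.
try {
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.DbHasWinUefiCa2023 = [bool]($dbText -match 'Windows UEFI CA 2023')
} catch { $result.Reasons += "Get-SecureBootUEFI db failed: $($_.Exception.Message)" }

# 4. Servicing events from the TPM-WMI provider in the System log.
#    1032 is the ID the question refers to; 1801 (update pending) and 1808 (DB update applied)
#    are an ASSUMPTION here, adjust the list to the documentation you follow.
$ids = 1032, 1801, 1808
$result.SecureBootEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id = $ids; StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } })
if ($result.SecureBootEvents | Where-Object Id -eq 1032) { $result.Reasons += 'Event 1032 logged' }

# 5. BitLocker: a TPM protector whose PCR profile includes PCR 7 is sealed to Secure Boot policy.
$vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
if ($vol) {
    $result.BitLockerStatus = "$($vol.ProtectionStatus)"
    $result.TpmProtector    = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
    # ASSUMPTION: English manage-bde output, which prints "PCR Validation Profile:" followed by
    # the PCR list (e.g. "7, 11") on the same or the next line.
    $lines = @(& manage-bde.exe -protectors -get $osDrive 2>$null)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') {
            $candidate = $lines[$i] -replace '.*:\s*', ''
            if ($candidate -notmatch '^\s*\d') { $candidate = "$($lines[$i + 1])" }
            $result.PcrProfile = [int[]]@($candidate -split '[,\s]+' | Where-Object { $_ -match '^\d+$' })
            break
        }
    }
}

$boundToSecureBoot = $result.TpmProtector -and ($result.BitLockerStatus -eq 'On') -and ($result.PcrProfile -contains 7)
$dbMayChange       = $stillPending -or (-not $result.DbHasWinUefiCa2023)
$result.RecoveryRisk = $boundToSecureBoot -and $dbMayChange
if ($result.RecoveryRisk) { $result.Reasons += 'TPM protector bound to PCR 7 and DB content may change at next boot' }

if ($result.RecoveryRisk -and $SuspendBitLocker) {
    # Suspend for exactly one restart; protection re-arms automatically after that boot.
    Suspend-BitLocker -MountPoint $osDrive -RebootCount 1 | Out-Null
    $result.Reasons += 'BitLocker suspended for the next reboot'
}

[pscustomobject]$result
```

Run it from the same management channel that pushed the rollout script, collect the objects centrally, and gate the reboot on RecoveryRisk: devices where it is true either get -SuspendBitLocker before the restart or are held back. Note that the check is about whether the sealed PCR 7 value can change, not about whether the firmware will accept the DB write; a device whose firmware rejects the update still reboots without a prompt if protection was suspended, and the event log after reboot then tells you which devices need the firmware-side remediation.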