Hello :)
In Intune I've set
Configure High Confidence Opt Out = Disabled
Configure Microsoft Update Managed Opt In = Enabled
The only policy I haven't enabled is...
Enable SecureBoot Certificate Updates = Enabled (as this will actually force the certificates to deploy). As we don't have a way to easily target this (i.e. there is no Entra group property like "Secure Boot ready = yes" that we can make a group for and deploy to), it is either deploy to all, or manual groups, which will take ages in a huge environment.
As I understand it, with the top two policies the devices are being checked for confidence, and when it is high, Microsoft are switching the reg key to set the update to happen. Is this correct, or do I misunderstand?
I have the remediation check running which is checking compliance; however, most are "Confidence = Under Observation - More Data Needed" and the status is "Not Started". These are all devices like Dell Latitude 5550, 5430, 5450, etc., nothing obscure.
Is there something more I should be doing at this point? BIOS updates are being done and Secure Boot is on, so I'm not sure why it still isn't moving forward.
Thank you. :)
- mihi · Apr 23, 2026 · Brass Contributor
The first setting is enough to get certificate updates with the LCU if confidence is high.
The second setting, in combination with telemetry set to at least Basic (and telemetry not being blocked), will also push the updates via CFR slightly earlier than the LCU would.
The rest of your description is correct.
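As an added illustration (not code from either poster), here is an Intune remediation-style detection script that reports the local Secure Boot certificate-update state the question is tracking: the two policy values, the AvailableUpdates trigger, the UEFICA2023Status/UEFICA2023Error servicing results, and the telemetry level the reply says the CFR path depends on. The registry paths and value names are taken from Microsoft's Secure Boot CA update guidance as I recall it and should be treated as assumptions to verify; the cloud-side confidence rating shown in the report is not readable locally by this script.

```powershell
# Added example, not part of the original thread. Registry locations below are assumptions
# based on Microsoft's Secure Boot certificate update guidance; verify against current docs.
$sb        = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$servicing = Join-Path $sb 'Servicing'

function Get-RegValue {
    # Returns the value or $null when the key/value is absent (no exception surfaces to Intune).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Format-Dword {
    # Registry DWORDs (e.g. 0x5944) are easier to recognise in hex than decimal.
    param($Value)
    if ($null -eq $Value) { 'absent' } else { '0x{0:X}' -f [uint32]$Value }
}

# Precondition: UEFI Secure Boot must be on. Confirm-SecureBootUEFI throws on legacy BIOS.
$secureBootOn = $false
try { $secureBootOn = [bool](Confirm-SecureBootUEFI) } catch { $secureBootOn = $false }

# Policy values the question deploys (assumed to live under the SecureBoot key).
$optOut = Get-RegValue $sb 'HighConfidenceOptOut'        # expected 0 / absent for "Disabled"
$optIn  = Get-RegValue $sb 'MicrosoftUpdateManagedOptIn' # expected 0x5944 for "Enabled"
# AvailableUpdates is the trigger Windows sets once the device is selected for the update.
$avail  = Get-RegValue $sb 'AvailableUpdates'
# Outcome written by the Secure Boot servicing task.
$status = Get-RegValue $servicing 'UEFICA2023Status'     # NotStarted / InProgress / Updated
$err    = Get-RegValue $servicing 'UEFICA2023Error'

# Telemetry level (GPO path first, then the MDM-written path); CFR needs at least Basic (1).
$telemetry = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
if ($null -eq $telemetry) {
    $telemetry = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' 'AllowTelemetry'
}

# One line of output so it shows up in the Intune pre-remediation detection column.
$fields = @(
    "SecureBootEnabled=$secureBootOn",
    "HighConfidenceOptOut=$(Format-Dword $optOut)",
    "ManagedOptIn=$(Format-Dword $optIn)",
    "AvailableUpdates=$(Format-Dword $avail)",
    "UEFICA2023Status=$(if ($status) { $status } else { 'absent' })",
    "UEFICA2023Error=$(Format-Dword $err)",
    "AllowTelemetry=$(if ($null -eq $telemetry) { 'not set' } else { $telemetry })"
)
Write-Output ($fields -join '; ')

# Intune detection semantics: exit 0 = compliant (certs updated), exit 1 = needs attention.
if ($secureBootOn -and $status -eq 'Updated' -and -not $err) { exit 0 }
exit 1
```

Run it as the detection script of an Intune remediation (it executes as SYSTEM, which the Secure Boot cmdlets require) and read the joined field line per device to see whether the device is still waiting for the trigger or has failed with an error code.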