Event details
We are considering a script that sets HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 0x5944 and starts the \Microsoft\Windows\PI\Secure-Boot-Update task.
Can you confirm exactly what this does, and what the risks are of doing this manually or at scale?
On incompatible firmware it may result in system freezes, Secure Boot errors on next boot, or devices requiring Bitlocker recovery at next reboot.
On most devices it will just work fine.
So make sure you have some resources available for handling the broken devices (e.g. walk to them to reboot them or enter bitlocker keys). You might also disable/suspend BitLocker during the update although this is not officially suggested by Microsoft.