We use Intune + WUfB only and haven’t enabled any Secure Boot policies. ~40% of devices have already updated or are in progress, ~60% aren’t ready yet.

My understanding is:

• We can do nothing and let Windows Update handle this, which is probably the lowest risk option, but gives us the least certainty that everything will be done well before the 2026 deadline.
• Or we can enable Intune Secure Boot policies to try and push things along, but there’s no guarantee it actually speeds things up, and it could introduce risk on devices that aren’t fully ready (firmware/BIOS, etc).

Is that understanding correct?