Event details
Whether you're actively managing device security or planning your next steps, this AMA is your opportunity to connect directly with Microsoft experts and get clear, actionable guidance on updating Secure Boot certificates and monitoring status of update efforts.
Bring your questions on rollout plans, challenges, reporting, and best practices. We’ll cover real-world scenarios, common challenges, and the steps you can take to confidently navigate the process.
If Secure Boot certificate updates are on your project list—or you just want to make sure you’ve updated certificates successfully across your estate—this live, interactive event will help you move forward with clarity and confidence.
72 Comments
- JEverhart (Copper Contributor)
Less a question, more a comment: for future rollouts of this type, it would be really nice if the "high-confidence" value wasn't waiting until the month of the certificate expiration before being applied. While you have consistently stated "don't worry, we're handling it", it is worrisome to be less than 30 days out from the expiration and not have most of our devices (running new firmware versions, with the certs in place from those updates) running with the new certificate yet.
Additionally, the reporting from Intune only recently started working, and the rollout of the settings catalog/config profile was plagued with 6500 errors.
- KevHal (Iron Contributor)
Azure Virtual Desktop session hosts do not get the KEK update; they just error with Firmware_Unknown. It states it cannot update Azure VMs. Is this true? What's the alternative?
- terrylee26 (Occasional Reader)
Thank you for the session. Most of my questions have been answered.
We have Intune-managed endpoints, Azure Virtual Desktops and Azure Virtual Machines to manage with a combination of Intune and GPO. A mixture of these machines have Secure Boot turned off. Will those machines become inherently vulnerable, and not be updated if they were to have Secure Boot turned on at a later stage?
- ChaseVandalia (Copper Contributor)
What determines if a device falls into the High Confidence bucket? We have lots of older model devices that are high confidence but most of our newer models have not.
- Geoffrey Koontz (Copper Contributor)
When should I tick this box on my SCCM boot image?
- tom76dc1 (Copper Contributor)
We have a small number of remote devices with no local IT support where Secure Boot is currently disabled. Will the KEK and DB updates still be applied to the bios on these devices while Secure Boot is inactive, or does the update process strictly require Secure Boot to be enabled to write the new certificates?
- ChaseVandalia (Copper Contributor)
What determines if a device falls into the High Confidence bucket?
- kamlie (Copper Contributor)
On OEM devices that are not getting firmware updates, how do we update the cert manually, and what is a suggested way to roll it out in an enterprise environment if they are not in the high confidence bucket after the June update? Setting the registry key to 0x5944 moves it to In Progress, but the device is in the Temporarily Paused bucket.
- lalanc01 (Iron Contributor)
Since we're in June and most devices' confidence level is still not High Confidence, should we do the cert update ourselves via the registry key so that we're done on time?
- yyagi (Copper Contributor)
So one of our servers is "up to date" with the Secure Boot certificate, but we did nothing to it to update. How do we know which servers Microsoft is updating? Other VMs on the same host are not able to update because of what looks like some firmware update, which is weird because the one that is up to date is on the same VM host.
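For readers who want to verify certificate state on a device themselves (the questions above about the 0x5944 registry value and about a server that reports "up to date" with no action taken), here is an added check script; it is not from the AMA or from Microsoft, and it assumes the registry value names AvailableUpdates, UEFICA2023Status and UEFICA2023Error under the SecureBoot key and its Servicing subkey, and the subject strings of the 2023 CAs.

```powershell
# Added example (not from the AMA or Microsoft). Reports whether the 2023 Secure Boot
# certificates are present in the firmware db/KEK variables and what the servicing
# registry values say. Assumed names: AvailableUpdates, UEFICA2023Status,
# UEFICA2023Error and the 2023 CA subject strings. Run from an elevated prompt.
function Get-SecureBoot2023Status {
    $result = [ordered]@{}
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false }   # non-UEFI or not readable

    # Subject strings expected in each variable once the 2023 CAs are installed.
    $expected = @{
        db  = @('Microsoft UEFI CA 2023', 'Windows UEFI CA 2023',
                'Microsoft Option ROM UEFI CA 2023')
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
    }
    foreach ($var in $expected.Keys) {
        try {
            # Certificate subjects are ASCII inside the DER blob, so a plain text search works.
            $bytes = (Get-SecureBootUEFI -Name $var).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            foreach ($name in $expected[$var]) {
                $result["${var}: ${name}"] = $text.Contains($name)
            }
        } catch {
            foreach ($name in $expected[$var]) { $result["${var}: ${name}"] = 'unreadable' }
        }
    }

    # Servicing state: AvailableUpdates is the opt-in bitmask (0x5944 per the thread),
    # UEFICA2023Status/Error record what the scheduled task has done so far.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $au = (Get-ItemProperty -Path $base -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $result.AvailableUpdates = if ($null -eq $au) { 'not set' } else { '0x{0:X}' -f [int]$au }
    $svc = Get-ItemProperty -Path "$base\Servicing" -ErrorAction SilentlyContinue
    $result.UEFICA2023Status = if ($svc) { $svc.UEFICA2023Status } else { 'not set' }
    $result.UEFICA2023Error  = if ($svc) { $svc.UEFICA2023Error  } else { 'not set' }

    [pscustomobject]$result
}

Get-SecureBoot2023Status | Format-List
```

A device can show the 2023 CAs in db while KEK still lacks the 2023 KEK CA, which is the combination to watch for on VMs whose host firmware has not been updated.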