As indicated by our OEM, we're updating firmware on all devices that have an older version not including 2023 certs, before to assign the Intune Secure Boot CSP. 
But the firmware update process is complex, long and it can't be done by June 2026. 
from different sources, it's suggested to DO NOT proceed adding to CSP configuration devices with older firmware, without 2023 Certs. Is this true? 
Also, the majority of devices, even with updated firmware, are still in the "Under observation" confidence level bucket. We haven't seen it changing with latest CUs. Since this is May CU, we can expect that confidence levels will continue to be updated during the rest of the year, even after June ? 
In general, what are the guideline before June ? Use the Intune CSP only on devices with updated firmware - or add as much devices as possible and trust the Confidence Level check?