For devices that specifically require a firmware update, should we expect Windows Update to provide that firmware, or should we proactively start pushing firmware to those devices?  

We have a fleet of HP EliteBook 600 series, G9/G10/G11, and initial testing has all of them throwing Event ID 1802 in the System event log - 'The Secure Boot update Option ROM CA 2023 (DB) was blocked due to a known firmware issue on the device. Check with your device vendor for a firmware update that addresses the issue.'

Updating the firmware on the devices in question allows the certificate update to complete, and we eventually get Event ID 1808 in the System event log.

tl;dr -Who is handling firmware updates?  Microsoft or individual customers?  If it's Microsoft, will these updates install as part of a monthly LCU?  Our organization currently blocks driver updates via Windows Update.