Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Feb 12, 2026
Thomas Møller
Feb 05, 2026 Copper Contributor
If you choose to push the certificate update through GPO / Intune, with the policy Enable Secure Boot certificate deployment / Enable SecureBoot Certificate Updates, how far does the process go?
As I understand it, there are 4 steps:
1. DB is updated with certificates
2. Boot manager is updated to use the new certificate
3. Old 2011 certificate is untrusted in DBX
4. SVN is updated
My concern is step 3, because that causes the machine to no longer trust one's current PXE boot image, and it's not ideal for that to happen at some random time.
Does the GPO / Intune setting go through all 4 steps in a matter of x reboots, or are the last steps something that happens in a Windows update?