Event details
For devices that don't use autopatch (on networks not connected to Internet) will the CU have the information bundled in it to automatically kick off the high confidence deployment?
From January CU release notes:
Windows quality updates include a subset of high confidence device targeting data that identifies devices eligible to automatically receive new Secure Boot certificates
This seems to indicate applying the CU on its own is enough for this subset of devices, Windows Update/Autopatch connectivity not needed?
MicrosoftInstalling the January cumulative update does include the high confidence targeting data for some client devices, and the number of high confidence devices will increase over the coming months. This allows Windows to identify many devices that are eligible to automatically receive the new Secure Boot certificates without requiring Windows Update or Autopatch connectivity.
However, this applies only to the subset of devices covered by the high confidence data included in the update. It is still important to monitor deployment results in your environment. Event 1801 can help indicate when a device needs attention.
Devices that fall outside the identified high confidence subset require customer‑managed deployment, and this is especially true for servers and IoT systems. These device types are not expected to receive automatic updates and must be updated manually using the guidance in Secure Boot Certificate updates: Guidance for IT professionals and organizations.