Event details
I would like clarification on the process on machines that have no internet access. We have 8 domains that have nothing but Windows 10 and 11 LTSC.
- Arden_White (Microsoft), Feb 10, 2026
There are several approaches that can work for offline environments. If the devices are typical client machines such as desktops or laptops, they will usually receive the Secure Boot certificates automatically through the monthly cumulative updates if they are identified as high confidence devices. Another option is to manage the deployment directly by instructing the devices to install the certificates through Intune, Group Policy, or registry-based configuration.
It is important to monitor each device in your fleet to understand its current status. Several registry keys and event log entries report the state of the Secure Boot update process. These documents are being updated this week, so check the Change log on each page for the latest information.
Building a dashboard that tracks these signals will help you understand how the deployment is progressing. In particular, watch the BucketConfidenceLevel in Event 1801, since it indicates whether the device qualifies as a high confidence system for automatic updates.
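One way to gather the Event 1801 signal mentioned in the reply above for a dashboard, as an added example that is not from the thread or from Microsoft. It assumes the event is in the System log under the provider `Microsoft-Windows-TPM-WMI` and that its message contains a `BucketConfidenceLevel: <value>` field; the function names and all sample rows are constructed for illustration.

```powershell
# Added example. Assumptions: log name, provider name and the message field
# layout are not stated in the thread; adjust them to what your devices log.
function Get-BucketConfidenceLevel {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Message)
    # The value runs to the end of the line or to the next ';' separator.
    if ($Message -match '(?im)BucketConfidenceLevel\s*[:=]\s*([^;\r\n]+)') {
        return $Matches[1].Trim()
    }
    return 'Unknown'   # field absent: report it rather than hide the device
}

function Get-SecureBootBucketStatus {
    param([string]$ProviderName = 'Microsoft-Windows-TPM-WMI')   # assumed provider
    # Newest Event 1801 on the local machine; no network access is needed.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = $ProviderName; Id = 1801
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Domain     = $env:USERDOMAIN
        LastSeen   = if ($evt) { $evt.TimeCreated } else { $null }
        Confidence = if ($evt) { Get-BucketConfidenceLevel $evt.Message } else { 'NoEvent1801' }
    }
}

function Get-ConfidenceSummary {
    param([Parameter(Mandatory)][object[]]$Rows)
    # Count devices per domain and confidence level for the dashboard.
    $Rows | ForEach-Object {
        [pscustomobject]@{
            Domain     = $_.Domain
            Confidence = Get-BucketConfidenceLevel $_.Message
        }
    } | Group-Object Domain, Confidence |
        Sort-Object Name |
        Select-Object Name, Count
}

# Constructed sample rows standing in for messages collected from each domain.
$sample = @(
    [pscustomobject]@{ Domain = 'DOM-A'; Message = 'BucketId: x; BucketConfidenceLevel: High Confidence; UpdateType: y' }
    [pscustomobject]@{ Domain = 'DOM-A'; Message = 'BucketId: x; BucketConfidenceLevel: High Confidence; UpdateType: y' }
    [pscustomobject]@{ Domain = 'DOM-B'; Message = 'BucketId: z; BucketConfidenceLevel: Under Observation; UpdateType: y' }
    [pscustomobject]@{ Domain = 'DOM-B'; Message = 'Message text without the field' }
)
Get-ConfidenceSummary -Rows $sample | Format-Table -AutoSize
```

Devices that land in `Unknown` or `NoEvent1801` are the ones to check by hand, since they cannot be assumed to qualify for the automatic update path.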