Hi Matt,
AvailableUpdates is the mechanism that actually causes Secure Boot certificate updates to be applied. The key always exists, and when it remains at its default value of 0, Windows is not being instructed to apply updates. There is no need to explicitly configure it to 0 in this scenario.
However, some delivery paths can set AvailableUpdates on your behalf.
High Confidence updates are one of those paths. When a device is identified as eligible for a High Confidence update delivered via the LCU, Windows can automatically set AvailableUpdates unless you explicitly opt out.
Setting HighConfidenceOptOut=1 prevents the High Confidence feature from setting AvailableUpdates automatically. Without this opt-out, High Confidence processing can still trigger certificate deployment even though you have not intentionally enabled deployment.
For managed deployments:
- Enabling the Enable Secure Boot Certificate Deployment GPO sets AvailableUpdatesPolicy, which in turn sets AvailableUpdates.
- Microsoft Intune behaves the same way by setting AvailableUpdatesPolicy, which then drives AvailableUpdates.
So, if your goal is to fully prevent any automatic Secure Boot certificate deployment and manage rollout entirely yourself, you should:
- Leave AvailableUpdates at its default value
- Set HighConfidenceOptOut=1
This ensures that High Confidence processing does not implicitly trigger certificate deployment.
Hope this helps clarify what you are seeing.
Arden
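One way to audit a device for the state described above (AvailableUpdates left at its default, HighConfidenceOptOut=1, no AvailableUpdatesPolicy written by GPO or Intune), as an added PowerShell example that is not code from this thread. The registry paths in $ServicingKey and $PolicyKey are assumptions, and the decision logic is kept in a function that takes the three values as parameters so it can be reviewed independently of the registry read.

```powershell
# Added audit example for the "manage rollout yourself" state; not code from the thread.
# Assumptions: AvailableUpdates and HighConfidenceOptOut are REG_DWORD values under
# $ServicingKey, and AvailableUpdatesPolicy lives under $PolicyKey. Both paths are assumed.
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SecureBoot\Servicing'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent rather than throwing.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch { return $null }
}

function Test-SecureBootManualRollout {
    # Pure check: the three values are passed in, so the logic can be exercised without the registry.
    param(
        [Nullable[int]]$AvailableUpdates,
        [Nullable[int]]$AvailableUpdatesPolicy,
        [Nullable[int]]$HighConfidenceOptOut
    )
    $findings = @()
    # Any non-zero AvailableUpdates means Windows has been instructed to apply certificate updates.
    if ($null -ne $AvailableUpdates -and $AvailableUpdates -ne 0) {
        $findings += ('AvailableUpdates = 0x{0:X}: certificate deployment is enabled' -f $AvailableUpdates)
    }
    # GPO and Intune both write AvailableUpdatesPolicy, which in turn drives AvailableUpdates.
    if ($null -ne $AvailableUpdatesPolicy) {
        $findings += ('AvailableUpdatesPolicy = 0x{0:X}: policy will set AvailableUpdates' -f $AvailableUpdatesPolicy)
    }
    # Without the opt-out (missing or not 1), High Confidence processing can set AvailableUpdates itself.
    if ($HighConfidenceOptOut -ne 1) {
        $findings += 'HighConfidenceOptOut is not 1: High Confidence updates may enable deployment automatically'
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

$state = @{
    AvailableUpdates       = Get-RegDword $ServicingKey 'AvailableUpdates'
    AvailableUpdatesPolicy = Get-RegDword $PolicyKey    'AvailableUpdatesPolicy'
    HighConfidenceOptOut   = Get-RegDword $ServicingKey 'HighConfidenceOptOut'
}
$result = Test-SecureBootManualRollout @state
if ($result.Compliant) {
    Write-Output 'OK: rollout stays manual (AvailableUpdates at default, HighConfidenceOptOut=1, no policy value)'
} else {
    $result.Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it elevated so the HKLM keys are readable; a FINDING line names the specific value that would let deployment start without your intervention.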
Great, thank you Arden_White for the detailed explanation!