Event details
My company has around 2000 servers on VMware that we need to make sure get updated. We don't want to rely on Microsoft to eventually roll out these updates. I know the February AMA discussed that there might be some tools coming out in March that might help with automating some of this.
I just spent about 2 hours or so with our server team just going through this process to update these machines manually. I mean this is asking a lot to have us touch each server, coordinate with folks on their production servers so that we can shut them off, update the NVRAM file, then reboot them about 2 additional times before we get the 1808 event ID that tells us all is well and good.
I also have a script that supposedly audits our servers and tells us if the certs are active. I just looked at a few machines where it says the certs are active and it gives it a "pass" on the report, but when I go to the registry under Secure Boot, the status is set to "not started"; there are also no event IDs present for TPM/WMI. I mean, maybe things updated a while ago, but shouldn't I see "updated" in the registry and not "not started"? Can someone verify what we should see in the registry with regard to this, just for verification purposes?
There is so much confusion over what we need to do. We've spent probably too much time looking at Microsoft documentation on this trying to figure out what to do. My boss doesn't want to wait things out and risk critical servers having issues with booting at some point. Also, going through 2000 servers with a team of about 5 of us is a lot to ask just to make sure certificates are installed and active. There has to be an easier way to do this.
The status registry will show "updated" only when all required certs + bootmgr are updated. If it is showing "not started", that means that device is not fully updated (either some certs or bootmgr is old) and there is no in-progress update.
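Following the reply above, here is an added PowerShell audit (not code from the thread or from Microsoft) that treats only a servicing status of "Updated" as a pass and reports the latest TPM-WMI 1808 event as corroboration, which is the check the poster's existing script appears to be missing. It assumes the status lives at HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing under the value name UEFICA2023Status, that the event provider is Microsoft-Windows-TPM-WMI, and uses constructed server names; confirm those details against your own build before relying on the output.

```powershell
# Added example: fleet-wide Secure Boot certificate update audit.
# Assumptions (not stated in the thread): registry path and value name below,
# the TPM-WMI provider name, and the sample server names. Verify on your build.
param(
    [string[]]$ComputerName = @('srv-app-01', 'srv-db-02')   # constructed sample names
)

$check = {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $key -Name 'UEFICA2023Status' `
        -ErrorAction SilentlyContinue).UEFICA2023Status
    if (-not $status) { $status = 'Missing' }   # value absent: treat as not done

    # Confirm-SecureBootUEFI throws on BIOS/legacy VMs; report that as $false.
    try { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }

    # Latest "Secure Boot certificates updated" event (ID 1808), if any.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1808
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        SecureBootOn = $sbOn
        Status       = $status
        Last1808     = if ($evt) { $evt.TimeCreated } else { $null }
        # Per the reply: only "Updated" means certs and bootmgr are all current.
        # "NotStarted" with no 1808 event means the manual procedure is still needed.
        Pass         = ($status -eq 'Updated')
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ErrorAction Continue
$results | Sort-Object Pass, Computer |
    Format-Table Computer, SecureBootOn, Status, Last1808, Pass -AutoSize

# Hand the server team a worklist of machines that still need the NVRAM update and reboots.
$results | Where-Object { -not $_.Pass } | Select-Object -ExpandProperty Computer |
    Set-Content -Path '.\secureboot-needs-update.txt'
```

Run it from a host with WinRM access to the servers; a machine whose report says Status "NotStarted" but whose certificates look present is exactly the "pass" false positive described in the question.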