This is opt in policy that enterprises need to enable to be opted into Microsoft Managed Controlled Feature Rollout of certificate updates.   Note that, this requires enabling Diagnostics data to enable Microsoft to have visibility to the device bucket to enable the Microsoft managed rollout.

Refer to following links

Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support for details on the policy

Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support for Intune based policies

Configure Windows diagnostic data in your organization - Windows Privacy | Microsoft Learn  for how to configure diagnostic data

Hi jbennett,

MicrosoftUpdateManagedOptIn is not enabled by default. You must enable it and ensure that the devices are sending Diagnostic data. This works for client versions of Windows. If you are managing server or IoT devices, you should be sure to focus on getting those updated.

Arden