What exactly makes clients have a high ConfidenceLevel, so that they receive the Secure Boot certificate update with the monthly Windows updates?
If a client doesn't receive the new certificates with Windows updates by June, shall we attempt to force the installation with the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates?
What is Microsoft's official recommendation regarding firmware updates: shall we update the client's firmware prior to installing the new Secure Boot certificates, or is it irrelevant?
Thank you for your question. Microsoft is doing a Controlled Feature Rollout on consumer devices grouped by device attributes into a unique device bucket (called BucketID). BucketId represents a group of devices that behave similarly when certificate updates are applied. If Microsoft observes enough evidence of success within a bucket, the respective device group is marked as High Confidence in the public Confidence Database (BucketConfidenceData.cab). If a device is identified as High Confidence, the certificates will be automatically installed as part of the monthly security updates Microsoft releases every Patch Tuesday.
For devices that are not visible to Microsoft, enterprises need to take action. Microsoft recommends testing on a few similar machines that represent your environment before applying the policy broadly. Devices that have known issues have been blocked, and you will see error 1802 under the TPM-WMI source in the System event log, indicating the update could not be installed due to a known issue. For most issues, OEMs may already have firmware updates available. If the OEM has a new firmware update available, it is recommended to install the latest available firmware updates to unblock the certificate updates.
Refer to Understanding Secure Boot Events 1802 and 1803 - Microsoft Support for details about known issues preventing the certificate updates.
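The answer above tells an administrator to look for event 1802 from the TPM-WMI source, to check firmware before forcing anything, and (in the question) points at the AvailableUpdates registry location. The following PowerShell function is an added example, not part of the original question or answer and not Microsoft's own tooling: it gathers those same signals read-only so a client can be triaged before any policy is pushed. It assumes an elevated session on a UEFI Windows client, that the event log provider behind the "TPM-WMI" source is named Microsoft-Windows-TPM-WMI, and that AvailableUpdates is a value under the SecureBoot key; the function name, the 90-day window and the verdict strings are my own. It deliberately does not write AvailableUpdates, because the page does not state the values to set.

```powershell
# Added example (not from the original Q&A): read-only Secure Boot certificate-update triage.
# Assumes: elevated PowerShell on a UEFI Windows client; event IDs 1802/1803, the TPM-WMI
# source and the AvailableUpdates registry location come from the Q&A above.
function Get-SecureBootCertUpdateStatus {
    [CmdletBinding()]
    param(
        # How far back to look for TPM-WMI events (constructed default, adjust as needed).
        [int]$Days = 90
    )

    $result = [ordered]@{}

    # 1. Is Secure Boot enabled at all? Confirm-SecureBootUEFI throws on non-UEFI systems.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = $null   # legacy BIOS or cmdlet unavailable
    }

    # 2. Read (never write) the AvailableUpdates value under the SecureBoot key that the
    #    question mentions. The values to set are documented by Microsoft, not assumed here.
    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $avail = Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue
    $result.AvailableUpdates = if ($avail) { '0x{0:X}' -f $avail.AvailableUpdates } else { '(not set)' }

    # 3. Events 1802 (blocked by a known issue per the answer) and 1803 (the other event the
    #    linked support article covers) from the TPM-WMI source in the System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'   # assumed provider name behind source "TPM-WMI"
        Id           = 1802, 1803
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending)

    $result.Event1802Count = @($events | Where-Object Id -eq 1802).Count
    $result.Event1803Count = @($events | Where-Object Id -eq 1803).Count
    $result.LatestEvent    = if ($events.Count -gt 0) {
        '{0} {1}: {2}' -f $events[0].TimeCreated, $events[0].Id, ($events[0].Message -split "`n")[0]
    } else { '(none in window)' }

    # 4. Firmware identity, so a blocked device can be matched against OEM firmware releases
    #    before anyone considers forcing the certificate update.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result.FirmwareVendor  = $bios.Manufacturer
    $result.FirmwareVersion = $bios.SMBIOSBIOSVersion
    $result.FirmwareDate    = $bios.ReleaseDate

    # Triage verdict for the operator (my own wording, not a Microsoft-defined state).
    $result.Verdict = if ($result.Event1802Count -gt 0) {
        'BLOCKED: event 1802 present - check for OEM firmware updates before forcing the update'
    } elseif ($result.SecureBootEnabled -eq $false) {
        'Secure Boot disabled - certificate update not applicable'
    } else {
        'No known-issue block recorded in window'
    }

    [pscustomobject]$result
}

# Usage: run elevated on the client; pipe to Export-Csv to collect results across a test group.
Get-SecureBootCertUpdateStatus -Days 90 | Format-List
```

The function returns an object rather than printing, so the same call can be run through a remoting session across the handful of representative test machines the answer recommends, and the verdicts compared before a broader rollout is decided.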