Dear Priya Jayaraman,
To have Windows automatically deploy updated Secure Boot certificates, only Enable Secureboot Certificate Updates must be enabled. This is the core setting that triggers the certificate deployment task on each device. The other two options are not mandatory: Configure High Confidence Opt-Out is used only if you want to block automatic deployment through monthly cumulative updates, and Configure Microsoft Update Managed Opt In is for organizations that wish to participate in Microsoft’s controlled rollout program, which requires diagnostic data sharing. If your goal is simply to ensure certificates are updated automatically across IT‑managed devices, enabling option 1 alone is sufficient.
Option 2 should remain disabled unless you explicitly want to prevent automatic deployment on devices Microsoft has validated. Option 3 is optional and only relevant if you want Microsoft to manage the rollout centrally; otherwise, you can rely on your own Intune deployment. In practice, most enterprises enable option 1 and leave 2 and 3 at their defaults, unless they have a specific compliance requirement to control rollout behavior.
If my answer is useful for you, please click "Accept the answer" to support me.
Thank you,
QQ,
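A read-only check that goes with the advice above, added here as an example and not part of the original answer: after "Enable Secureboot Certificate Updates" has been pushed, an administrator wants to confirm on a device that the scheduled task actually placed the 2023 certificates into the UEFI db. The script uses the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets; the registry value names `UEFICA2023Status` and `AvailableUpdates` are assumed from Microsoft's Secure Boot certificate-update guidance and should be confirmed against current documentation before being used in compliance reporting.

```powershell
# Added example (not from the original answer): read-only check of a device's
# Secure Boot certificate state, to confirm that the automatic update triggered by
# the "Enable Secureboot Certificate Updates" policy has applied.
# Assumptions: the registry value names UEFICA2023Status and AvailableUpdates are
# taken from Microsoft's Secure Boot certificate update guidance; confirm them
# against current documentation. Run in an elevated PowerShell session.

function Get-SecureBootCertState {
    $result = [ordered]@{
        SecureBootEnabled  = $false
        DbHas2023WindowsCA = $false
        DbHas2023UefiCA    = $false
        UEFICA2023Status   = $null
        AvailableUpdates   = $null
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS / CSM systems; treat that as "off".
    try { $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) } catch { }

    if ($result.SecureBootEnabled) {
        # The db variable is a raw EFI_SIGNATURE_LIST blob; the CA subject names are
        # embedded as ASCII, so a plain string search is enough for a presence check.
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $result.DbHas2023WindowsCA = [bool]($db -match 'Windows UEFI CA 2023')
        $result.DbHas2023UefiCA    = [bool]($db -match 'Microsoft UEFI CA 2023')
    }

    # Assumed registry locations (see note above); missing values simply stay $null.
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $sbRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $result.UEFICA2023Status = (Get-ItemProperty -Path $servicing -ErrorAction SilentlyContinue).UEFICA2023Status
    $result.AvailableUpdates = (Get-ItemProperty -Path $sbRoot    -ErrorAction SilentlyContinue).AvailableUpdates

    [pscustomobject]$result
}

$state = Get-SecureBootCertState
$state | Format-List

if (-not $state.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off; the certificate update task has nothing to update.'
} elseif (-not $state.DbHas2023WindowsCA) {
    Write-Warning 'Windows UEFI CA 2023 is not in db yet; the policy may not have applied or the task has not run.'
} else {
    Write-Output '2023 Windows CA present in db; device is on the updated certificate chain.'
}
```

Run it on a pilot device after the policy has had time to apply; a device that reports Secure Boot enabled but no 2023 CA in db is the one to investigate (policy not received, task not yet run, or firmware rejecting the update), which is a more useful signal than the Intune compliance state alone.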