Automating UEFI Firmware Updates by GCHQ (UK version of NSA)

I think I need to start following the GCHQ blog.

https://www.ncsc.gov.uk/blog-post/automating-uefi-firmware-updates

We were surprised that many of the devices were running out-of-date firmware

Wow.. the GCHQ were surprised by this?!

Unfortunately, Dell, HP and Lenovo don’t currently update UEFI firmware through Windows Update. Instead, they all offer their own enterprise management tools for UEFI firmware. HP and Dell also publish catalogues of UEFI firmware updates for their platforms.

I think they’re referring to older hardware here. The current (6th) generation Lenovo X1 Carbon receives UEFI updates via Windows Update. I was surprised to find it running what appears to be a DOS (CLI) utility to do it, but the update itself was delivered (and therefore cryptographically signed by Lenovo and Microsoft!) via Windows Update. I believe this is also the case with the current generation Dell XPS.

So, as a result of this work, we are updating our Windows 10 EUD guidance to explain how you can automate your own UEFI firmware updates. Look out for the guidance later this month and let us know if you find our approach useful.
