Yeah I am pretty certain you are tbh, I think you mixing up uefi certificate updates with root kits that are part of the factory image or other installed bloatware from the manufacturer.

Now if you were talking about vpro or other low level management I could believe it, but thats intel and avoidable…