Yes, it's by default enabled so long as platform can support SB so you do not need to touch it. If certificates need enrolling they are enrolled regardless of the BIOS setting so when you enable SB everything just works. Your proposal to look at the current BIOS state is a proposal to break this.