tylermontney_acc
Oct 24, 2024

Applying the fix for KB5025885 (CVE-2023-24932)

In reference to this article: https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

In late August, I created a series of scripts that perform the steps described in the article. This worked fine for 30 to 40 PCs over the next few weeks. I stopped as I had other tasks to attend to. Today, I decided to resume. A Surface Go 2 and a Lenovo E590 both fail to apply it.

  • Both machines have the latest 2024-10 Cumulative Update (newer than is required).
  • Both machines are Secure Boot enabled.
  • Both machines are rebooted twice before proceeding to the next step (e.g. making a registry change).
  • Both machines return "false" to both Get-SecureBootUEFI commands (which verify whether applying the fix was successful), for a total of 8 reboots.
  • Machines in which my scripts were successful still return "true" for both Get-SecureBootUEFI commands.

Has something changed?
