Is there an Official Rollback option incase of any booting issues after updating?

In order to do the secure boot certificates updates, do I need to follow the vendor's steps on updating secure boot certificate? For example, dell has a website that states pre-requisites that it need tpm 2.0 and windows server 2022 or later then able to update the secure boot certificate. Is it necessary to follow or I can proceed to update the secure boot certificate via registry keys or the playbook that you provided?

Will the clients still boot after June if no steps are taken?

How do we confirm that a Windows device is actively booting using the Windows Boot Manager signed by the 2023 Secure Boot CA , rather than just having the 2023 certificates present or staged in firmware?

So just to confirm is it "Basic - required" or do we need "full - optional diagnostic data"?

We have an issue where vmware vm servers upgraded via ipu from 2012 to 2024 are failing with a tpm error when running the windows-secure-boot-update scheduled task so they don't get the event id 1808, newer 2022 servers don't have that issue and have the same configuration. None of the servers have tpm enabled in vcenter. Can you confirm that secureboot is enabled by running 

Confirm-SecureBootUEFI = True, even though the event id 1808 doesnt show.

The new panel in Windows Security is supposedly released in April LCU, but I don't have the new UI.  My secure boot status shows green but i dont have the new certs.  Did the update get pulled from the April LCU?

have you published published a mandatory DBX enforcement date that is explicitly tied to the 2011 certificate expiry yet?  Or can you indicate roughly when this is likely?

Can you explain more about error event 1795 and 1797? all the necessary prerequisites are met including recommended firmware version and secure boot state enabled

What are the possible impact after Jun/26 for those devices that were unable to get Certs or updates at all?