I have one more question.
I successfully tested the update on a representative group of devices. The entire procedure completes correctly — the certificates are properly enrolled into DB and KEK, and the Boot Manager is signed with the new certificate.
However, the BIOS still does not contain the new certificates in dbDefault (and KEKDefault), and I am not sure whether a future BIOS version with such configuration will ever be released.
Should I proceed with the deployment to the remaining machines?
Is there any potential risk in having the new certificates present in DB while they are not present in dbDefault?
Yes, proceed with deployment.
The risk is users who are able to enter UEFI setup and mess with Secure Boot settings (set them to default) or reset all UEFI settings to default.
If the 2023 cert used to be installed in DB and the new boot manager is used, this will result in a machine that will not boot unless you either disable Secure Boot or boot the machine from securebootrecovery.efi. It will also require a BitLocker Recovery Key if BitLocker is used (protected with TPM PCR 7+11 and maybe others) after having done either one of these.
Therefore, your support staff should know about this potential issue so that they can help the "curious" user get the machine working again. It may be good practice to protect the firmware setup of such machines with a password to avoid this scenario.
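To find the machines the answer above is worried about (new certificates enrolled in DB/KEK but absent from dbDefault/KEKDefault, so a "restore defaults" in firmware setup would drop them), the following script is an added example, not code from the thread. It parses the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI and compares the X.509 subjects in each live variable with its firmware default. The certificate names it looks for (Windows UEFI CA 2023 for DB, Microsoft Corporation KEK 2K CA 2023 for KEK) are the public names of the 2023 CAs and are an assumption about your deployment; adjust them if you enrolled something else. Run it in an elevated PowerShell on a UEFI machine.

```powershell
# Added example (not from the original thread). Compares the certificates in the live
# Secure Boot db/KEK with dbDefault/KEKDefault and warns where a "restore defaults"
# would remove a 2023 CA that the live variable currently trusts.
#Requires -RunAsAdministrator

# GUID that marks an EFI_SIGNATURE_LIST as holding DER-encoded X.509 certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertSubjects {
    param([Parameter(Mandatory)][string]$Name)
    # Returns the subject names of all X.509 entries in the named Secure Boot variable,
    # or $null if the firmware does not expose that variable (common for *Default).
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null
    }
    $subjects = @()
    $offset = 0
    # The variable is a concatenation of EFI_SIGNATURE_LIST structures:
    #   SignatureType (16-byte GUID), SignatureListSize, SignatureHeaderSize,
    #   SignatureSize (3 x UInt32), optional header, then the signatures.
    while ($offset + 28 -le $bytes.Length) {
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # malformed list
        if ($sigType -eq $EfiCertX509Guid) {
            $sigOffset = $offset + 28 + $hdrSize
            $listEnd   = $offset + $listSize
            while ($sigOffset + $sigSize -le $listEnd) {
                # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the DER cert.
                $der  = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $subjects += $cert.Subject
                $sigOffset += $sigSize
            }
        }
        $offset += $listSize
    }
    return $subjects
}

# Assumed names of the 2023 CAs you enrolled; verify against your own deployment.
$Expected = @{
    'db'  = 'Windows UEFI CA 2023'
    'KEK' = 'Microsoft Corporation KEK 2K CA 2023'
}

foreach ($var in $Expected.Keys) {
    $live    = Get-SecureBootCertSubjects -Name $var
    $default = Get-SecureBootCertSubjects -Name "${var}Default"
    $cn      = $Expected[$var]

    $inLive    = @($live    | Where-Object { $_ -like "*$cn*" }).Count -gt 0
    $inDefault = @($default | Where-Object { $_ -like "*$cn*" }).Count -gt 0

    if ($null -eq $default) {
        Write-Warning "${var}Default is not exposed by this firmware; cannot tell what 'restore defaults' would install."
    }
    if ($inLive -and -not $inDefault) {
        Write-Warning "'$cn' is in $var but not in ${var}Default: resetting Secure Boot to defaults would drop it."
    } elseif ($inLive -and $inDefault) {
        Write-Output "'$cn' is present in both $var and ${var}Default."
    } else {
        Write-Output "'$cn' is not in $var (update not applied on this machine)."
    }
}
```

The warning cases are the ones to feed into your inventory: a machine that hits the first branch is exactly the one where a user resetting UEFI settings turns a 2023-signed boot manager into a no-boot plus BitLocker-recovery situation, so support staff can be pointed at securebootrecovery.efi for those serials in advance.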