Are there any known differences in how the Secure-Boot-Update task behaves on Windows 10 ESU as compared to Windows 11 Home/Pro?
Recently some more threads of users popped up where Windows freezes during Secure Boot updates after an LCU (e.g. a Dell user here:
And the one common point is that all of them use Windows 10 ESU. Might be a coincidence (as users on older machines are more likely sticking with that), but it seems to be increasingly likely that it is in fact a difference in how the servicing behaves between Win10 and Win11...
- Eric_Bl, May 28, 2026, Copper Contributor
I already reported a similar behavior in the March session of "Ask Microsoft Anything: Secure Boot", to which you replied probably an issue with the confidenceLevel - as you did too in the link you put.
My machine was also using Windows 10 ESU.
I believe the coincidence of those machines using Windows 10 ESU is simply that they are older machines that don't have recent firmware updates and thus have outdated default certificates, and are maybe not able to update the KEK.
I ended up going with your workaround 1, disabling the related task from the Task Scheduler.
But the real solution I got to update all current certificates is using Mosby: https://github.com/pbatard/Mosby
(from the creator of Rufus)
This wonderful tool runs from a USB key, so independently from the OS. It creates a new PK, then signs the KEK and updates all certificates to 2023.
Obviously, Mosby is bypassing the OEM recommendation and ConfidenceLevel keys, but for older machines without any support, I believe it is a great solution.
I wish Microsoft would recommend this or propose alternative solutions for older machines, e.g. using the default Windows OEM KEK as from https://github.com/microsoft/secureboot_objects/releases as suggested here: https://github.com/cjee21/Check-UEFISecureBootVariables/issues/31
- Arden_White, May 27, 2026, Microsoft
There should be no difference between Windows 10 ESU and Windows 11. We have not seen any differences in the behavior across the versions of Windows based on diagnostic data. I think your intuition that ESU devices are typically older devices that can't move to Windows 11 is a good one. Most behavior issues we've seen have been due to firmware.
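
A read-only way to confirm which certificates a Secure Boot variable (db or KEK) holds after an update like the one discussed in this thread, as an added example that is not part of any post and is not code from Mosby or Microsoft. It parses the `EFI_SIGNATURE_LIST` layout from the UEFI specification; the certificate names, the placeholder owner GUID and the sample bytes are assumptions constructed for illustration.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec
HEADER = 28  # SignatureType GUID (16 bytes) + three little-endian UINT32 sizes
# Subject names of the 2023 Microsoft certificates (assumption: supplied here, not listed in the thread)
NAMES_2023 = ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023",
              "Microsoft Corporation KEK 2K CA 2023")

def parse_esl(data):
    """Yield (type, owner, sig_data) per entry of concatenated EFI_SIGNATURE_LISTs.
    Input is the raw variable payload (on Linux efivarfs, strip the 4 attribute bytes first)."""
    off = 0
    while off < len(data):
        if len(data) - off < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body, end = off + HEADER + hdr_size, off + list_size
        if sig_size <= 16 or body > end or end > len(data) or (end - body) % sig_size:
            raise ValueError(f"inconsistent sizes in list at offset {off}")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
        off = end

def certs_present(data, names=NAMES_2023):
    """Map each name to True if an X.509 entry contains it as ASCII text (heuristic, no DER parsing)."""
    certs = [sig for t, _, sig in parse_esl(data) if t == EFI_CERT_X509_GUID]
    return {n: any(n.encode("ascii") in c for c in certs) for n in names}

def build_esl(sig_type, owner, blobs):
    """Build one signature list with equal-sized entries (used only for the sample below)."""
    size = 16 + len(blobs[0])
    body = b"".join(owner.bytes_le + b for b in blobs)
    return sig_type.bytes_le + struct.pack("<III", HEADER + len(body), 0, size) + body

# Constructed sample: placeholder bytes standing in for certificates, not real X.509 data
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder owner GUID
SAMPLE_DB = (
    build_esl(EFI_CERT_X509_GUID, OWNER, [b"placeholder CN=Microsoft Windows Production PCA 2011"])
    + build_esl(EFI_CERT_X509_GUID, OWNER, [b"placeholder CN=Windows UEFI CA 2023"]))

if __name__ == "__main__":
    for name, found in certs_present(SAMPLE_DB).items():
        print(f"{name}: {'present' if found else 'missing'}")
```
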