Event ID 1795 should include an error code that might be useful to diagnose this (Not all 1795 are equal).

For the KEK update to work, the OEM needs to submit a signed variable update with the new KEK that is signed with the Platform Key. and upload to Microsoft's secureboot_objects repo on GitHub. A list of all platform keys they have received (even those that did not make it into the January CU) with their thumbprint is available at 

https://github.com/microsoft/secureboot_objects/blob/main/PostSignedObjects/KEK/kek_update_map.json

You can check the Subject and Thumbprint of the used platform key on affected machines that did not reload the factory keys, by installing and importing UEFIv2 Powershell module and running:

(Get-UEFISecureBootCerts pk).Signature | Format-List Subject,Thumbprint

If the thumbprint has already been submitted to Microsoft, it will probably be part in one of the subsequent updates and therefore the KEK update may work. If the KEK update causes a firmware error, the OEM might push a firmware update to fix this. So time can fix this.

The most likely case for a vendor like Lenovo to release a firmware update but not submit a signed KEK to Microsoft would be that they simply lost the private key to the PK used in those firmware versions. You can check on a machine that already uses the new factory keys (or by looking at pkdefault instead of pk if the firmware exposes that variable) if it uses a PK with different thumbprint. If yes, that is a telltale sign.

In that case, automated fixing is not possible (if the machine has an active TPM, which it probably has if it is Win11-supported). If Lenovo pushed a firmware update that either updated PK or KEK, it would invalidate PCR7 of the TPM and in case Bitlocker uses that PCR to seal their keys you would end up in Bitlocker recovery (which is a tedious manual step as well). And as long as they cannot sign a new KEK update with the PK as they lost it, Microsoft cannot do anything either.

That's exactly what Secure Boot tries to prevent.