Oke so we’re pretty much trying to get it in control. So I am wondering the PK (platform key) isn’t present in our hypervisor version at this moment. What does this mean for the whole chain?

cause we have a well guided plan aligned with Microsoft their approval. But after running the workflow 0x5944 , en you go to 0x4100 and after a while you get the 0x4000. This means the flow is done. After this you have the remaining 0x280 (revocation of PCA2011 , and applying SVN). After this you are done. 

reading the march update there is this line: 

KB5079473

Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.

could you tell us more about this? - my guess is that you need telmetry on to have this nice feature/support?