If Dell won't provide a signed KEK update to Microsoft for those devices (probably because they cannot), Windows will not be able to update the KEK.
In my experience, Dell devices often have an option in their firmware setup to enroll a DB or KEK certificate from a USB key manually. You can try by putting https://github.com/microsoft/secureboot_objects/blob/main/PreSignedObjects/KEK/Certificates/microsoft%20corporation%20kek%202k%20ca%202023.der on a FAT32-formatted USB key and trying to import it as KEK. This should make the secure boot update continue and complete successfully.
Still, from an economic standpoint, you have to decide whether spending a few minutes on each device manually is worth the effort or whether you would be better off replacing the devices.
Thank you for the response and giving me something to try. I have about a dozen machines that will probably need this workaround (hope it works). So, not hundreds or thousands. But unlike a general user's 4-core Optiplex from 10+ years ago, these are workstations that have 12 or 14 cores. Are they as powerful as an equivalent new machine? No, but they still do what we need them to do, and do it pretty well. So, a few minutes, assuming the fix works, is well worth my time. Thanks again. I'll report back when I've had a chance to try.
- mihi, Mar 14, 2026, Brass Contributor
In case that option is not there, feel free to take and share photos of which Secure Boot options are there; maybe there is another way we can get that KEK in.
And in general, before messing with Secure Boot options, it is a good idea to suspend BitLocker (if in use).
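
To confirm afterwards that the manual import discussed in this thread actually landed, the KEK variable can be read back from Windows and its certificates listed. The script below is an added example, not code from any poster or from Microsoft; the function names `Get-EslCertificate` and `Suspend-ForFirmwareChange` are hypothetical, and it assumes an elevated PowerShell session on a UEFI system.

```powershell
#Requires -RunAsAdministrator
# Added example: list the X.509 certificates enrolled in the UEFI KEK variable.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EslCertificate {
    # Walks a buffer of concatenated EFI_SIGNATURE_LIST structures.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list instead of reading past the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # Each entry: 16-byte SignatureOwner GUID, then the DER certificate.
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Suspend-ForFirmwareChange {
    # Run BEFORE entering firmware setup: suspends BitLocker on the OS volume
    # until it is resumed manually (RebootCount 0), if protection is on.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 0
    }
}

# Run AFTER the import: report Secure Boot state and the KEK contents.
"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
$certs = @(Get-EslCertificate -Bytes (Get-SecureBootUEFI -Name KEK).Bytes)
$certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize
if ($certs.Subject -match 'Microsoft Corporation KEK 2K CA 2023') {
    'KEK 2023 certificate is enrolled.'
} else {
    'KEK 2023 certificate is NOT enrolled.'
}
```

If `Suspend-ForFirmwareChange` was used, run `Resume-BitLocker -MountPoint $env:SystemDrive` once the KEK check passes.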