This is odd. The aforementioned bucket hash lists as High Confidence in the 2026-03 version of C:\Windows\System32\SecureBootUpdates\BucketConfidenceData.cab (Generic_OEM_3.json), yet it is missing in the detailed bucked confidence lists published by Microsoft at https://github.com/microsoft/secureboot_objects/tree/main/HighConfidenceBuckets which are, as I understand it, supposed to match the lists shipped in this update.

So for one part, it explains why the automatic LCU tried to apply those updates on your machine.

It does not, however, explain why that hash appeared on that list, despite the machine obviously being unable to cope with the consequences of even just installing one Windows 2023 certificate. And it does not describe why this hash is missing in the detailed listings.

Perhaps Arden_White​ can shed some light on this?