support.microsoft[.]com/en-au/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
TL;DR... Microsoft reports compatibility problems with the changes that they're making to Secure Boot. If those issues are not solved, and Microsoft goes ahead with plans to make their changes to Secure Boot mandatory, Secure Boot will have to be turned off on incompatible devices. In some cases turning Secure Boot off could be challenging, since many people are not familiar with changing BIOS settings, and/or how to get into the BIOS settings to make changes. [You poke a straightened paperclip into a pinhole on my wife's Lenovo laptop for example.] I'm posting this now, well in advance of Microsoft *Enforcing* Secure Boot changes, because tracking down BIOS documentation on older devices may take some time.
In More Depth
PCs use something called a BIOS to inventory a device's components and tie them together so that everything works in unison as a PC; it then starts the boot loader for the OS, e.g., Windows. With Win7 Microsoft started switching Windows to optionally work with BIOS that used UEFI, which means that the BIOS runs a sort of mini Linux OS. The main advantage to users is that it allows booting from a GPT drive partition larger than 2TB. Any OS is hackable, and in 2012 Microsoft introduced Secure Boot with Win8, which compares the boot loader with a database of known good values before it will start that boot loader. That database is stored with the BIOS firmware, and includes both known good and known bad [revoked] values for Secure Boot to match against. In 2023 cyber criminals figured out how to make Windows Secure Boot revert to using older, insecure key values, defeating Secure Boot's purpose. Microsoft's proposed fix is to store a larger database, too large to fit in the BIOS's limited storage, on the boot partition, and to set the BIOS to use that database for Secure Boot instead of the self-contained version. And that presents some problems...
Microsoft's been working on this for over a year, introducing a reworked framework with the April 2024 security updates to make it more workable, but there's still little in the way of guidance for USB bootable devices: once this is enabled, none of today's USB devices will boot. Another hassle applies even when a device's BIOS is compatible with the change: if the Secure Boot keys get reset to the factory values, which may be necessary when updating the BIOS firmware, or which the BIOS may do automatically after a crash caused by improper settings, a special procedure is required to create a rescue USB stick that boots Windows so it can then be repaired. [Note: AFAIK it's unknown whether that process will work for devices that can boot to more than one OS, & I have doubts.] And some devices will require a BIOS firmware update to be compatible, which is Not going to happen for older hardware; it may not happen even if the hardware is still on store shelves.
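Before the change becomes mandatory, it helps to know where a given PC stands: whether it has Secure Boot at all, and whether the new signing certificate is already in its "known good" list (db) and the old one already in its "known bad" (dbx) list. The following PowerShell script is an added example, not code from the original post or from Microsoft's KB article; it assumes it is run as Administrator on a UEFI Windows 10/11 machine, and that the certificate names it searches for ('Windows UEFI CA 2023' and 'Microsoft Windows Production PCA 2011') are the ones the linked KB article describes adding to db and dbx.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or the KB article): report a PC's
# Secure Boot state and whether the KB5025885 certificate changes are already
# present in the firmware's db (known good) and dbx (revoked) lists.
# Assumption: the certificate names below are the ones the KB article refers to.

function Test-SecureBootVarContains {
    param([string]$Name, [string]$Pattern)
    # Certificates in db/dbx carry their subject name as plain ASCII inside the
    # DER blob, so a text match on the raw bytes is enough for a status check.
    $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    return ([System.Text.Encoding]::ASCII.GetString($var.Bytes) -match $Pattern)
}

function Get-SecureBootReadiness {
    $r = [ordered]@{ SecureBoot = 'unknown'; DbHas2023CA = $null; DbxRevokes2011CA = $null; Advice = @() }
    try {
        $r.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'on' } else { 'off' }
    } catch {
        # Legacy BIOS, or firmware without Secure Boot support: nothing to revoke here.
        $r.SecureBoot = 'unsupported'
        $r.Advice += "Secure Boot not available ($($_.Exception.Message)); KB5025885 does not apply."
        return [pscustomobject]$r
    }
    try {
        $r.DbHas2023CA      = Test-SecureBootVarContains -Name db  -Pattern 'Windows UEFI CA 2023'
        $r.DbxRevokes2011CA = Test-SecureBootVarContains -Name dbx -Pattern 'Microsoft Windows Production PCA 2011'
    } catch {
        $r.Advice += "Could not read db/dbx: $($_.Exception.Message)"
        return [pscustomobject]$r
    }
    if ($r.SecureBoot -eq 'off') {
        $r.Advice += 'Secure Boot is off: the revocation will not change what this PC boots until it is turned back on.'
    }
    if (-not $r.DbHas2023CA) {
        $r.Advice += 'New 2023 CA is not in db yet: mitigation not applied. Check now whether this firmware accepts the db update or needs a BIOS update.'
    }
    if ($r.DbxRevokes2011CA) {
        $r.Advice += 'Old 2011 CA is revoked in dbx: USB install/rescue media signed only by the old CA will no longer boot here; rebuild rescue media first.'
    }
    return [pscustomobject]$r
}

Get-SecureBootReadiness | Format-List
```

Run it on each PC you care about and keep the output with the device's BIOS documentation; a machine reporting Secure Boot 'on' with neither certificate change present is the case where the firmware's compatibility still has to be confirmed.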
Initially Microsoft released this fix on an Opt-in basis -- if you wanted it you could enable it yourself. Hopefully they'll come to their senses and keep it that way, rather than flip a switch some day and cause chaos. That said, if they do force it, not having Secure Boot's protections because you turned it off isn't the end of the world -- it's one of those things that you might as well use since it's there, but IMHO it's not likely something you'd pay for and/or go through too much effort to set up. The malware exploit this fix guards against isn't [at least currently] something that a remote attacker can just enable on your PC -- you have to actively go out and get infected by malware first -- and it's not the worst possible malware you can become victim to.
wikipedia[.]org/wiki/BIOS
wikipedia[.]org/wiki/UEFI
nsfocusglobal[.]com/secure-boot-101-getting-started-with-secure-boot/
Short discussion on what Secure Boot is/isn't:
github[.]com/pbatard/rufus/wiki/FAQ#user-content-Why_do_I_need_to_disable_Secure_Boot_to_use_UEFINTFS