This is an intentional re-submission from yesterday to ensure people see it and plan for changes this week. Please let me know if any parts need expanding or if anything is missing. I've only done this on a half dozen machines and they were all Linux.
Perhaps you could mention that, alternatively, one can rely on TPM with Heads and a hardware key for verified boot. In this case, no proprietary software is involved.
That sounds like a good idea. Can you recommend a really good document I could link to that could walk people through switching from the M$ Cert secure boot to the non-proprietary methods? Ideally one you have gone through on a few machines.