neowin[.]net/news/kb5053484-microsoft-shares-new-powershell-script-for-updated-windows-1110-boot-media/
support.microsoft[.]com/en-us/topic/updating-windows-bootable-media-to-use-the-pca2023-signed-boot-manager-d4064779-0e4e-43ac-b2ce-24f434fcfa0f
support.microsoft[.]com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
Back in early 2023 the BlackLotus malware hit. It caused Windows devices to revert to an earlier, insecure Secure Boot key that had been revoked, taking advantage of that key to load malware before Windows started. By doing so it made that malware very hard to detect and remove. Microsoft's proposed fix is/was to replace the allowed & revoked keys currently stored in the BIOS firmware with a new set of keys stored on the Boot partition of Windows devices. They've been working on it since then and still aren't there yet, though it looks like they're getting closer. It's potentially a big deal because, once enabled, the new setup would break every bootable USB stick that had been created before the changeover. And once implemented, updating the BIOS firmware is expected to break Windows -- they've come up with a way to create a repair USB stick to get things working again. Finally, Microsoft has also found that their new boot loader setup will not work with every system BIOS.
Currently the web page dealing with this update says further guidance is coming in the future to detail how to get a working bootable USB stick or optical disc/ISO. As Neowin points out, however, Microsoft has now published a PowerShell script "to update Windows bootable media so that the media can be used on systems that trust the “Windows UEFI CA 2023” certificate." It says it requires updated source media, but there's no guidance on using an installed copy of Windows, whether an ISO downloaded today would need to have updates applied first, etc. And of course it does not say whether that would break a bootable USB stick for systems, for example, that do not have the new boot loader setup turned on.
What I can tell you is that the latest Windows ADK from December 2024 will allow you to create a WinPE USB stick that will boot a PC without the new protections enabled. And an ISO prepared from the same WinPE source files will boot a VirtualBox Win11 VM that has UEFI, Secure Boot, & TPM 2 enabled, and has had this protection turned on since it was available in 2023. WinPE is the basis for almost every bootable USB stick created by apps like AOMEI Backupper, so developers can update their software if they choose to do so.
learn.microsoft[.]com/en-us/windows-hardware/get-started/adk-install
Lastly, the January 2024 Windows fixes included new files/folders in Windows\Boot\, in a sign that more changes are coming, eventually. The original page detailing this stuff still does not have a projected enforcement date.
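To go with the paragraph above about Microsoft's script and media that "trust the Windows UEFI CA 2023 certificate", here is an added example (my own, not the post's and not Microsoft's script) that reads this PC's Secure Boot DB/DBX and the signer of a media's boot manager, then reports which combination will actually boot. It assumes an elevated PowerShell on a UEFI/Secure Boot system, that the hypothetical drive letter W: is free for mounting the EFI System Partition, that a USB stick at the hypothetical E: carries its boot manager at \EFI\Boot\bootx64.efi, and that the issuing CA name appears in the signer certificate's Issuer field.

```powershell
# Added example, not from the post or from Microsoft. Run elevated on a UEFI PC.
# Assumptions: W: is free to mount the ESP; the stick to test is at E:.

function Get-SecureBootTrustState {
    # db/dbx are raw EFI signature lists; the CA names sit as ASCII inside the
    # DER certificates, so a plain string match is enough to detect them.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        Trusts2023CA  = [bool]($db  -match 'Windows UEFI CA 2023')
        Trusts2011CA  = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        Revoked2011CA = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    }
}

function Get-BootManagerSigner {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return 'Unsigned' }
    # The leaf is the Windows signing cert; the issuing CA tells old from new media.
    # (Status may not read 'Valid' on an offline PC, so only the chain name is used.)
    if ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023') { return '2023' }
    if ($sig.SignerCertificate.Issuer -match 'Production PCA 2011')  { return '2011' }
    return 'Other'
}

function Test-MediaBootsHere {
    # A boot manager boots only if its CA is in DB and that CA is not in DBX.
    param([Parameter(Mandatory)][string]$MediaBootManager)
    $state  = Get-SecureBootTrustState
    $signer = Get-BootManagerSigner -Path $MediaBootManager
    switch ($signer) {
        '2023'  { $state.Trusts2023CA }
        '2011'  { $state.Trusts2011CA -and -not $state.Revoked2011CA }
        default { $false }
    }
}

# Report this PC's installed boot manager, its trust state, and the stick at E:.
mountvol W: /S
try     { "Installed boot manager signed by CA: $(Get-BootManagerSigner 'W:\EFI\Microsoft\Boot\bootmgfw.efi')" }
finally { mountvol W: /D }
Get-SecureBootTrustState
"USB stick at E: would boot on this PC: $(Test-MediaBootsHere 'E:\EFI\Boot\bootx64.efi')"
```

A PC with Trusts2023CA false and an old stick still boots; once Revoked2011CA turns true, only 2023-signed media boots, which is the pre-changeover breakage the post describes.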