Background... I've found very little concrete info on how this will all work out. Microsoft has published that PCs/laptops that do not get the updated secure boot certificate will still work with Secure Boot turned on, but if Microsoft updates the boot loader &/or secure boot related files in the future, those devices will not get those updates. The newer secure boot certificates must be stored in the BIOS, which is the firmware that manages all the components so the box of connected parts actually boots into Windows [or Linux]. Microsoft's secure boot update software apparently can store the newer certificate in the BIOS, **sometimes**, e.g., as evidenced with our older Lenovo laptop. When that does not work A) nothing will happen, or B) it ***might*** mess up Windows or the BIOS -- I had to restore a backup image of Win11 on our old AIO after running the secure boot update test procedure Microsoft published. Microsoft is collecting data on which devices can be successfully updated to the newer certificate, with the assumed goal of not trying to update incompatible PCs, avoiding that sort of problem. But of course this is Microsoft, so S*** will happen. Depending on the BIOS -- the options offered in individual BIOS settings menus vary -- you may be able to update the secure boot certificate stored in the BIOS itself.
h30434.www3.hp[.]com/t5/Business-Notebooks/Enabling-new-UEFI-2023-CA-certificates-in-pre-2018-HP/td-p/9628370
Now, when it comes to the bootable USB sticks created with backup & partitioning apps, Windows setup etc., boot files that recognize the newer certificate will *probably* be needed to boot devices that have received the secure boot certificate update. Creating those USB sticks after that certificate update has been applied will **probably** add whatever is needed to that USB stick, since the files responsible for booting are *usually* copied from the Windows folder itself. It will *probably* be possible to copy the necessary files from the Windows folder to the USB stick rather than recreating the USB stick, or when the app you're using does not copy those files from Windows. There is also a PowerShell script [without documentation] to create bootable USB sticks/drives on Microsoft's secure boot GitHub page.
github[.]com/microsoft/secureboot_objects/releases
Where it's likely to get iffy is for folks like me that have newer PCs with the new certificate and older PCs without it. A bootable USB stick with the certificate update might not boot devices without it, and those USB sticks without the update might not boot PCs that have received it, meaning that I may now need 2 versions of each bootable USB stick I have & might use. I have not found a guaranteed, definitive answer, so I'm making sure I have disk image backups of each & every one, since the only way to create the older version would be using a PC/laptop without the update. Anyway, maybe something to think about.
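As an added example (not from the original post), here is a PowerShell check, run as administrator on a UEFI-mode PC, that reports which Microsoft Secure Boot CAs the firmware's db/KEK/dbx currently hold and which CA a bootable stick's EFI loader was signed under, so you can tell the "old" and "new" versions of a stick apart before trying to boot from it. The CA names are the ones Microsoft publishes for the 2011 and 2023 certificates; the stick's drive letter, loader path and the issuer-string match are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on a UEFI system: Get-SecureBootUEFI needs administrator rights.
# CA names are the ones Microsoft publishes; the USB path is an assumption.

function Test-SecureBootVarHasCa {
    param([Parameter(Mandatory)][string]$Name,       # db, dbx or kek
          [Parameter(Mandatory)][string]$CaPattern)
    # The variable is a binary EFI_SIGNATURE_LIST blob; a CA's subject name is
    # embedded in its X.509 entry as plain ASCII, so a substring match suffices.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $CaPattern)
}

function Get-BootLoaderCaInfo {
    param([Parameter(Mandatory)][string]$EfiPath)
    # Boot loaders are Authenticode-signed PE files; the signer's issuer tells
    # which Microsoft CA the loader chains to (assumed issuer strings below).
    $sig = Get-AuthenticodeSignature -FilePath $EfiPath
    [pscustomobject]@{
        Path     = $EfiPath
        Status   = $sig.Status
        Issuer   = $sig.SignerCertificate.Issuer
        Is2023CA = ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
    }
}

# --- firmware side ---------------------------------------------------------
$secureBootOn = Confirm-SecureBootUEFI
$db2023  = Test-SecureBootVarHasCa -Name db  -CaPattern 'Windows UEFI CA 2023'
$kek2023 = Test-SecureBootVarHasCa -Name kek -CaPattern 'Microsoft Corporation KEK 2K CA 2023'
$db2011  = Test-SecureBootVarHasCa -Name db  -CaPattern 'Microsoft Windows Production PCA 2011'
$dbx2011 = Test-SecureBootVarHasCa -Name dbx -CaPattern 'Microsoft Windows Production PCA 2011'

"Secure Boot enabled              : $secureBootOn"
"db  trusts Windows UEFI CA 2023  : $db2023"
"KEK holds KEK 2K CA 2023         : $kek2023"
"db  trusts Windows PCA 2011      : $db2011"
"dbx revokes Windows PCA 2011     : $dbx2011"

# --- USB stick side (assumed drive letter; adjust to your stick) -----------
$usbLoader = 'E:\EFI\Boot\bootx64.efi'
if (Test-Path $usbLoader) {
    $info = Get-BootLoaderCaInfo -EfiPath $usbLoader
    $info | Format-List
    if ($info.Is2023CA -and -not $db2023) {
        Write-Warning 'Loader is 2023-CA signed but this firmware does not trust that CA yet.'
    } elseif (-not $info.Is2023CA -and $dbx2011) {
        Write-Warning 'Loader is 2011-CA signed but this firmware has revoked that CA.'
    }
}
```

A stick whose loader is signed under the 2011 CA keeps booting on updated PCs until the 2011 CA is actually placed in dbx, which is why the script checks dbx separately from db.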