There have been devices that forbid disabling SecureBoot or enrolling your own keys, and only boot loaders that microsoft signed are allowed to boot.
Further, I’ve seen systems that have a setting to not allow the non-microsoft stuff to boot, even if signed by the usual secureboot authority. So there may be a device out there hard set to only allow microsoft software to boot.
There have been devices that forbid disabling SecureBoot or enrolling your own keys, and only boot loaders that microsoft signed are allowed to boot.
Further, I’ve seen systems that have a setting to not allow the non-microsoft stuff to boot, even if signed by the usual secureboot authority. So there may be a device out there hard set to only allow microsoft software to boot.