
I suppose I _could_ sign the extracted UEFI loader manually to make the updates work, but that pretty much breaks the automated process and requires me shuffling the boot order manually after the failed boot. Not a great solution and that assumes the UEFI image doesn't do something weird like its own signature.

It makes sense to use UEFI programs to update the UEFI, but secure boot adds a layer of complexity on top of that which requires taking special notice.




I'm not one to praise my HP machines, but this is one area where I've had zero issues with them.

Are you by chance using "consumer" models? My "enterprise" level PCs, starting with models of the Intel 6th gen era, up to 12th gen, have been smooth sailing secure-boot wise. I didn't interact with any older model.

I run Arch (which isn't signed by MS like Ubuntu / Fedora) and sign the bootloader with my own key that I've generated myself. On some computers where I need to dual-boot with Windows, I've signed MS's Windows key (not the third-party one) with my key. Everything has always worked fine, including automatically upgrading the UEFI over the network from the UEFI itself, installing Windows 11, etc.

I never needed to disable Secure Boot (apart from initial Arch install) or sign any HP-specific key. The only thing that "breaks", but that's expected and HP warns you during the update, is that whatever relies on measuring the UEFI image will break. That's typically the case with BitLocker (mentioned specifically) and LUKS.
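The remark above that a firmware update breaks whatever relies on measuring the UEFI image (BitLocker, LUKS) is easiest to see with the PCR arithmetic written out. The following Python sketch is an added illustration, not code from the thread or from HP: it simulates one SHA-256 PCR bank, extends it with a constructed firmware image and bootloader, seals a volume key to the resulting PCR value, and shows that the key unseals only while the measured firmware is unchanged. The sealing scheme (a wrapping key derived from the PCR value plus an HMAC tag) is a stand-in for a real TPM's sealed-object mechanism; the image contents and key bytes are constructed for the demo.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank

# Constructed sample "images"; a real firmware update changes the bytes
# that the platform measures into PCR0, just like FIRMWARE_V2 here.
FIRMWARE_V1 = b"constructed UEFI image v1"
FIRMWARE_V2 = b"constructed UEFI image v2 (after update)"
BOOTLOADER = b"constructed signed bootloader"
SECRET = b"constructed 32-byte volume key!!"  # exactly 32 bytes


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(stages) -> bytes:
    """Start from an all-zero PCR and extend each boot stage in order."""
    pcr = bytes(PCR_SIZE)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


def _wrap_key(policy_pcr: bytes) -> bytes:
    # Simulated sealing key bound to the PCR policy value (assumption: a
    # real TPM derives nothing like this; it keeps the key internal).
    return hashlib.sha256(b"simulated-seal|" + policy_pcr).digest()


def seal(secret: bytes, policy_pcr: bytes) -> bytes:
    """Return ciphertext || tag; unsealable only under policy_pcr."""
    assert len(secret) == PCR_SIZE
    key = _wrap_key(policy_pcr)
    ct = bytes(a ^ b for a, b in zip(secret, key))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, current_pcr: bytes):
    """Return the secret if current_pcr matches the sealing policy, else None."""
    ct, tag = blob[:PCR_SIZE], blob[PCR_SIZE:]
    key = _wrap_key(current_pcr)
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # PCR mismatch: policy check fails, nothing is released
    return bytes(a ^ b for a, b in zip(ct, key))


def demo():
    """Seal under v1 firmware, then try to unseal before and after the update."""
    before = measure_boot([FIRMWARE_V1, BOOTLOADER])
    blob = seal(SECRET, before)
    ok_before = unseal(blob, before) == SECRET
    after = measure_boot([FIRMWARE_V2, BOOTLOADER])  # same bootloader, new firmware
    ok_after = unseal(blob, after) == SECRET
    return ok_before, ok_after


if __name__ == "__main__":
    print("unseal before update:", demo()[0])
    print("unseal after update: ", demo()[1])
```

Because every later extension hashes in the earlier PCR value, a change in the first measured stage alters the final PCR even when the bootloader is identical, which is why the sealed key has to be re-sealed (or a recovery key used) after a legitimate firmware update.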


Can't say anything about secure boot, but we have HP at work and the BIOS is the most brain damaged thing ever.

Just the built-in update process... It doesn't always find the latest version, i.e. it lags behind the website by weeks sometimes. Then when it checks for updates and finds there isn't a new version available, it offers to downgrade to the previous version, but apart from the text being a bit different, the blue button below still says "UPGRADE", so the first time I accidentally started a downgrade. So it started flashing the BIOS, then something like the NIC firmware, then came to the Intel ME firmware and suddenly said "uh no, I cannot downgrade that" and just aborted the whole update process. No idea if it would've kept flashing other stuff after the ME, and evidently it didn't break anything, but holy crap that looks like a half-arsed feature.


HP Probook 450 G2, I believe that's part of the business lineup. I run it as a home server these days and after many years they finally stopped making updates for that thing, so I can't say I care too much.

There's a very good chance they changed their update procedures, but when I last ran the update I needed to run a special .efi file that would handle the flashing.

For what it's worth, I consider the HP Probook line to be excellent in terms of both durability and support. They may not be three millimetres thick like their competition but design wise they're quite alright, the machines are quite sturdy for their weight class. Their repair guide has very detailed step by step instructions on how to replace parts as well as listings of known replacement part product numbers which are great for finding replacement fans.

I think I've received at least seven years of UEFI updates, which is about 6 more than I expected for the price. HP graphics drivers actually got updates and they offer a way to keep track of updates through email without having any crapware installed. The UEFI itself is also one of the best I've used, miles ahead of the Lenovo one. The ability to browse EFI partitions and navigate to an image of your choice is excellent and I can't believe I haven't seen this on other brands.

Enrolling keys, however, required clearing the certificate cache. I could reset it back to factory settings and load the default Microsoft keys, but for their custom updaters I would need to disable secure boot or find the key they used and import it. Hardly a deal breaker, that's just how Secure Boot is supposed to work, but still something to think about when designing an updater process.


Interesting, I have a 430 G2 I occasionally use as a media player, and it's the only one on which I never attempted to install anything else besides Ubuntu or Windows, so never had to deal with Secure Boot. I actually don't even know if it's on or off.

On newer models, you also have to "clear the certificate cache" to enroll your own keys. But there's an option on the same page like "reset to factory defaults", which reloads the MS keys and such.

The manual UEFI update is indeed a bit cumbersome, especially since the downloaded archive seems to be some Windows executable. And, in my case, I don't remember being able to navigate the partitions; it would just complain that it couldn't find the update if it wasn't in the right directory.



