Our test/devel/pre-prod systems are set up to perform automatic updates during the week-end and reboot.
Five of them couldn’t boot this morning, they displayed “bad shim signature” before loading the kernel. They are all vmware VMs with EFI and secure boot. The workaround that saved the day was to disable secure boot.