Instructions on Hardening Windows (What I Have Learnt So Far)

Doing this is to only allow Windows to boot and prevent other OSes from booting. Maybe your OEM drivers use this CA? Please note that the Windows bootloader does NOT use the Microsoft UEFI CA.

This setting may cause problems in WinRE. Change it to "The user can’t add a Microsoft account".

If you are using a YubiKey, enable Computer Configuration\System\Local Security Authority\Allow Custom SSPs and APs to be loaded into LSASS.

I’m not sure if there’s a warning mode on IoT Windows.
