You can Secure UEFI64-boot to agFM on the E2B USB drive because it uses the Kaspersky bootx64.efi signed grub2 shim file. This boot file originated from Kaspersky and was signed by Microsoft as being 'Secure'. However, it contained a loophole which allowed us (via some clever programming) to load unsigned modules and hence an unsigned version of grub2 (e.g. grubfm or agFM or Ventoy, etc.).
A year or so ago, Microsoft released a KB Update which added a 'blacklist' entry to the non-volatile RAM of the Windows system's UEFI firmware. This is called the DBx (or dbx) list and it can usually be found in your UEFI BIOS settings.
The DBx list was specifically intended for this purpose - to blacklist boot files which Microsoft had signed as 'Secure' but which later turned out to be not as 'secure' as they thought!
The update provided by Microsoft immediately caused a lot of issues on certain Secure Boot OEM systems which also used this same EFI boot file (Lenovo?, HP?) and thus the update prevented them from booting after it was installed! Microsoft quickly withdrew the Windows Update and left their victims to try to rescue their secure but unbootable systems.
Now it seems Microsoft have tried again (KB4535680 2021-01-12) but the new Windows update is only applied to certain systems (and probably only those that boot via UEFI and have GPT partitions on the boot disk):