Precise details of the signing service are up to Microsoft and I'm honestly not aware of their policies. The blacklist is a UEFI variable that can be modified with appropriately signed updates - they'll be pushed out to users via the normal security update mechanisms.