PSA for dualbooters: Upcoming Windows 11 update may reset TPM, be sure your recovery key is available

Hiya!

Not really an IncusOS-specific bit and I think the pool of folks in this scenario is small but figured it wouldn’t hurt to highlight here (particularly if there is a rise in folks wondering why they suddenly need to enter their recovery key).

Microsoft is rolling out new certs in a Windows 11 update that—at least in the case of my multiboot system—reset my TPM.

I distribute my own cert chain signed with my own platform key, and had already included both the old and new Microsoft KEKs and db keys. And yet after installing the latest preview update, I found my TPM had been wiped and I had to use my IncusOS recovery key.

Just another reason why the backup is essential.

More info on the cert rollout: Microsoft is keeping Secure Boot alive with Windows updates | The Verge