Searching for that phrase "Microsoft UEFI CA must be removed from Secure Boot DB" returns a link to a Microsoft presentation at UEFI Plugfest 2016 [1].
It doesn't directly say why that requirement was introduced, though one could gather from the context that it's being done for security. But perhaps more interesting is that both this presentation and the MSDN page you linked also talk about enterprises being able to control what runs on the hardware themselves. Your MSDN page has:
>Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.
... and the presentation has:
>Security Certificates added to my device are documented and justified, with a pre-defined security response plan.
So I wonder if the reason is just "We wanted to make it convenient for enterprises to not have to do a pre-provision step to remove the UEFI CA, so instead we mandated OEMs to not enable it in the first place."
It would be extremely silly if that turned out to be the reason...
There are vulnerable bootloaders signed with the UEFI CA. Disabling a less heavily vetted CA on devices that are being sold as basically hardened makes sense. But yeah, one aspect of it might be making it easier for enterprises; that's a large focus.
Well that's what the revocation list is for, but yes I can imagine choosing the nuclear option of just dropping the CA is attractive because it's less work for everyone involved.
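A defender-side check for the db/dbx discussion above, added here as an example and not taken from any commenter: a parser for the EFI_SIGNATURE_LIST format in which the Secure Boot db and dbx variables are stored, run over a constructed sample so it works offline. Getting the real payload (for instance `efi-readvar -v db -o db.esl` on Linux, or `Get-SecureBootUEFI -Name db` on Windows) and the vendor-published fingerprint to compare against are assumptions outside this thread.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification that identify what kind of entries a list holds.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures (the db or dbx payload, with the
    4-byte efivars attribute prefix already stripped) into (type, owner_guid, data)."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):  # each entry: SignatureOwner GUID + data
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, datas):
    """Assemble one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(datas[0])) + body


def x509_fingerprints(blob):
    """SHA-256 of every enrolled DER certificate, to compare with the fingerprint the
    vendor publishes for a CA such as the Microsoft UEFI CA (placeholder here)."""
    return {hashlib.sha256(d).hexdigest() for t, _, d in parse_signature_lists(blob) if t == "x509"}


# Constructed sample data: a stand-in byte string, NOT a real certificate, and two fake image hashes.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT = b"\x30\x82\x01\x00" + b"A" * 60
FAKE_CERT_FINGERPRINT = hashlib.sha256(FAKE_CERT).hexdigest()
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, OWNER,
                                  [hashlib.sha256(b"image-1").digest(), hashlib.sha256(b"image-2").digest()])
```

In practice the check is whether `x509_fingerprints(db)` contains the published fingerprint of the third-party CA at all, and whether the dbx entries cover the vulnerable bootloaders the thread mentions.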
It was a leading question, the answer to which only you can know based on your threat model. I did however say what you can do if you don't trust Microsoft, which also makes the question quite irrelevant.
[1]: https://uefi.org/sites/default/files/resources/UEFI_Plugfest...