It's not always easy to do (and Microsoft could always exempt themselves from surface devices) - I think the spec only requires that it is possible, not that there is a nice dialog box in the bootloader to do it (unfortunately).
Specifically, what I'd do is: disable secure boot, copy shell.efi and keytool to the ESP, add a boot entry for the shell.efi entry, always useful, then boot to it, run keytool, clear the PK - voila you are in setup mode and should be able to change everything.
Be aware that once you set a platform key, updates to any key database are checked for valid signatures. Updates to the KEK must be signed by PK, updates to the DB, DBX must be signed by the KEK, etc. If there's no dialog, you might also want to back up the keys, if you want to set the machine back to its factory default setting.
I can imagine Microsoft might not have enabled this level of control for their surface devices, although as I understand their HCK, they should. Perhaps they exempt themselves :(
You need to put the device into setup mode first, which should be possible by disabling secure boot then deleting the platform key. Then you can update the DB, then KEK and finally PK using keytool.efi. There's many guides on the process, see for example: https://blog.hansenpartnership.com/owning-your-windows-8-uef... and https://www.rodsbooks.com/efi-bootloaders/controlling-sb.htm....
Specifically, what I'd do is: disable secure boot, copy shell.efi and keytool to the ESP, add a boot entry for the shell.efi entry, always useful, then boot to it, run keytool, clear the PK - voila you are in setup mode and should be able to change everything.
Be aware that once you set a platform key, updates to any key database are checked for valid signatures. Updates to the KEK must be signed by PK, updates to the DB, DBX must be signed by the KEK, etc. If there's no dialog, you might also want to back up the keys, if you want to set the machine back to its factory default setting.
I can imagine Microsoft might not have enabled this level of control for their surface devices, although as I understand their HCK, they should. Perhaps they exempt themselves :(