I have reproduced this and can confirm it only affects 4.8 kernels. I have a Ubuntu 16.04 system with secure boot enabled, and the 4.4 kernels were enforcing it. Installing and rebooting into the linux-image-generic-hwe-edge kernel (4.8.0-34.36~16.04.1-generic) and everything before the kernel thinks secure boot is enabled, but the kernel does not and freely loads unsigned modules.
I have reproduced this and can confirm it only affects 4.8 kernels. I have a Ubuntu 16.04 system with secure boot enabled, and the 4.4 kernels were enforcing it. Installing and rebooting into the linux-image- generic- hwe-edge kernel (4.8.0- 34.36~16. 04.1-generic) and everything before the kernel thinks secure boot is enabled, but the kernel does not and freely loads unsigned modules.
$ cat /proc/version_ signature
Ubuntu 4.4.0-59.80-generic 4.4.35
$ mokutil --sb-state
SecureBoot enabled
$ sysctl kernel.secure_boot
kernel.secure_boot = 1
$ cat /proc/version_ signature 36~16.04. 1-generic 4.8.11
Ubuntu 4.8.0-34.
$ mokutil --sb-state
SecureBoot enabled
$ sysctl kernel.secure_boot
kernel.secure_boot = 0