Forum Discussion
Windows Boot Manager not updated
My attempts to receive information on this situation weren't successful.
My concerns are high that once this certificate expires, > billion devices of Windows Server and Clients with Secure Boot will be affected.
So far, from the "documentation" on techcommunity, I cannot see any solution that works easily and at scale.
Plus it likely requires BIOS updates to update Secure Boot in the UEFI logic, which we all know will not happen for all devices. Either because OEMs do not provide updates AND / OR customers and consumers do not push out UEFI updates at scale on their devices.
If these assumptions are true, the Crowdstrike issue would be declared a shadow of a problem in severity and scale compared to this.
More information about patching Secure Boot can be found in this collection and blog post.
This is about WinRE and WinRE patching, but also spans Secure Boot patching. Quite long stories.
https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/blog-guidance-for-windows-recovery-partition-winre-patching-and/m-p/4129384/highlight/true#M11545
SochiOgbuanya, could you please help to clarify?
I strongly agree with sfijndata that Windows Server 2025 should be deployed with the correct certificate, out of the box.
- sfijndata, Oct 27, 2024, Copper Contributor
  Still not fixed in 26311.
  However, bootmgfw.efi in 26311 is signed with a certificate that expires 14th November 2024, so something will happen soon.
- Flyboy50, Oct 28, 2024, Copper Contributor
  Interesting. Memtest is till SEP25 but (drumroll) SecureBootRecovery also expires 14NOV24.