How will the WinPE boot image (from the ADK) be affected by these changes? If it will be updated, will it continue to work on systems that have not yet installed the updated certificates?

I'm curious when checking to see if the new 2023 certs for Secure Boot get updated, why would we only be checking this cert?  [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’.  This is the "How to Audit Secure Boot Configuration" portion on this page https://support.microsoft.com/en-us/topic/windows-configuration-system-wincs-apis-for-secure-boot-d3e64aa0-6095-4f8a-b8e4-fbfda254a8fe

Several questions:

1. If the computer manufacturer is not planning on supporting or releasing a BIOS/firmware update to include the new certificate and we have Secure Boot enabled, what happens when the certificate expires in 2026 and we are unable to update it and policy states we are not permitted to disable Secure Boot nor is that feasible across the number of devices?
   
   1. Will the computer no longer boot to Windows?
   2. Computer will still continue to function as normal as it is today?
   3. Can we still reimage the device using SCCM?
2. If we apply the 0x5944 registry value on updateable systems, are we still able to network boot them with our existing WinPE to image them with SCCM?
   1. If WinPE needs updating, which version of the Windows 11 ADK/WinPE add-on will include the updated certificate or is this a manual process?
      1. If this is a manual process to update WinPE/WDS/SCCM, what is the MS supported documented process for doing so?
   2. Somewhere I read indicated that it wasn't WinPE that needs updating but the SCCM RemoteInstall boot files needs updating, but not sure where to get the required files containing the new certs to update WDS/SCCM or how to do so in a supported manner across multiple DPs.
3. If we update the WinPE or WDS/SCCM files to support the new certificate, does that mean only the devices that got the new certificate will be network bootable for reimaging with SCCM and those devices that did not get the certificate will stop imaging or will both be supported and working?
   1. Our SCCM needs to support imaging of devices both with the new certificate and those older vendor unsupported devices that aren't getting the firmware updates. This should not include deploying any additional WDS/DP servers for supporting these hardware.

• If we are deploying the AvailableUpdates 0x00005944 registry value (either directly or indirectly via admx / AvailableUpdatesPolicy) and everything applies successfully, leaving (as stated in the IT Pro guidance) just the 0x00004000 "modifier" for the potential Microsoft Corporation UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 cert installation - how important is it that that value stays at 0x00004000 after the process is done? For example, if, months later, we want to take the extra step of adding the Microsoft Windows Production PCA 2011 cert to the DBX (BlackLotus mitigation), which requires setting AvailableUpdates to 0x00000080, after which it would end up back to 0x0. Does it matter?
• If the addition of the Microsoft Corporation KEK 2K CA 2023 cert is being denied and a BIOS update is not available from the OEM, is it possible that it will start working over the next few months without a BIOS update needed as a result of an update to KEKUpdateCombined.bin via monthly Windows Update?
• Will any devices that have the same Platform Key behave the same in terms of accepting / denying the new KEK cert update, irrespective of BIOS version?
• Our main OEM, Lenovo, has said they will provide BIOS updates for all commercially supported devices. For Lenovo that support period is about 6 1/2 years after release, meaning there are several generations of devices out there that still meet all the requirements for Win 11 (including CPU minimum) but possibly won't be able to take the updated KEK cert? What will happen to those devices after June 2026? If they cannot sign updates to the DB and DBX, what is the implication? Will regular Windows Cumulative Updates fail to install if they have a DB or DBX update piece?

Is it true that Hyper-V Gen 1 VMs are not affected by this issue?

Our devices are on Intune but we use a third party patch management software for updates.

Is there a specific update name to look out for to make sure the patching software does deploy this update? Or will the SB cert be deploy as part of future Windows Cumulative/Security updates as well?

Of course, we will need to make sure the devices BIOS are updated to the latest version before such deployment can occur.

"For Windows running long term in a VM, the updates can be applied through Windows like any other devices, if the virtualized firmware supports Secure Boot updates."
- What do you mean by "Windows running long-term in a VM"
- How can I determine if my VMs are long-term?

Does this have any relation with Defender ASR rule 'Block rebooting machine in Safe Mode'? https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-rebooting-machine-in-safe-mode

1. What's the easiest way to determine if a device is compliant to below two prerequisites, to receice automatic secure boot certificates updates? Does Microsoft provide a "quick check", which can be run on a device?

"The system shares diagnostic data + is managed by Microsoft Cloud or Intune"

2. Looks like updating virtual machines by using the "AvailableUpdates" Registry Key (value 0x5944), currently results in an error state  (see details in the Secure Boot playbook for certificates expiring in 2026 - Windows IT Pro Blog comments)

• The certs are up to date except for current "Microsoft Corporation KEK 2K CA 2023"
• Status of UEFICA2023Status Registry Key = "InProgress"
• UEFI2023Error Registry Key  = "800703e6"
• Event log ID 1796 error "The secure boot update failed to update a secure boot variable with error invalid access to memory location"

Question 1: Is this a know error, which Microsoft / Broadcom are working on?
Question 2: The "Microsoft Option ROM UEFI CA 2023" DEFAULT certificate has not been updated by this process. Is Broadcom responsible to do so and will this happen by installing a new version of VMware tools?

3. According to https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818 a device will continue to boot, if it does not have the new secure boot certificates updated, after old certificates exipres in June / October 2026, but "it will no longer be eligible to receive security fixes related to the Windows boot manager updates or Secure Boot".

What does this mean in detail and how to bring a device back to a compliant state?

Just 3 questions:

• Will we need to update the WinPE build media and Windows Install Source Images if the device has the new certs installed (or the old have expired)?
• Will the Windows Install process update the Certs if the Windows Install source media has been updated and the device has not?
• Will any future cumulative patches that require new certs for a security vuln patch also force the upgrade of the cert if the device has yet to be updated?