Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, o...
Heather_Poulsen
Updated Dec 09, 2025
mikehartstein
Dec 09, 2025
Copper Contributor
- If we are deploying the AvailableUpdates 0x00005944 registry value (either directly or indirectly via ADMX / AvailableUpdatesPolicy) and everything applies successfully, leaving (as stated in the IT Pro guidance) just the 0x00004000 "modifier" for the potential Microsoft Corporation UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 cert installation - how important is it that that value stays at 0x00004000 after the process is done? For example, if, months later, we want to take the extra step of adding the Microsoft Windows Production PCA 2011 cert to the DBX (BlackLotus mitigation), which requires setting AvailableUpdates to 0x00000080, after which it would end up back at 0x0. Does it matter?
- If the addition of the Microsoft Corporation KEK 2K CA 2023 cert is being denied and a BIOS update is not available from the OEM, is it possible that it will start working over the next few months without a BIOS update needed as a result of an update to KEKUpdateCombined.bin via monthly Windows Update?
- Will any devices that have the same Platform Key behave the same in terms of accepting / denying the new KEK cert update, irrespective of BIOS version?
- Our main OEM, Lenovo, has said they will provide BIOS updates for all commercially supported devices. For Lenovo that support period is about 6 1/2 years after release, meaning there are several generations of devices out there that still meet all the requirements for Win 11 (including CPU minimum) but possibly won't be able to take the updated KEK cert. What will happen to those devices after June 2026? If they cannot sign updates to the DB and DBX, what is the implication? Will regular Windows Cumulative Updates fail to install if they have a DB or DBX update piece?