Event details
Several questions:
- If the computer manufacturer is not planning on supporting or releasing a BIOS/firmware update to include the new certificate and we have Secure Boot enabled, what happens when the certificate expires in 2026 and we are unable to update it and policy states we are not permitted to disable Secure Boot nor is that feasible across the number of devices?
- Will the computer no longer boot to Windows?
- Computer will still continue to function as normal as it is today?
- Can we still reimage the device using SCCM?
- If we apply the 0x5944 registry value on updateable systems, are we still able to network boot them with our existing WinPE to image them with SCCM?
- If WinPE needs updating, which version of the Windows 11 ADK/WinPE add-on will include the updated certificate or is this a manual process?
- If this is a manual process to update WinPE/WDS/SCCM, what is the MS supported documented process for doing so?
- Something I read somewhere indicated that it wasn't WinPE that needs updating but the SCCM RemoteInstall boot files that need updating, but I am not sure where to get the required files containing the new certs to update WDS/SCCM or how to do so in a supported manner across multiple DPs.
- If we update the WinPE or WDS/SCCM files to support the new certificate, does that mean only the devices that got the new certificate will be network bootable for reimaging with SCCM and those devices that did not get the certificate will stop imaging or will both be supported and working?
- Our SCCM needs to support imaging of devices both with the new certificate and those older vendor-unsupported devices that aren't getting the firmware updates. This should not include deploying any additional WDS/DP servers to support this hardware.
- These certificates allow Microsoft to apply security updates to Secure Boot and boot manager components. If the new certificates are not in place, this will no longer be possible. We are finalizing the defined behavior and will share full details before the change takes effect.
- Yes. The system will continue to boot existing boot media, including network boot, after the certificates are updated by applying the 0x5944 registry key. If Secure Boot revocations are applied to firmware to revoke older versions of the boot manager, it will require updating all boot sources to the new boot manager.
- Yes. If boot media such as WinPE or USB is updated with the new boot manager, the device can only boot from this updated media if the new certificates are already applied to the device firmware.
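A worked example of the staging-and-verification step the answers above describe, added here and not part of the thread or of Microsoft's own tooling. It assumes, from Microsoft's published Secure Boot CA update guidance, the registry location HKLM\SYSTEM\CurrentControlSet\Control\Secureboot with value AvailableUpdates, the scheduled task \Microsoft\Windows\PI\Secure-Boot-Update, and the subject names of the 2023 CAs and the 2011 production CA; verify all of these against the current KB for your build before running it at scale. It stages 0x5944 only when asked and otherwise just reports which CAs are currently trusted (db) or revoked (dbx) in the firmware.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Registry path/value, task path/name and CA subject
# strings are ASSUMED from Microsoft's Secure Boot CA update guidance; verify against the KB.

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$TaskPath = '\Microsoft\Windows\PI\'
$TaskName = 'Secure-Boot-Update'

# Subject CNs the 0x5944 update is expected to add to the UEFI db.
$NewCAs = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
# The 2011 production CA; it only moves to dbx through the separate revocation step, not 0x5944.
$OldCA  = 'Microsoft Windows Production PCA 2011'

function Test-UefiVarContains {
    param([string]$Name, [string]$Subject)
    # db/dbx are EFI_SIGNATURE_LIST blobs holding DER certificates; searching the raw bytes
    # for the subject CN as ASCII is a sufficient presence check for the Microsoft CAs.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return [bool]($text -match [regex]::Escape($Subject))
}

function Get-SecureBootCertState {
    # One row per certificate of interest: trusted (in db) and/or revoked (in dbx)?
    foreach ($s in ($NewCAs + $OldCA)) {
        [pscustomobject]@{
            Certificate = $s
            InDb        = Test-UefiVarContains -Name 'db'  -Subject $s
            InDbx       = Test-UefiVarContains -Name 'dbx' -Subject $s
        }
    }
}

function Invoke-SecureBootCertStaging {
    param([switch]$Apply)
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is off; the 0x5944 update only applies to Secure Boot-enabled systems.'
    }
    if ($Apply) {
        # Stage the update. The Secure-Boot-Update task consumes the bits, and the db change
        # becomes visible only after the following reboot(s), so re-run without -Apply afterwards.
        New-ItemProperty -Path $RegPath -Name 'AvailableUpdates' -PropertyType DWord `
            -Value 0x5944 -Force | Out-Null
        Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
        Write-Host 'Staged AvailableUpdates=0x5944; reboot before re-checking.'
    }
    Get-SecureBootCertState | Format-Table -AutoSize
}

# Check only:    Invoke-SecureBootCertStaging
# Stage update:  Invoke-SecureBootCertStaging -Apply
```

Read the output against the answers above: after 0x5944 has been processed, the 2023 CAs should show InDb true while the 2011 CA still shows InDb true and InDbx false, which is exactly why existing WinPE and network boot media keep booting. Only when a later revocation step puts the 2011 CA in dbx does every boot source need the new boot manager.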
- EWoo, Dec 10, 2025, Copper Contributor
Does applying the 0x5944 registry key apply the Secure Boot revocations or does this only apply the new cert, but leaves the old cert in place?
And is Microsoft planning on revoking the old cert at some point in the future?
- rparmar50, Dec 10, 2025, Microsoft
0x5944 will only add new certs without revoking any existing old certs.
- mikehartstein, Dec 10, 2025, Copper Contributor
When you say "future security updates cannot be applied," do you mean monthly cumulative updates will fail to install entirely, or will just the potentially bundled updates to Secure Boot / Boot Manager be skipped?
- RayC15, Dec 10, 2025, Copper Contributor
1. So the boot process will not be affected after the certificate has expired. But if we set the registry key to 0x5944 after it has expired, will the result always fail?