Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, o...
Heather_Poulsen
Updated Dec 09, 2025
EWoo
Dec 09, 2025 | Copper Contributor
Several questions:
- If the computer manufacturer is not planning on supporting or releasing a BIOS/firmware update to include the new certificate and we have Secure Boot enabled, what happens when the certificate expires in 2026 and we are unable to update it, and policy states we are not permitted to disable Secure Boot (nor is that feasible across the number of devices)?
- Will the computer no longer boot to Windows?
- Will the computer still continue to function as normal, as it does today?
- Can we still reimage the device using SCCM?
- If we apply the 0x5944 registry value on updateable systems, are we still able to network boot them with our existing WinPE to image them with SCCM?
- If WinPE needs updating, which version of the Windows 11 ADK/WinPE add-on will include the updated certificate, or is this a manual process?
- If this is a manual process to update WinPE/WDS/SCCM, what is the MS-supported, documented process for doing so?
- Something I read somewhere indicated that it wasn't WinPE that needs updating but the SCCM RemoteInstall boot files that need updating, but I'm not sure where to get the required files containing the new certs to update WDS/SCCM, or how to do so in a supported manner across multiple DPs.
- If we update the WinPE or WDS/SCCM files to support the new certificate, does that mean only the devices that got the new certificate will be network bootable for reimaging with SCCM, and those devices that did not get the certificate will stop imaging, or will both be supported and working?
- Our SCCM needs to support imaging of devices both with the new certificate and those older, vendor-unsupported devices that aren't getting the firmware updates. This should not require deploying any additional WDS/DP servers to support this hardware.
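Before any of the questions above can be answered for a given fleet, you need to know three facts per device: whether Secure Boot is actually on, whether the new CA is already present in the firmware's db, and whether the 0x5944 opt-in value is present and still pending. The script below is an added example written for this page; it is not part of the original thread, of the AMA answers, or of Microsoft's playbook. It assumes the registry location (HKLM\SYSTEM\CurrentControlSet\Control\Secureboot, value AvailableUpdates) and the CA subject string 'Windows UEFI CA 2023' referenced in Microsoft's Secure Boot certificate update guidance; verify both against the current KB before relying on them. The boot-file signer check is included because the WinPE/WDS questions come down to which CA signed the boot manager your media carries; the path passed to it is whatever boot file you want to inspect.

```powershell
# Added example, not from the AMA thread. Run elevated on a UEFI-booted Windows device.
#Requires -RunAsAdministrator

function Get-SecureBootCertInventory {
    [CmdletBinding()]
    param(
        # Assumed subject string of the new CA (from Microsoft's KB guidance); adjust if it changes.
        [string]$NewCaName = 'Windows UEFI CA 2023',
        # Assumed registry location of the opt-in value discussed in the question.
        [string]$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot',
        [int]$OptInMask = 0x5944
    )

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $false
        NewCaInDb         = $false
        AvailableUpdates  = 'not set'
        OptInPending      = $false
    }

    try {
        # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported platforms
        # rather than returning $false, so treat an exception as "not enabled".
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]$result
    }

    # db is a raw EFI_SIGNATURE_LIST blob; the CA subject appears as ASCII inside
    # the embedded DER certificate, so a substring search is sufficient here.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $result.NewCaInDb = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match [regex]::Escape($NewCaName)

    $reg = Get-ItemProperty -Path $RegPath -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($reg) {
        $result.AvailableUpdates = '0x{0:X}' -f $reg.AvailableUpdates
        # Assumption: the value is a bitmask the servicing task works through, so any
        # opt-in bit still set means the update was requested but has not completed.
        $result.OptInPending = (($reg.AvailableUpdates -band $OptInMask) -ne 0)
    }

    [pscustomobject]$result
}

function Get-BootFileSigner {
    [CmdletBinding()]
    param(
        # Any boot manager to inspect, e.g. bootmgfw.efi from WinPE media or a WDS boot folder.
        [Parameter(Mandatory)][string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        # The issuer tells you which CA chain (2011 vs 2023) this binary will validate against.
        Issuer = $sig.SignerCertificate.Issuer
        Signer = $sig.SignerCertificate.Subject
    }
}

Get-SecureBootCertInventory | Format-List
# Inspect the local boot manager; point this at extracted WinPE/WDS media to check that instead.
Get-BootFileSigner -Path "$env:SystemRoot\Boot\EFI\bootmgfw.efi" | Format-List
```

Run the inventory through your existing management tooling (for example as a ConfigMgr script or compliance item) and collect the output centrally; the NewCaInDb and Issuer fields together tell you which devices and which boot media are on which CA, which is the data the vendor-support and WinPE questions above hinge on.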
Pearl-Angeles
Community Manager
Dec 10, 2025
Thanks for your questions! Chiming in that the panelists covered question #2 live at 4:28 during the AMA.