We have several devices without the 2023 cert in the default db where we expect to reset secure boot and reinstall past June 2026. I understand it's possible to install the 2023 cert post June 2026, but will Windows Update automatically install the 2023 cert past June 2026 since you won't get security updates for boot manager and secure boot via Windows Update past that date?
When performing the reinstall, make sure that you use an ISO that still uses the old boot manager (or it won't boot). As of now, all publicly available ISOs do that, so it depends on how many months/years after June 2026 it will be. As a result, the installed Windows version will also use the old boot manager, but will boot and get LCU without issues.
Once you have done so, the machine will not be different from a machine that has been installed in the past and has not been booted for months/years. So, the next available LCU update will run the Secure Boot scheduled task again and apply the certs. (Just like it will apply any pending Secure Boot DBX updates even if the updates came out mid-2025 and you did the reinstall in 2026.)
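
To confirm on a reinstalled device that the scheduled task has applied the certs, the following PowerShell check is an added example (not part of the original question or reply). It assumes an elevated session on a UEFI machine; the certificate common names and the scheduled task path are the ones Microsoft publishes for the 2023 rollout and do not appear in the thread above.

```powershell
# Run elevated on a UEFI system. Reports whether the 2023 Microsoft certificates
# are present in the active Secure Boot variables and in the firmware defaults.
# Assumption: certificate names and task path come from Microsoft's public
# Secure Boot guidance, not from this thread.
$expected = @(
    @{ Variable = 'db';        Cert = 'Windows UEFI CA 2023' }
    @{ Variable = 'dbDefault'; Cert = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';        Cert = 'Microsoft UEFI CA 2023' }
    @{ Variable = 'KEK';       Cert = 'Microsoft Corporation KEK 2K CA 2023' }
)

function Test-SecureBootCert {
    param([string]$Variable, [string]$Cert)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        # Variable absent, legacy BIOS boot, or session not elevated
        return 'variable not readable'
    }
    # Search the raw signature list for the certificate's common name
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match [regex]::Escape($Cert)) { 'present' } else { 'missing' }
}

$secureBootOn = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }
"Secure Boot enabled: $secureBootOn"

$expected | ForEach-Object {
    [pscustomobject]@{
        Variable    = $_.Variable
        Certificate = $_.Cert
        Status      = Test-SecureBootCert -Variable $_.Variable -Cert $_.Cert
    }
} | Format-Table -AutoSize

# The servicing task that the cumulative update triggers to apply db/dbx changes
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' `
                          -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
if ($task) {
    "Secure-Boot-Update task state: $($task.State)"
} else {
    'Secure-Boot-Update task not found on this build'
}
```

A device that shows the cert as missing in `dbDefault` but present in `db` matches the situation in the question: a Secure Boot reset would drop it again until the task reapplies it.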