Since Microsoft can only update the active UEFI database, does anyone know what the behavior will be on older systems that aren't getting a BIOS update to put the new certs in the default UEFI database? Specifically, let's say you do a "restore defaults" from within the BIOS and the 2011 certs from the default database overwrite the new certs in the active database after the 2011 certs have expired. Will the system still boot?
It does not matter whether the certs have already expired; it only matters whether you already got the 2023 bootloader. If the new bootloader is already installed (which started happening for some machines with the February 2026 LCU) and you reset to system defaults, your system will not boot but will show a Secure Boot error. You will then need to boot from a USB key with securebootrecovery.efi, which will update the one certificate needed to get the system booting again (the Windows 2023 certificate in DB); the rest will be fixed from the booted system.
See "Device fails to boot after resetting Secure Boot" in the Troubleshooting Guide:
https://support.microsoft.com/en-us/topic/secure-boot-troubleshooting-guide-5d1bf6b4-7972-455a-a421-0184f1e1ed7d#bkmk_common_failure_scenarios_and_resolutions
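To see where a given machine stands before touching the firmware defaults, the check below (an added example, not part of the thread or of Microsoft's guide) reads the live DB and KEK variables and reports which Microsoft CAs are present; it assumes an elevated PowerShell session on a UEFI Windows install and uses only the built-in Secure Boot cmdlets.

```powershell
# Added example: report which Microsoft CAs the live Secure Boot DB/KEK trust, so you
# know whether a firmware "restore defaults" could drop a certificate the installed
# boot manager depends on. Run elevated; Get-SecureBootUEFI needs admin rights.

# Subject names as they appear inside the EFI_SIGNATURE_LIST blobs.
$targets = [ordered]@{
    'Microsoft Windows Production PCA 2011' = 'db'   # signs the pre-2023 boot manager
    'Windows UEFI CA 2023'                  = 'db'   # signs the 2023 boot manager
    'Microsoft Corporation UEFI CA 2011'    = 'db'   # third-party loaders / option ROMs
    'Microsoft UEFI CA 2023'                = 'db'
    'Microsoft Corporation KEK CA 2011'     = 'KEK'
    'Microsoft Corporation KEK 2K CA 2023'  = 'KEK'  # needed to receive future DB updates
}

function Get-UefiVariableText([string]$Name) {
    # The variable is a raw signature-list blob; certificate subject names inside it
    # are ASCII, so a substring search is enough to detect presence of a CA.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is not enabled; DB contents are not being enforced.'
}

$blobs = @{ 'db' = Get-UefiVariableText 'db'; 'KEK' = Get-UefiVariableText 'KEK' }
$present = @{}
foreach ($subject in $targets.Keys) {
    $var = $targets[$subject]
    $present[$subject] = $blobs[$var].Contains($subject)
    '{0,-4} {1,-40} {2}' -f $var, $subject, $(if ($present[$subject]) { 'present' } else { 'MISSING' })
}

# Interpretation, per the answer above: once the 2023-signed boot manager is installed,
# a DB without 'Windows UEFI CA 2023' refuses to load it. A firmware "restore defaults"
# that rewrites DB from a 2011-era default store produces exactly that state.
if ($present['Windows UEFI CA 2023']) {
    Write-Host 'DB trusts the 2023 CA. Before resetting Secure Boot to factory defaults, confirm the'
    Write-Host 'firmware default store also carries it, or keep securebootrecovery.efi media at hand.'
} else {
    Write-Host 'DB does not yet trust the 2023 CA; a 2023-signed boot manager would fail to load.'
}
```

The script only reports the active variables; whether the firmware's *default* store also carries the 2023 CA is not exposed through these cmdlets and has to come from the OEM's BIOS release notes.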