I manage a configuration Manager environment with about 50k endpoints. We deploy Windows via PXE boot and a OSD Task Sequence.
We're trying to get the latest certificates onto our computers but there will most likely be some computers that we won't reach to update in time. 

1. Will PXE boot still work for both computers we've updated with the new certificates and computers that only have the "Microsoft Windows Production PCA 2011" as long as that certificate is not in DBX. Even after it's expiration date (October 19)?

2. Would you advice NOT to update bootloaders in PXE to use the "Windows UEFI CA 2023" certificate until all computers have the new certificates?