Post-expiration behavior for 3rd Party / Option ROM CAs
When the Microsoft Windows Production PCA 2011 expires in June 2026, the migration path to "Windows UEFI CA 2023" is well documented for the boot manager. However, the situation is much less clear for the "Microsoft Corporation UEFI CA 2011" (3rd Party UEFI CA) and its Option ROM counterpart.
On many Secured-Core systems, the "Allow Microsoft 3rd Party UEFI CA" BIOS setting is disabled by default, so the 2011 3rd Party CA is absent from the Default db store and Windows Update never injects its 2023 equivalent ("Microsoft UEFI CA 2023").
What is the supported remediation for customers who reach June 2026 with the 3rd Party CA never migrated — for example fleets running Linux dual-boot, third-party Option ROM hardware (RAID, GPU, NICs), or pre-OS tools signed by the 3rd Party CA? Is there an official guidance document specific to the 3rd Party / Option ROM CA migration, equivalent to what exists for the Windows boot manager?
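A way to check which of the CAs named above a machine's `db` actually contains, as an added example that is not part of the original post and is not Microsoft tooling. It parses the UEFI `EFI_SIGNATURE_LIST` layout from raw `db` contents (for instance the `Bytes` of `Get-SecureBootUEFI db` on Windows, or the Linux efivars `db` file with its 4-byte attribute prefix removed); the function names and the sample data are assumptions constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification; other list types are skipped.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# CA names exactly as quoted in the question above.
CA_NAMES = (
    "Microsoft Windows Production PCA 2011",
    "Microsoft Corporation UEFI CA 2011",
    "Windows UEFI CA 2023",
    "Microsoft UEFI CA 2023",
)

def iter_x509(db: bytes):
    """Yield (owner GUID, certificate bytes) for each X.509 entry in a db blob."""
    off = 0
    while off < len(db):
        if off + 28 > len(db):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(db) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size
        while sig_type == EFI_CERT_X509_GUID and pos + sig_size <= end:
            yield uuid.UUID(bytes_le=db[pos:pos + 16]), db[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def ca_presence(db: bytes, names=CA_NAMES) -> dict:
    """Heuristic: a name counts as present if it occurs in any certificate's bytes
    (subject or issuer); this is not a full X.509 parse."""
    certs = [cert for _, cert in iter_x509(db)]
    return {n: any(n.encode("ascii") in c for c in certs) for n in names}

def build_sample_db(names) -> bytes:
    """Constructed input: one signature list per name, with a placeholder blob
    standing in for the DER certificate (not real certificate data)."""
    owner = uuid.UUID(int=1).bytes_le  # constructed owner GUID
    out = b""
    for n in names:
        blob = b"\x30\x82" + n.encode("ascii")
        out += EFI_CERT_X509_GUID.bytes_le
        out += struct.pack("<III", 28 + 16 + len(blob), 0, 16 + len(blob))
        out += owner + blob
    return out

if __name__ == "__main__":
    # Sample state: boot-manager CAs present, neither 3rd Party CA enrolled.
    sample = build_sample_db(["Microsoft Windows Production PCA 2011", "Windows UEFI CA 2023"])
    for name, present in ca_presence(sample).items():
        print(f"{'present' if present else 'ABSENT ':8} {name}")
```

Running the same check against `dbDefault` as well as `db` distinguishes a CA that the firmware never shipped from one that was removed or never enrolled later.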