Event details
I have several questions regarding devices that lack supported firmware (End-of-Life hardware or devices where the firmware hasn't been updated) and therefore do not have the Windows UEFI CA 2023 certificate integrated.
Q1: I understand these devices will continue to boot after June 2026 even with Secure Boot active. However, what happens if there are changes e.g. to bootmgfw.efi or the underlying hardware? What would be the impact? Can we let such a device live until the HW dies, to avoid replacing still good, working HW?
Q2: When does Microsoft plan to add the original 2011 certificate to the revocation list (DBX)? If/when this happens, what will the consequences be for these legacy devices?
Q3: If a firmware update for an older machine is released after June 2026, will it be possible to install/deploy the new certificate manually at that point?
Q4: Can we expect to see a Secure Boot certificate status report integrated into the Microsoft Defender for Endpoint console?
In addition to the written responses below, the panelists covered question #1 at around 2:18 and question #3 at around 3:53 during the live AMA.
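For administrators who want to see where a particular machine stands on the points raised in these questions (is the Windows UEFI CA 2023 in the Secure Boot db, is the 2011 PCA still trusted or already in dbx, and which CA signed the boot manager on disk), the following PowerShell is an added example; it is not part of the AMA post or of any Microsoft tooling. It parses the raw EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI rather than string-searching the blob. Assumptions: the inbox SecureBoot module is available and the shell is elevated; the registry value names UEFICA2023Status and WindowsUEFICA2023Capable under the SecureBoot\Servicing key are taken from Microsoft's servicing documentation and should be checked against the current version of that documentation; the EFI system partition is mounted temporarily to the drive letter passed to Get-BootManagerSigner (S: by default), which must be free.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft code: inventory the Secure Boot certificate state that the
# 2011 -> 2023 Windows UEFI CA transition depends on. Assumptions: the inbox SecureBoot
# module (Confirm-SecureBootUEFI / Get-SecureBootUEFI) is present, and the registry value
# names under ...\SecureBoot\Servicing match Microsoft's servicing documentation.

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function ConvertFrom-EfiSignatureList {
    # Walk the concatenated EFI_SIGNATURE_LIST structures that make up db/dbx and emit
    # one object per EFI_SIGNATURE_DATA entry (decoded X.509 certificate or SHA-256 hash).
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])   # SignatureType
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)          # SignatureListSize
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)          # SignatureHeaderSize
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)          # SignatureSize
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $headerSize
        while ($sigOffset + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA = SignatureOwner (16-byte GUID) + SignatureData
            $data  = [byte[]]$Bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
            $entry = [ordered]@{
                Type = $type; Owner = [guid]::new([byte[]]$Bytes[$sigOffset..($sigOffset + 15)])
                Subject = $null; NotAfter = $null; Thumbprint = $null; Sha256 = $null
            }
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Subject = $cert.Subject; $entry.NotAfter = $cert.NotAfter; $entry.Thumbprint = $cert.Thumbprint
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $entry.Sha256 = -join ($data | ForEach-Object { $_.ToString('x2') })
            }
            [pscustomobject]$entry
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Get-SecureBootCAStatus {
    # Answer the questions above for the local machine: is Secure Boot on, does db trust
    # the Windows UEFI CA 2023, does db still trust PCA 2011, and is PCA 2011 revoked in dbx?
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }   # throws on legacy BIOS
    $db = @(); $dbx = @()
    if ($enabled) {
        $db  = @(ConvertFrom-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name db).Bytes)
        $dbx = @(ConvertFrom-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name dbx).Bytes)
    }
    $ca2023  = '*CN=Windows UEFI CA 2023,*'
    $pca2011 = '*CN=Microsoft Windows Production PCA 2011,*'
    # Assumption: value names as documented by Microsoft for the CA 2023 servicing task.
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled         = $enabled
        DbTrustsWindowsUefiCa2023 = [bool]($db  | Where-Object { $_.Subject -like $ca2023 })
        DbTrustsPca2011           = [bool]($db  | Where-Object { $_.Subject -like $pca2011 })
        DbxRevokesPca2011         = [bool]($dbx | Where-Object { $_.Subject -like $pca2011 })
        DbxHashEntries            = @($dbx | Where-Object { $_.Sha256 }).Count
        DbCertificates            = @($db | Where-Object { $_.Subject } | ForEach-Object {
                                        '{0} (expires {1:yyyy-MM-dd})' -f $_.Subject, $_.NotAfter })
        UEFICA2023Status          = $servicing.UEFICA2023Status
        WindowsUEFICA2023Capable  = $servicing.WindowsUEFICA2023Capable
    }
}

function Get-BootManagerSigner {
    # Q1 in practice: which CA chain signed the boot manager currently on the ESP?
    # Mounts the ESP to $Drive (mountvol /S), reads the Authenticode signature, unmounts.
    param([string]$Drive = 'S:')
    mountvol $Drive /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$Drive\EFI\Microsoft\Boot\bootmgfw.efi"
        [pscustomobject]@{
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            Issuer = $sig.SignerCertificate.Issuer   # PCA 2011 vs. Windows UEFI CA 2023 chain
        }
    } finally {
        mountvol $Drive /D | Out-Null
    }
}

Get-SecureBootCAStatus | Format-List
Get-BootManagerSigner  | Format-List
```

A device whose report shows DbTrustsWindowsUefiCa2023 = False with no firmware update available is exactly the legacy case in Q1; on such a device DbxRevokesPca2011 turning True (Q2) would mean a 2011-signed boot manager no longer passes Secure Boot, so the Get-BootManagerSigner issuer is the value to watch before any boot manager change.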