I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

All MS is doing (for now) is adding new certificates and not revoking any of the 2011-era certs. To clarify, are the main reasons Microsoft is being so cautious with the rollout (A) tripping bitlocker recovery and (B) triggering code defects in device firmware (and how severe are we talking)? Are there other (bigger) reasons? Root CA programs update their CA anchors all the time and never is it this big of a deal. Why/how is secure boot unique?