How does Microsoft see what is needed for PXE boot with WinPE/MDT/SCCM, etc.?
After the 2011 certs expire, is it correct to assume that the installation of Windows 11 via PXE boot etc. is still working, as long as the BIOS firmware has the 2011 (and 2023) certs available?
So nothing needs to be changed regarding the signed binaries in boot images unless the device only has the 2023 certs in firmware?
Also, that means that after a fresh install of W11 you always need to update the 2023 certs in Windows Boot Manager to get the security updates?
Is this the case until we get a W11 version which is signed with the 2023 certs and requires boot images to have the 2023-signed binaries? So in this case you need to update the PXE/WinPE/boot images?
I asked them the same question. As far as I understand, the old boot images will continue working during PXE boot, as long as the old certificates (the ones from 2011) are present in the UEFI store. If the old certificates are revoked, we need to create new boot images, possibly using a new Windows ADK.
- Jason_Sandys, Mar 13, 2026
Microsoft
Correct. And as called out in a few of my other answers (which you may or may not have seen) we have no intent to revoke the old certs as that serves no purpose and would cause widespread issues.
A key point in all of this to keep in mind is that the certs expiring has no immediate impact whatsoever. Nothing signed by these certs becomes invalid or untrusted just because the certs expired. Unless, or really until, we release an updated boot-critical component that requires signing (which must be done with the new certs), nothing changes. When this does finally happen (as I'm sure it will at some point, but I can't say how soon that will be), that's the time when that new component won't be trusted by devices without the new certs, and thus they won't be able to install that new component. Again, components signed by the old certs, whether they be in a full OS instance or a WinPE boot image, are and will still be fully trusted; nothing changes for them.
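Since the answer above hinges on which CA certificates a device's firmware actually trusts, here is an added example (not from the thread or from Microsoft) that parses the Secure Boot `db` variable and reports whether the 2011 and 2023 Microsoft CAs are present; the subject-name substrings in `$wanted` are assumptions about the certs you care about, and the script needs an elevated PowerShell session on a UEFI system.

```powershell
# Added example: list the X.509 CAs in the firmware Secure Boot 'db' and flag
# whether the 2011 and 2023 Microsoft CAs are both present. Subject substrings
# are assumptions; adjust them to the certs you need to verify.
$wanted   = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023')
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootDbCertificates {
    # 'db' is a sequence of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType | UINT32 ListSize | UINT32 HeaderSize | UINT32 SigSize
    #   | header bytes | N x EFI_SIGNATURE_DATA (16-byte owner GUID + data)
    $bytes  = (Get-SecureBootUEFI -Name db).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type       = [Guid][byte[]]$bytes[$offset..($offset + 15)]
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        # Guard against a malformed list so we never loop forever on bad data
        if ($listSize -lt 28 -or $sigSize -le 16) { break }
        $pos = $offset + 28 + $headerSize
        $end = [Math]::Min($offset + $listSize, $bytes.Length)
        while ($pos + $sigSize -le $end) {
            if ($type -eq $X509Guid) {
                # Skip the 16-byte SignatureOwner GUID; the rest is a DER certificate
                $der = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

$certs = Get-SecureBootDbCertificates
$certs | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
foreach ($name in $wanted) {
    $present = [bool]($certs | Where-Object { $_.Subject -like "*$name*" })
    '{0,-40} present in db: {1}' -f $name, $present
}
```

A device that reports only the 2011 CA will keep booting today's signed images but will not trust a future component signed only by the 2023 CA, which is exactly the situation the answer describes.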