Event details
I asked them the same question. As far as I understand, the old boot images will continue working during PXE Boot, as long as the old certificates (the ones from 2011) are present in the UEFI store. If the old certificates are revoked, we need to create new boot images, possibly using new Windows ADK.
MicrosoftCorrect. And as called out in a few of my other answers (which you may or may not have seen) we have no intent to revoke the old certs as that serves no purpose and would cause widespread issues.
A key point in all of this to keep in mind is that the certs expiring has no immediate impact whatsoever. Nothing signed by these certs becomes invalid or untrusted just because the certs expired. Unless or really until we release an updated boot critical component that requires signing--which must be done with the new certs--nothing changes. When this does finally happen (as I'm sure it will happen at some point (but can't say how soon that will be) that's the time when that new component won't be trusted by devices without the new certs and thus they won't be able to install that new component. Again, components signed by the old certs, whether they be in a full OS instance or a WinPE boot image, are and will still be fully trusted--nothing changes for them.
Jason_Sandys​ How is Windows 10 LTSC, Win10 IOT LTSC, and Windows 11 IOT LTSC affected by the certificates? Will the new 2023 certificates be install on these devices? Win10LTSC and Win10 IOT LTSC should still be getting windows updates without the extended licensing. Thank you.
They received the Secure Boot certificates just as any other supported platforms. I have access to a Win 10 LTSC machine where they could be installed without problems, and I believe the other mentioned LTSC platforms behave the same (although I have currently no access to machines using them)
