I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.
I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.
---
All MS is doing (for now) is adding new certificates and not revoking any of the 2011-era certs. To clarify, are the main reasons Microsoft is being so cautious with the rollout (A) tripping BitLocker recovery and (B) triggering code defects in device firmware (and how severe are we talking)? Are there other (bigger) reasons? Root CA programs update their CA anchors all the time and never is it this big of a deal. Why/how is Secure Boot unique?
The main reason why 2011 certs are not "blanket" revoked, in my opinion, is that there are lots of recovery media out there (e.g. created by third-party full-disk backup software) that would fail to boot once the 2011 cert has been revoked. And Microsoft does not intentionally make it hard for users to restore their data.
If your company is aware, they can flip the bit so that the 2011 certs are revoked as well. It is just not happening through CFR or LCU (yet...).
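A read-only way to see where a given Windows host stands in that rollout, as an added example that is not code from this thread or from Microsoft: it inventories the UEFI `db` and `dbx` variables for the 2011 and 2023 Microsoft CA subjects, so an admin can tell whether the new certs have landed and whether the 2011 Production PCA has already been revoked. It assumes an elevated PowerShell session on a UEFI system with Secure Boot enabled, and changes nothing.

```powershell
# Added example (not from the AMA thread). Read-only inventory of the UEFI
# Secure Boot db/dbx on a Windows host. Requires an elevated PowerShell on a
# UEFI system; nothing is written to firmware variables or the registry.

function Get-SecureBootCaStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled (or the system booted in legacy BIOS mode).'
    }

    # Certificate subject names are stored as ASCII inside the DER-encoded
    # certs in each variable, so a substring search over the raw bytes is
    # sufficient for a presence check (no full EFI_SIGNATURE_LIST parsing).
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    $subjects = @(
        'Microsoft Windows Production PCA 2011',   # 2011-era CA for the Windows boot manager
        'Microsoft Corporation UEFI CA 2011',      # 2011-era CA for third-party boot components
        'Windows UEFI CA 2023',
        'Microsoft UEFI CA 2023',
        'Microsoft Option ROM UEFI CA 2023'
    )

    foreach ($s in $subjects) {
        [pscustomobject]@{
            Subject = $s
            InDb    = $db.Contains($s)    # trusted for signing boot components
            InDbx   = $dbx.Contains($s)   # revoked: firmware rejects anything chaining to it
        }
    }
}

$status = Get-SecureBootCaStatus
$status | Format-Table -AutoSize

# A CA that appears in dbx is revoked, which is exactly what breaks older
# recovery media signed only under that CA. Flag the two states an admin
# cares about before deciding whether to revoke the 2011 certs on this host.
$pca2011  = $status | Where-Object Subject -eq 'Microsoft Windows Production PCA 2011'
$any2023  = $status | Where-Object { $_.Subject -like '*2023*' -and $_.InDb }
if ($pca2011.InDbx) {
    Write-Warning 'PCA 2011 is in dbx: recovery media signed only by it will not boot on this host.'
} elseif (-not $any2023) {
    Write-Warning 'No 2023 CA is in db yet: this host has not received the new certificates.'
}
```

Run it across a fleet before flipping any revocation, and compare the result against the signing CA of whatever recovery media the organisation depends on.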