I'd like clarity on who (MS or OEM) has responsibility for what in this update.  From what I gather both have to be involved to get it done, but even then the user may have to do some manual work.  It seems way to complicated and unreliable for something Windows is trying to enforce on everyone.

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

Microsoft has said in many places that they're rolling out the updates to Home and Pro systems but this doesn't explain how Windows Server systems will get these updates rolled out. Due to hardware differences between (most) uses of Windows client and (most) uses of Windows server, Windows client SKU CA/KEK update telemetry won't help inform Windows server SKU CA/KEK updates. What's the phasing plan for WS?

---

Edit: MS kinda covered this question in the February AMA at timestamp 27:22, YouTube ID EscGJTKHPdw.

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

Microsoft has said in many places that they're rolling out the updates to Home and Pro systems before Enterprise versions of Windows. But MS hasn't been clear on how fast or slow they're releasing the updates to these device populations. Is it a dice roll on each individual device? Are any "randomized updates" increasing with each LCU or with time-bomb logic? Is it a single gate for an entire bucket all at once? Something else? All of the above?

How are buckets transitioning to high confidence? Microsoft says they need to see enough devices take the update before they mark a device/bucket high confidence, so is this a lottery? Can't have the latter without the former.

---

Edit: I found this PDF which explains the transition in a bit more detail. Page/slide 10. I assume "WIP" means Windows Insider Program.

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

A lot of the discussion has been around how Windows is helping roll out these updates but please expand on how Microsoft is helping our open-source (Linux et al) friends in ensuring these updates are happening ecosystem-wide.

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

Why did the Intune secure boot readiness report only release in 2026? Should've been deployed years ago.

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

Microsoft is leading the rollout of these new certificates but even Hyper-V (at time of writing) won't support the KEK updates until March at the earliest. Why does Microsoft seem unprepared for these updates at the first-party level? Doesn't this compromise the "secure by default" mission? If Microsoft isn't keeping their own platform up to date, why would we expect all other OEMs will be ready in time for the expiration dates?

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

Please expand on the role of "default" vs "active" secure boot variables, what the general practice of firmware vendors is, and what this means for IT pros.

---

Edit: MS covered this question well in the February AMA at timestamp 15:44, YouTube ID EscGJTKHPdw.

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

The promise of UEFI was to make things more standardized and easy. Why then does this seem like such a complicated update with so many moving parts? Does it boil down to things like OEMs being ... frugal ... on how much NVRAM they install on systems or taking too many liberties with the specs?

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

In the web PKI, the "leaf" certificates can be easily chained back to the root CA/trust anchor. If UEFI were sensible, the same thing would be done with secure boot and we could avoid needing to deploy separate KEK and DB/CA certificates and simply include a signed chain (up to the KEK) with every bootmgr. Why don't we? Does it all come down to revocation checks being impractical (but isn't that the case anyway and why we have a DBX)? What's the engineering challenge that makes what we're doing now the "least worst" option?

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

This question/comment comes with 20/20 hindsight.

In the web PKI, general practice is to replace CAs LONG before they expire to allow plenty of time to transition. Why did industry take so long to start replacing these certs? Would have been better to start replacing these certs back in 2018 or 2019 at their half-life.

In case you didn't notice, hardware has become expensive and (for some customers) it's harder and harder to ask for budget just because devices are long in the tooth. Rolling out these keys/certs back in 2018/2019 would have made this far less of an issue when it comes to hardware lifecycles.