Event details
For devices that have been offline for an extended period, or newly imaged devices that may have been sitting on a shelf for months, what should we expect regarding the Secure Boot certificate updates?
My understanding is that the Secure Boot update process will still run once the device is updated, and that devices whose default Secure Boot databases (DB/DBX) still contain the 2011 certificates will ultimately receive the 2023 certificates through the update process. Is that correct?
Additionally, if a device already ships with the 2023 certificates present in the firmware's default Secure Boot databases, how long should it take before the Windows bootloader transitions from using the 2011 certificate chain to the 2023 certificate chain? Is there a specific trigger or state change required for that transition?
For example, I have a device where the BIOS shows the 2023 certificates are present, but the bootloader still reports that it is using the 2011 certificates. Is that an expected intermediate state, and if so, what exactly does it indicate about the device's Secure Boot configuration? Or are we overthinking the distinction between the firmware certificates and the active bootloader signing chain?