I'm hoping someone from Microsoft can clarify a conflict regarding Secure Boot certificates. I've heard two things that seem contradictory: First, Microsoft has stated in multiple AMAs that once the 2011 certificates expire, the 2023 certificates can still be added to the KEK and DB without changing the update process. Second, Microsoft claims that devices without the new 2023 certificates will face a degraded security situation and won't be able to receive new security updates for the DB and DBX after the expiration. If we can add the 2023 certificates post-expiration, why can't we also receive future security updates?
2 Answers
You'll definitely be able to add updates, but getting the 2023 certs in place is a must beforehand. Think of it as a prerequisite—install that first and then you're good to go!
If your system is using Secure Boot but the vendor hasn't released a BIOS update (like with ESXi 7), the system should still boot. However, it will be running in a degraded security mode, meaning it won't have the latest security measures. You're essentially running on outdated security. Just keep in mind that while it will operate, you're missing out on crucial updates.
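The two answers above hinge on whether the 2023 certificates are actually enrolled in the KEK and db on a given machine. The following PowerShell script is an added example, not code from the original thread or from Microsoft; it reads the Secure Boot KEK and db variables with the built-in `Get-SecureBootUEFI` cmdlet, walks the EFI_SIGNATURE_LIST structures in the payload, and lists every X.509 certificate with its expiry, then reports whether the 2023 CAs are present. The EFI_CERT_X509_GUID value and the structure layout come from the UEFI specification; the 2023 subject names are the ones Microsoft publishes for the refreshed CAs and are treated here as assumptions to compare against the documentation for your platform. It is read-only and changes nothing.

```powershell
# Added example (not from the original thread): inventory the X.509 certificates
# enrolled in the Secure Boot KEK and db and flag whether the Microsoft 2023 CAs
# are present. Run in an elevated PowerShell session on a UEFI system; the
# SecureBoot module ships with Windows.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)

# Subject CNs expected per variable after the 2023 refresh. Assumption: these are
# the published Microsoft names; verify against current Microsoft documentation.
$Expected2023 = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
}

function Get-SecureBootX509Certs {
    param([Parameter(Mandatory)][string]$VariableName)   # 'KEK' or 'db'
    $bytes  = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $offset = 0
    $certs  = @()
    # The variable payload is a chain of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    #   | UINT32 SignatureSize | header | EFI_SIGNATURE_DATA[] (owner GUID + data)
    while ($offset + 28 -le $bytes.Length) {
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        # Stop on a malformed list rather than reading past the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # Skip the 16-byte SignatureOwner GUID; the rest is the DER certificate.
                $derLen = $sigSize - 16
                $der = New-Object byte[] $derLen
                [Array]::Copy($bytes, $pos + 16, $der, 0, $derLen)
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

foreach ($var in 'KEK', 'db') {
    Write-Host "== $var =="
    $found = Get-SecureBootX509Certs -VariableName $var
    foreach ($c in $found) {
        Write-Host ("  {0}  (expires {1:yyyy-MM-dd})" -f $c.Subject, $c.NotAfter)
    }
    foreach ($name in $Expected2023[$var]) {
        $present = $found | Where-Object { $_.Subject -like "*CN=$name*" }
        $status  = if ($present) { 'present' } else { 'MISSING' }
        Write-Host "  2023 check: $name -> $status"
    }
}
```

On a machine that has not yet received the 2023 certificates, the db listing will show only the 2011-era entries and the 2023 checks report MISSING; that is the state the answer above describes as degraded, and it is the condition to fix (via the vendor firmware update or Microsoft's servicing) before the 2011 certificates expire. `Get-SecureBootUEFI` throws on legacy BIOS systems or where Secure Boot is unsupported, which is itself a useful signal in an inventory run.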

So, if I understand you correctly, even without the newer certificates, my system can still boot up, but I just won’t have those security enhancements? That’s kind of a worrying thought!