Which installations are affected because of Microsoft Secure Boot Keys Updates? - dcasota/Lenovo83BY GitHub Wiki

Nowadays, desktop and laptop manufacturers ship the certificates required for Secure Boot in the firmware of devices that come with Windows 11 pre-installed. They maintain these certificates through firmware updates, which users should install. This might be new information for many non-power users. If the required firmware updates are applied along with the Microsoft security updates, users will likely notice little difference, which is the goal.

It's unlikely that the old root certificate "Windows Production PCA 2011" will be removed from existing hardware, as doing so would prevent the operating system in its original purchased state from starting. For Linux-only systems, this issue with the old root certificate "Windows Production PCA 2011" does not arise.

Users who want to secure their system will likely need to update the Secure Boot certificates manually. This also applies to updating the Recovery Drive.

Additional scenarios that may require manual intervention include:

  • Offline systems

  • Cloned hard drives or changes to the EFI System Partition

  • Adding a second hard drive and/or TPM 2.0 chip post-purchase

  • Dual-boot Windows/Linux configurations

  • Type-1 or Type-2 hypervisors on a desktop/laptop

  • Custom certificates

  • Activating UEFI SBAT revocations

There may be other scenarios in the regression tree as well. On Linux, you can use tools like systemd-ukify and sbctl, to the best of my knowledge. Encrypting, decrypting, and re-encrypting a hard drive under UEFI in these 7 scenarios poses similar challenges to those encountered with closed-source Windows.
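As an added example (not code from this wiki or from the tools it names), the following Python script parses the Secure Boot db/dbx variable format (concatenated EFI_SIGNATURE_LISTs) and lists the X.509 CAs it contains, so you can see whether an installation still trusts "Windows Production PCA 2011" or already carries the newer "Windows UEFI CA 2023". It assumes a Linux system exposing the variables under /sys/firmware/efi/efivars, the sample_db() input is constructed from pseudo-certificates rather than real DER, and the commonName extraction is a heuristic byte scan, not a full ASN.1 parser.

```python
import struct
import uuid
from pathlib import Path

X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID
CN_OID = b"\x06\x03\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (commonName)

def parse_esl(data: bytes):
    """Yield (SignatureType, SignatureData) per entry of concatenated EFI_SIGNATURE_LISTs (db/dbx layout)."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            yield sig_type, data[pos + 16:pos + sig_size]  # skip the SignatureOwner GUID
            pos += sig_size
        off += list_size

def x509_common_name(der: bytes) -> str:
    """Library-free heuristic: subject follows issuer in a TBSCertificate, so the last CN found is the subject's."""
    idx, cn = 0, ""
    while (hit := der.find(CN_OID, idx)) != -1:
        pos = hit + len(CN_OID)
        if pos + 1 < len(der) and der[pos] in (0x0C, 0x13) and der[pos + 1] < 0x80:
            cn = der[pos + 2:pos + 2 + der[pos + 1]].decode("latin-1")
        idx = pos
    return cn

def list_certs(blob: bytes) -> list[str]:
    """Subject CNs of all X.509 entries; hash entries (typical in dbx) are skipped."""
    return [x509_common_name(d) for t, d in parse_esl(blob) if t == X509_GUID]

def read_efivar(name: str) -> bytes:  # "db" or "dbx"; efivarfs prepends 4 attribute bytes (Linux only)
    return Path(f"/sys/firmware/efi/efivars/{name}-d719b2cb-3d3a-4596-a3bc-dad00e67656f").read_bytes()[4:]

def build_esl(sig_type: uuid.UUID, sig_data: bytes) -> bytes:  # one-entry list, used for sample input
    sig_size = 16 + len(sig_data)
    return (sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + uuid.UUID(int=0).bytes_le + sig_data)

def sample_db() -> bytes:
    """Constructed db stand-in: pseudo-certs carrying only issuer/subject CNs (not real DER) plus a SHA-256 entry."""
    def pc(issuer: str, subject: str) -> bytes:
        return b"".join(CN_OID + b"\x13" + bytes([len(n)]) + n.encode() for n in (issuer, subject))
    return (build_esl(X509_GUID, pc("Microsoft Root Certificate Authority 2010", "Windows Production PCA 2011"))
            + build_esl(X509_GUID, pc("Microsoft RSA Devices Root CA 2021", "Windows UEFI CA 2023"))
            + build_esl(uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"), bytes(32)))  # EFI_CERT_SHA256_GUID
```

On a live system, pass read_efivar("db") or read_efivar("dbx") to list_certs instead of sample_db(); a db that lists only the 2011 CA and no 2023 CA is one of the installations this page is about.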