
Although support for Windows 8 has long since ended, Windows 11 still retains UEFI digital certificates issued during the Windows 8 era. These certificate authority (CA) certificates are used to sign and validate other certificates.
The CA certificates and cryptographic keys reserved by Microsoft at the time were issued in 2011, while Windows 8 was officially released in 2012. These CA certificates have a validity period of 15 years, meaning they are set to expire in 2026.
Once these outdated CA certificates expire, critical components such as bootloaders, drivers, firmware, and other essential system elements could fail to authenticate their integrity and validity. To prevent such issues, Microsoft is preparing to update the CA certificates.
In the Windows 11 KB5034765 and Windows 10 KB5034763 updates released in February 2024, Microsoft has already begun the process of updating these certificates. Additionally, the company now offers a standalone PowerShell script designed to assist IT administrators and professionals in updating CA certificates seamlessly.
This new set of CA certificates, referred to as Windows UEFI CA 2023, allows IT administrators to update the Windows Boot Manager’s certificates, ensuring compatibility with the latest security standards.
The script supports updating the certificates for various bootable media types, including:
- ISO CD/DVD image files
- USB flash drives
- Local drive paths
- Network drive paths
To execute the update, Windows ADK (Assessment and Deployment Kit) must be installed in advance, as the script will not function without it. Once the necessary preparations are complete, the script can be utilized to successfully apply the certificate updates.
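Before and after running Microsoft's update script, an administrator will want to confirm two things: that the Windows ADK prerequisite is present, and whether the firmware's Secure Boot signature database (db) already carries the Windows UEFI CA 2023 certificate alongside the 2011-era CA that is due to expire. The following PowerShell is an added example written for this article; it is not Microsoft's script. It assumes an elevated session on UEFI firmware (Get-SecureBootUEFI fails on legacy BIOS or without admin rights), and the registry path used for the ADK check is an assumption based on what the ADK installer normally writes. It parses the raw EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI, so it also lists any other X.509 entries and their expiry dates, not only the Microsoft ones.

```powershell
# Added example (not Microsoft's script): inspect Secure Boot db for the
# Windows UEFI CA 2023 certificate and report soon-to-expire CA certificates.

# EFI_CERT_X509_GUID: signature lists of this type hold DER-encoded certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Test-WindowsAdkInstalled {
    # Assumption: the ADK installer records its root under this key (KitsRoot10).
    $key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Kits\Installed Roots'
    $root = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).KitsRoot10
    return [bool]($root -and (Test-Path $root))
}

function Get-SecureBootDbCertificates {
    param([string]$Name = 'db')   # 'db', 'dbx' or 'KEK'; only X.509 entries are returned
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    # The variable is a sequence of EFI_SIGNATURE_LIST records:
    #   SignatureType (16-byte GUID), SignatureListSize, SignatureHeaderSize,
    #   SignatureSize (UINT32 each), then the header, then the signature entries.
    while ($offset + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list; stop parsing
        if ($type -eq $EfiCertX509Guid) {
            $sigOffset = $offset + 28 + $headerSize
            while ($sigOffset + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the DER certificate.
                $der  = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $sigOffset += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Prerequisite check for the certificate update script described above.
if (Test-WindowsAdkInstalled) { 'Windows ADK: installed' } else { 'Windows ADK: NOT found' }

# Enumerate db and flag the certificates that matter for this rollover.
$dbCerts = Get-SecureBootDbCertificates -Name 'db'
$dbCerts | Format-Table Subject, NotAfter -AutoSize

$has2023 = $dbCerts | Where-Object { $_.Subject -like '*Windows UEFI CA 2023*' }
if ($has2023) { 'Windows UEFI CA 2023: present in db' } else { 'Windows UEFI CA 2023: NOT in db' }

# Anything expiring within a year (covers the 2011-era CAs that run out in 2026).
$dbCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddYears(1) } |
    ForEach-Object { "Expires soon: $($_.Subject) on $($_.NotAfter.ToString('yyyy-MM-dd'))" }
```

Run this once before applying the update to record the baseline, and again afterwards: a successful rollout shows the 2023 CA in db while the 2011 CA remains until Microsoft revokes it. Non-X.509 lists (for example SHA-256 hash entries in dbx) are skipped by design, so pass `-Name 'KEK'` to inspect the key exchange keys the same way.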