Windows 11 certificates

Question

MIcrosoft has made it clear their secure boot key is expiring, My Dell XPS 9570 UEFI was updated a while ago but AFAIK my machine spews no errors installing Windows 11 25H2. Windows 11 seems to more stable but updates and other issues push me to install Windows clean.

My i7-8750H is strong. I installed 32GB DDR4-3200 and the WD SN580 2TB handles the OS and applications. AFAIK this machine with the UHD LCD is still way better than more recent trash with poor graphics quality. UHD panels are expensive.

I hope Dell keeps the certificate updates available in case of a problem.

ejn63 · Answer

Details are here https://www.dell.com/support/kbdoc/en-us/000390990/secure-boot-transition-faq No, that system will not be getting updates -- it is end of life.

HedgeFundManager · Answer

I am only worried about the Dell OEM certificate as MIcrosoft is able enroll new keys to the TPM transparently.

I have all security features enabled such as secure boot. Machine came with Windows 10 which can use secure boot as well.

I have discovered BlackLotus as a possible hazard. CVE-2022-21894

Tesla1856 · Answer

@HedgeFundManager​ ,   1. I am only worried about the Dell OEM certificate as MIcrosoft is able enroll new keys to the TPM transparently. 2. I have discovered BlackLotus as a possible hazard. CVE-2022-21894 1. Not sure which one you mean ... - there is a KEK for the motherboard - there is a PK ... sometimes one or both of those has Dell's name in it. I would have to see a proper report. Remember ... without a recent BIOS update ... if anything is missing from DEFAULT database, you will never get them added there. However, you can (usually sometimes) eventually get them added to CURRENT database.   2. CVE vulnerabilities are usually resolved with an actual BIOS-Firmware update.

XPS

Windows 11 certificates

Was this post helpful?