In Microsoft's page regarding Secure Boot, MS is only requiring the 2023 keys plus "Microsoft Corporation UEFI CA 2011":
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11#14-signature-databases-db-and-dbx
The "Microsoft Corporation KEK CA 2011", "Microsoft UEFI CA 2011" and "Microsoft UEFI CA 2011" will expire in June 2026, while "Microsoft Windows Production PCA 2011" expires October 2026.
These old certificates have security vulnerabilities (Golden Key, Black Lotus) and backdoors, and I heard their hashes are already in the dbx, rendering them useless.
I recommend removing them with the exception of "Microsoft Corporation UEFI CA 2011" to prevent device bricking and also to comply with MS requirements.
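For anyone who wants to see what is actually in their db before touching it, here is an added PowerShell snippet (not from the post above) that walks the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI and lists each X.509 entry's subject and expiry. It assumes an elevated PowerShell session on a UEFI machine where the Secure Boot variables are readable.

```powershell
# Added example: audit the Secure Boot db for X.509 CAs and their expiry dates.
# Assumes an elevated session on UEFI firmware; Get-SecureBootUEFI is a built-in cmdlet.
$db = (Get-SecureBootUEFI -Name db).Bytes
$x509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$offset = 0
$entries = @()
while ($offset -lt $db.Length) {
    # EFI_SIGNATURE_LIST header: type GUID (16), list size (4), header size (4), signature size (4)
    $type     = [Guid]::new([byte[]]$db[$offset..($offset + 15)])
    $listSize = [int][BitConverter]::ToUInt32($db, $offset + 16)
    $hdrSize  = [int][BitConverter]::ToUInt32($db, $offset + 20)
    $sigSize  = [int][BitConverter]::ToUInt32($db, $offset + 24)
    $pos = $offset + 28 + $hdrSize
    $end = $offset + $listSize
    while ($pos -lt $end) {
        # EFI_SIGNATURE_DATA: owner GUID (16) followed by the signature payload
        $owner = [Guid]::new([byte[]]$db[$pos..($pos + 15)])
        $data  = [byte[]]$db[($pos + 16)..($pos + $sigSize - 1)]
        if ($type -eq $x509Guid) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
            $entries += [pscustomobject]@{
                Subject  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
                NotAfter = $cert.NotAfter
                DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
                Owner    = $owner
                # Heuristic only: flags the 2011-era Microsoft CAs discussed in the post
                Is2011   = $cert.Subject -match '2011'
            }
        }
        $pos += $sigSize
    }
    $offset = $end
}
$entries | Sort-Object NotAfter | Format-Table Subject, NotAfter, DaysLeft, Is2011 -AutoSize
```

Run the same loop with `-Name dbx` and the SHA-256 type GUID to compare against revocations; hash entries (EFI_CERT_SHA256_GUID, c1c41626-504c-4092-aca9-41f936934328) are skipped by this snippet since it only decodes X.509 lists.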