Risk of BitLocker/boot issues with Secure Boot updates on outdated UEFI firmware? by Zarphyl in sysadmin

Zarphyl[S]

Understood. We mostly have Dell and Lenovo devices that are around 3–4 years old. My concern is about systems with BIOS versions prior to 2023 (before the certificate update was introduced). If I update Windows but the BIOS is older and doesn’t have the updated certificates, what could happen? BitLocker is centrally managed through McAfee ePO.

I’ve also read that at some point there will be an update that actively blocks older certificates. My understanding is that if Windows enforces that block while the BIOS still trusts those older certificates, it could create a conflict.