Then it can’t be booted with new media. Microsoft has been very, very slow with the automatic rollout of their own key updates, and made just about no progress over the past two years. It’s been manual updates + newly produced systems only.
The trick here is that they have a key-exchange-key that can be used to update the other keys. That doesn’t expire (or rather, not in a meaningful way). But, a Windows image is still only going to boot on a system that trusts the key that was used for it. If you make a Windows image on a 2011 system now, it’s going to be signed with the 2011 key, and it won’t boot on a system that distrusts that key. The same is true in reverse.
Their key update documentation is all available and some enterprises have been on the new key for a while, but it’s a lot of manual work and a lot of problems have popped up, most documented in there. How they’re going to roll this out automatically to normal users isn’t obvious to me. There’s technically nothing stopping a system from trusting both the 2011 and 2023 keys, and I wouldn’t be entirely surprised if they end up never pushing the 2011 revocation.
The keys they use for their own OS don’t truly expire until late 2026, and I expect they’ll do their best to delay it until then, but the next time they have to update their boot manager is going to be painful and introduce all kinds of new problems.
https://ec.europa.eu/commission/presscorner/detail/en/ip_25_1339
Everything regarding enforcement is early stages but what they’re aiming for is much more specific than chat control and is based on existing wording in the Digital Services Act.