Tag: Secure Boot

  • Microsoft June 2026 Patch Tuesday: High Stakes & Hidden Features

    Microsoft June 2026 Patch Tuesday: High Stakes & Hidden Features

    Key Takeaway

    – June 2026 Patch Tuesday is a critical compliance milestone due to June 24 expiration of legacy UEFI Secure Boot certificates.
    – Unpatched devices will lose the ability to receive future boot security updates, including Windows Boot Manager and revocation list updates.
    – CVE-2026-42897, a high-severity XSS vulnerability in Outlook Web Access for on-premises Exchange, is now permanently patched.
    – Major Windows 11 features include NPU monitoring in Task Manager, Shared Audio via Bluetooth LE, and Multi-App Camera support.
    – Users can now set custom local user folder names during clean Windows 11 installations.


    Rollout of June 2026 Security Bundle Begins

Microsoft has officially begun rolling out its June 2026 Patch Tuesday update bundle, turning a routine monthly security deployment into an essential compliance milestone for enterprise networks. Because the 2011-era Secure Boot certificates begin their scheduled expiration on June 24, starting with the Microsoft Corporation KEK CA 2011, IT departments are using this update window to finalize validation across their device fleets.

    New Features for Everyday Users

    While enterprise administrators are focused on long-term boot compliance, everyday Windows 11 users will receive a collection of new, officially documented features. Rather than holding quality-of-life upgrades back for a traditional annual operating system version milestone, Microsoft is using this mandatory quality update to deliver sweeping platform improvements to general system performance, hardware diagnostics, and peripheral management.

    Critical Checkpoint for Corporate Environments

    For corporate environments, the June 9 rollout represents a critical checkpoint in a multi-stage infrastructure transition. According to official Microsoft lifecycle documentation, devices that do not migrate to the newer Windows UEFI CA 2023 certificates ahead of the summer expiration timeline will continue to boot and operate normally under standard conditions. However, Microsoft warns that these non-updated endpoints will lose the ability to receive new security protections for the early boot process, effectively halting future updates to the Windows Boot Manager, Secure Boot databases, and critical vulnerability revocation lists.

    Security Vulnerability and Patch Details

On the security front, administrators are closely monitoring CVE-2026-42897, a high-profile cross-site scripting vulnerability affecting Outlook Web Access in on-premises Exchange Server deployments. With today’s security updates officially delivering the permanent patch to resolve this vulnerability, administrators can finally transition away from the temporary blocks previously managed by the Exchange Emergency Mitigation Service. Today’s quality update bundle also addresses associated system bugs, including a fix for installation failures on devices with 10 MB or less of free space on the EFI System Partition.

    Major Feature Updates for Performance

    Beyond security patches, the deployment introduces a series of major feature updates directly to the Windows 11 client ecosystem under the general performance umbrella. For core system performance, this update officially accelerates app launch behaviors and enhances responsiveness across core shell experiences, specifically targeting micro-stuttering within the Start menu, Search, and Action Center.

    Task Manager and NPU Monitoring

    To accommodate modern hardware requirements, Task Manager now provides significantly improved visibility into local AI workloads by introducing optional columns to actively track Neural Processing Unit utilization, active NPU engines, and dedicated or shared NPU memory allocations.

    Media Management and Sharing Upgrades

    Media management receives a substantial upgrade through the launch of the Shared Audio feature, which utilizes Bluetooth LE Audio broadcast technology to allow two individuals to listen to the same audio stream from a single Windows 11 PC simultaneously using separate connected devices. Capturing and streaming video is also more flexible with the introduction of the Multi-App Camera feature, allowing a single physical webcam feed to be shared across multiple communication applications at the same time alongside a new Basic Camera mode intended to simplify device troubleshooting.

    Custom User Folder Name Option

    Finally, addressing a long-standing infrastructure request, the updated Windows setup experience now allows users to choose an exact custom name for their local user folder directly on the Device Name page during clean system installations, cleanly bypassing automated account abbreviations.

    Global Rollout and Enterprise Monitoring

The mandatory quality update is rolling out globally via Windows Update. Enterprise deployment teams are advised to confirm on each endpoint that the 2023 certificates have actually landed, using the Secure Boot servicing status in the registry and the System event log rather than assuming the update installed, to ensure complete fleet readiness ahead of the June 24 certificate cutoff.

    Systemic Pressure on Corporate Networks

    Beyond the routine security fixes and the critical firmware validation deadlines, today’s deployment cycle underscores the broader systemic pressure facing corporate defense networks. While these automated cumulative updates resolve several active operational exploits, the long-term fallout from recent uncoordinated disclosure waves remains an escalating challenge for enterprise administrators as they brace for the threatened mid-July mass disclosure drop by researcher “Nightmare Eclipse.”

  • June 9 Patch Tuesday: Secure Boot Deadline Looms

    June 9 Patch Tuesday: Secure Boot Deadline Looms

    Key Takeaway

    – June 9 is the final Patch Tuesday before Secure Boot certificates expire on June 24; any unpatched device will lose future boot-security protections.
    – Devices that missed the May deployment now have a compressed 15-day window; treat June 9 as emergency triage, not a normal cycle.
    – Check the UEFICA2023Status registry value with PowerShell; an error code in the adjacent UEFICA2023Error value, or a device that never reaches the completed state after the update, requires immediate manual remediation.
    – Windows Server 2025 with BitLocker Group Policy needs extra caution and a test deployment due to unresolved recovery bug.
    – Completing the certificate transition before June 24 is urgent, but the October 2026 expiration of the Windows Production PCA 2011 remains the most critical long-term risk.


    Microsoft’s Upcoming Patch Tuesday Carries Unprecedented Boot Security Stakes

Microsoft’s June 9 Patch Tuesday is a few days away, and it carries more weight than any routine monthly update. It is the final structured deployment window before the 2011-era Secure Boot certificates begin expiring on June 24, leaving any unpatched device in a degraded boot-security state from that date. The first expiration window runs June 24-27: the Microsoft Corporation KEK CA 2011 expires June 24, the Microsoft UEFI CA 2011 expires June 27, and the Microsoft Windows Production PCA 2011 follows in October. Devices that have not received the 2023 replacement certificates before June 24 will not stop working, but they will lose the ability to receive future boot-level security protections, including updates to the Windows Boot Manager, Secure Boot revocation lists, and fixes for newly discovered boot-chain vulnerabilities.

    Rollout Timeline and Enterprise Pressure

Microsoft has been rolling out the 2023 replacement certificates since February 2026 through cumulative updates, with the May 12 Patch Tuesday advancing that rollout further. Organisations that delayed the May deployment are now facing a compressed window. The gap between June 9 and the June 24 expiration date is 15 days. For enterprise teams managing large device fleets, that is not a comfortable runway. Security analysts have clearly flagged the pressure. The decision to defer May deployment to June has reduced the available window by more than 60 percent. Any organisation assuming June 9 restores a normal deployment timeline is wrong. June 9 is emergency triage for teams that missed May.

    Pre-Deployment Verification Commands

Before June 9, IT administrators should run the following PowerShell command with administrator privileges to check certificate status on any device in question: Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -Name UEFICA2023Status. Microsoft documents three values for this key: "NotStarted", "InProgress" and "Updated"; "Updated" is the expected end state for an OS-driven migration. Crucially, "NotStarted" is not an automatic failure; it often means the device is already covered because the OEM injected the 2023 certificates natively via a recent firmware update, in which case the certificates are present in the firmware db and KEK even though Windows servicing never ran. The real red flags are a device that never leaves "InProgress" after the update has installed and the device has restarted, or an error code populated in the adjacent UEFICA2023Error value. Anything in those states after the June 9 deployment requires immediate, manual remediation.
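The registry check above only tells you what Windows servicing thinks happened; the firmware variables are the ground truth, and the event log shows when servicing actually ran. The following script is an added example, not code from the article or from Microsoft, that combines the three checks into one verdict per device. It assumes the Servicing registry path and value names as Microsoft documents them, the certificate subject strings "Windows UEFI CA 2023" and "Microsoft Corporation KEK 2K CA 2023" as they appear in the db and KEK variables, and TPM-WMI event IDs 1801 (update needed) and 1808 (DB/DBX update applied); treat those IDs as an assumption and confirm them against your own logs.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: verify the 2011 -> 2023 Secure Boot
# certificate transition on one device. Assumptions: the servicing registry
# path/value names as Microsoft documents them, the certificate subject strings
# searched for in db/KEK, and TPM-WMI event IDs 1801 (update needed) and
# 1808 (DB/DBX update applied).

function Get-SecureBoot2023State {
    $state = [ordered]@{}

    # 1. Secure Boot must be on for any of this to matter. The cmdlet throws
    #    on legacy BIOS machines or when the platform does not expose UEFI vars.
    try   { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $state.SecureBootEnabled = $false }

    # 2. Status written by Windows servicing (cumulative update + reboot).
    $svcPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $svc = Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue
    $state.UEFICA2023Status = if ($svc.UEFICA2023Status) { $svc.UEFICA2023Status } else { '<absent>' }
    # DWORDs come back as Int32; mask so 0x8xxxxxxx codes print as unsigned hex.
    $state.UEFICA2023Error  = if ($svc.UEFICA2023Error) {
        '0x{0:X8}' -f ([int64]$svc.UEFICA2023Error -band 0xFFFFFFFF)
    } else { 'none' }

    # 3. Ground truth: read the signature databases out of firmware. An OEM that
    #    shipped the 2023 CAs in a BIOS update shows up here even though the
    #    servicing status above still says NotStarted.
    $state.DbHasWindowsUefiCa2023 = $false
    $state.KekHasKek2KCa2023      = $false
    if ($state.SecureBootEnabled) {
        $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $state.DbHasWindowsUefiCa2023 = $db  -match 'Windows UEFI CA 2023'
        $state.KekHasKek2KCa2023      = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    # 4. Servicing events from the System log, newest first (IDs are an assumption).
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801, 1808
              } -MaxEvents 5 -ErrorAction SilentlyContinue
    $state.RecentEvents = @($events | ForEach-Object { '{0:u} Id={1}' -f $_.TimeCreated, $_.Id })

    # 5. Verdict. Firmware contents win over the registry status, which is why
    #    NotStarted is not treated as a failure on its own.
    $state.Verdict = if (-not $state.SecureBootEnabled) { 'Secure Boot disabled: enable it in firmware first' }
        elseif ($state.UEFICA2023Error -ne 'none') { 'Servicing error reported: remediate manually' }
        elseif ($state.DbHasWindowsUefiCa2023 -and $state.KekHasKek2KCa2023) { 'Transitioned: 2023 CAs present in db and KEK' }
        elseif ($state.UEFICA2023Status -eq 'NotStarted') { 'Pending: no 2023 CAs in firmware yet and servicing has not started' }
        else { 'Incomplete: in progress or partial, re-check after the next reboot' }

    [pscustomobject]$state
}

Get-SecureBoot2023State | Format-List
```

Run it elevated on a pilot machine first. For a fleet, the function body can be shipped with Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-SecureBoot2023State} and the resulting objects exported to CSV, so that only devices whose Verdict is not "Transitioned" need a human to look at them before June 24.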

    Server 2025 BitLocker Issues

Devices running Windows Server 2025 with certain BitLocker Group Policy configurations require extra caution. The boot-to-BitLocker-recovery bug originated in the April 2026 update cycle. The May update resolved it for Windows 11, but the fix for Windows Server 2025 remains pending, and the behaviour is volatile in some configurations. Server 2025 environments should complete a test deployment before rolling June 9 updates fleet-wide. June 9 is also expected to address vulnerabilities discovered since the May 12 release, including any that have entered active exploitation in the weeks between cycles.

    Netlogon Flaw and Active Exploitation

The Netlogon flaw CVE-2026-41089, flagged as actively exploited by the Centre for Cybersecurity Belgium on May 29, is already patched via the May update. Any devices that have not applied that fix should treat June 9 as a double-priority deployment. Completing the Secure Boot certificate transition before June 24 closes the most urgent window but is not the end of the process. The Microsoft Windows Production PCA 2011 certificate, which signs the Windows bootloader itself, expires in October 2026. That is the most structurally significant of the three expirations and the one that carries the greatest long-term boot integrity risk for devices that miss it. June 9 Patch Tuesday is scheduled to release at 10:00 AM Pacific time.

  • Windows Secure Boot Certificates Expiring June 24

    Windows Secure Boot Certificates Expiring June 24

    Key Takeaway

    – The 2011 Secure Boot certificates expire between June and October 2026, with October 19 being the most critical for long-term boot integrity; after expiration, you won’t get new boot-level security updates.
    – The 2023 replacement certificates are rolling out progressively through Windows Update; Windows 11 on supported builds updates automatically, while older hardware and unsupported Windows 10 versions have a tougher remediation path.
    – You still boot normally after expiration, but you lose the ability to receive new Secure Boot database updates, revocation lists, and firmware-level patches for boot vulnerabilities.


    Overview of Secure Boot certificate expiry and its impact

The 2011-era Secure Boot certificates backing boot security on most Windows PCs start expiring June 24, one month from today. Devices without the 2023 replacement certificates will not stop working, but they will lose the ability to receive future boot-level security patches. Windows 11 users on supported builds are being updated automatically, though older hardware and unsupported Windows 10 machines face a harder path.

    Key expiry dates and the 2023 certificate rollout

Three certificates are hitting their end dates: the Microsoft Corporation KEK CA 2011 on June 24, the Microsoft UEFI CA 2011 on June 27, and the Microsoft Windows Production PCA 2011 on October 19. The last one signs the Windows bootloader itself, making October the most critical deadline for long-term boot integrity. Microsoft began rolling out 2023 replacement certificates through Windows Update in January and has advanced the rollout with each monthly update, including this month’s KB5089549.

    What happens after expiry

Your PC will not stop booting. Microsoft says devices with expired certificates will continue to start normally and receive standard Windows updates. What they lose is the ability to receive new Secure Boot database updates, certificate revocation lists, and patches for newly discovered boot-layer vulnerabilities. Boot-level exploits like BlackLotus have specifically targeted this layer, and a device with expired certificates has no patch path against future threats at the firmware level.

    How to check your Secure Boot status

Open Windows Security, select Device Security, and check the Secure Boot section. Microsoft’s support article KB5062710 covers what the expiration means and what steps to take if the update has not been applied. Users on Windows 10 outside the Extended Security Updates program will not receive the new certificates and have no remediation path from June 24 onward.

    • KB5062710 provides details on expiration implications and remediation steps
    • Windows IT Pro Blog and Windows Secure Boot resources offer guidance
    • OEM support may be necessary for older hardware where firmware needs a chain update

    What to do if your system shows outdated status

Some older hardware requires a matching OEM firmware update alongside the Windows certificate rollout, because the new certificate chain must be anchored directly in UEFI firmware. Devices from manufacturers that have stopped issuing firmware updates may stay on the 2011 certificates regardless of what Windows installs. Microsoft’s guidance is to apply the latest update, verify status using KB5062710, and contact OEM support if the 2023 certificates are not showing on a fully updated system.

    References and resources

Official guidance and updates are available from the Windows IT Pro Blog, Microsoft Support (KB5062710), and Microsoft’s Windows Secure Boot resources, which give the official steps for verification and remediation.

  • Windows 11 May 2026 Patch Tuesday Updates Now Available

    Windows 11 May 2026 Patch Tuesday Updates Now Available

    Key Takeaway

    1. The May 2026 Patch Tuesday update for Windows 11 addresses critical security vulnerabilities, including the actively exploited CVE-2026-32202 zero-day, with mandatory deployment for all users.
    2. Xbox mode, a controller-centric gaming dashboard, is now available for all Windows 11 24H2 and 25H2 users, enhancing gaming accessibility.
    3. File Explorer has been improved for stability, faster performance, and expanded archive format support, along with new features like persistent view settings and a “Preview anyway” button.
    4. The update introduces haptic feedback for compatible stylus devices and an AI activity indicator in the Taskbar, along with FAT32 drive support for volumes up to 2TB.
    5. This update accelerates the Secure Boot certificate rollout ahead of the June 24, 2026, start of the certificate expiration window, requiring IT administrators to confirm their devices have received the updated certificates to avoid a boot-security downgrade.

Microsoft has just pushed out its May 2026 Patch Tuesday update for Windows 11, and it is a substantial release. The update, KB5083631, is now rolling out to every supported version of Windows 11, 24H2 and 25H2, bringing systems up to OS Builds 26100.8328 and 26200.8328 respectively. It was first available as an optional preview on April 30 but is now mandatory for everyone. Microsoft normally begins deploying these updates around 1:00 PM Eastern Time.

    The Importance of the Security Patch

On the security front, this patch is especially noteworthy because it coincides with a hard deadline. Today, May 12, is the date set by the Cybersecurity and Infrastructure Security Agency (CISA) for federal agencies to apply the fix for CVE-2026-32202, a zero-day vulnerability in Windows Shell that was actively exploited and patched last month. That patch is included in April’s cumulative update KB5083769; because these updates are cumulative, users who haven’t installed April’s update will receive the fix as part of today’s rollout. Once the rollout begins, Microsoft is expected to publish the full list of security vulnerabilities it addresses through the Microsoft Security Response Center.

    New Features and Improvements

For gamers, Xbox Mode makes its debut today for all Windows 11 24H2 and 25H2 users. It provides a full-screen, controller-first gaming dashboard that can be accessed through Settings, then Gaming, then Xbox Mode, or via the Windows + F11 shortcut. Previously, only users who had manually installed the April preview could access this feature, but it is now part of the OS for everyone.

    File Explorer Gets Better

    File Explorer, the staple for managing files, gets a reliability boost, fixing some crashes that used to happen during login and when interacting with the taskbar. Now, preferences for viewing and sorting files like in Downloads and Documents stay saved even after closing and reopening folders. A handy “Preview anyway” button has been added for downloaded files, making things more convenient. Also, support for more archive formats like UU, CPIO, XAR, and NuGet packages is now built-in, so no more need for third-party tools to extract common file types. Another plus is that File Explorer now opens faster than before the update.

    Haptic Feedback and AI Features

    If you own a compatible stylus or pen device, you’ll notice haptic feedback now. Devices like Surface Slim Pen 2, ASUS Pen 3.0, and MSI Pen 2 will give you tactile responses when you perform basic actions such as snapping or resizing app windows, or aligning objects — all manageable through Settings, then Bluetooth and Devices. An AI-powered agent also starts showing up on the Taskbar, initially linked to Microsoft 365 Copilot Researcher. It displays live updates while generating reports and sends a notification once done. Additionally, FAT32 formatting now supports drives up to 2TB, removing the old 32GB limit, and the Drag Tray feature has been renamed to Drop Tray, with its settings moved for easier access in Settings, then System, then Multitasking.

    Important Security and Compatibility Notes

This update comes at a crucial time because it is the last regular update window before the Secure Boot certificates issued in 2011, used by most Windows devices built between 2012 and 2025, begin to expire. The first of them, the Microsoft Corporation KEK CA 2011, expires on June 24, 2026. Devices that haven’t received the updated certificates enter a degraded security state from that point on: they keep booting, but no longer receive boot-level security updates. Microsoft has been gradually pushing out the updated certificates since February 2026, and this May update continues that process. IT admins are advised to check their fleets to make sure all devices carry the 2023 certificates before June’s Patch Tuesday; otherwise they face reduced boot security.

    Known Issue and Final Advice

There’s one known problem reported: Windows Server 2025 machines with a particular BitLocker group policy may boot into BitLocker recovery mode after installing this update, asking for the recovery key right after restart. Enterprise admins should double-check their BitLocker policy settings prior to deploying these updates. Microsoft says there are no other known issues at the moment, but monitoring feedback is always recommended.
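Neither this note nor the June 9 preview above names the offending policy, so there is nothing to detect; what an administrator can do before deploying on a Server 2025 pilot is make sure a recovery prompt would not be a disaster. The following script is an added example, not code from the articles or from Microsoft: it inspects the OS volume’s protectors, adds a recovery password if there is none so it can be escrowed, and optionally suspends protection for exactly one reboot. It assumes the BitLocker PowerShell module that ships with Windows; suspending for one reboot is a general precaution chosen here, not Microsoft’s stated fix for the bug.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: a pre-deployment BitLocker check for the
# Windows Server 2025 recovery-prompt issue described above. Assumes the
# BitLocker module that ships with Windows. Suspending for one reboot is a
# general precaution chosen here, not Microsoft's stated fix for the bug.

function Test-BitLockerReadyForUpdate {
    param(
        # Opt in to suspending protection across the update reboot.
        [switch]$SuspendForOneReboot
    )

    $os = Get-BitLockerVolume |
          Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
          Select-Object -First 1
    if (-not $os) {
        return [pscustomobject]@{ MountPoint = $null; Actions = @('No BitLocker OS volume found; nothing to do') }
    }

    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $tpmBound = @($os.KeyProtector | Where-Object { $_.KeyProtectorType -in $tpmTypes })
    $recovery = @($os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $actions  = @()

    # A TPM-bound protector seals the volume key to the default PCR 7 profile,
    # which measures the Secure Boot variables, so a db/KEK update changes the
    # measurement and an unclean reseal can land the next boot in recovery.
    # Make sure a recovery password exists and is escrowed before deploying.
    if ($tpmBound.Count -gt 0 -and $os.ProtectionStatus -eq 'On') {
        if ($recovery.Count -eq 0) {
            $updated  = Add-BitLockerKeyProtector -MountPoint $os.MountPoint -RecoveryPasswordProtector
            $recovery = @($updated.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
            $actions += 'Added a recovery password; escrow it (Backup-BitLockerKeyProtector for AD DS or BackupToAAD-BitLockerKeyProtector) before deploying'
        }
        if ($SuspendForOneReboot) {
            Suspend-BitLocker -MountPoint $os.MountPoint -RebootCount 1 | Out-Null
            $actions += 'Protection suspended for one reboot; BitLocker re-arms automatically afterwards'
        }
    }
    if ($actions.Count -eq 0) { $actions = @('No change needed') }

    [pscustomobject][ordered]@{
        MountPoint          = $os.MountPoint
        ProtectionStatus    = [string]$os.ProtectionStatus
        TpmBoundProtector   = $tpmBound.Count -gt 0
        RecoveryPasswordIds = @($recovery | ForEach-Object KeyProtectorId)
        Actions             = $actions
    }
}

# Report-only pass on the pilot machine; add -SuspendForOneReboot when you deploy.
Test-BitLockerReadyForUpdate | Format-List
```

Run the report-only form first and confirm every RecoveryPasswordId is actually present in your escrow (AD DS or Entra ID) before touching production; a suspended volume is unencrypted-in-effect for one boot, so only use the switch on the machines being updated right now.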

  • Windows 10 ESU Update KB5075912 Upgrades 22H2 to Build 19045.6937

    Windows 10 ESU Update KB5075912 Upgrades 22H2 to Build 19045.6937

    Key Takeaways

    1. Microsoft released security update KB5075912 for Windows 10 ESU on February 10, 2026, upgrading versions 22H2 and 21H2.
    2. The update resolves shutdown and hibernation issues for PCs with Secure Launch and Virtual Secure Mode after previous updates.
    3. KB5075912 introduces changes to Secure Boot, including targeting data for issuing new Secure Boot certificates.
    4. Devices may still function without the update, but could enter a “degraded security state” over time if they miss it.
    5. Unsupported versions of Windows won’t receive new Secure Boot certificates unless part of the ESU program, and some may need OEM firmware updates.


    Microsoft has released a security update for Windows 10 Extended Security Updates (ESU) on February 10, 2026. This update, known as KB5075912, upgrades Windows 10 version 22H2 to OS Build 19045.6937, while version 21H2 is updated to 19044.6937.

    Issues Resolved

    According to Microsoft, KB5075912 addresses a problem that affects some PCs capable of Secure Launch with Virtual Secure Mode (VSM) turned on. After installing a Windows security update from January 13, 2026, or later, certain systems might experience issues where they are unable to shut down or hibernate, instead restarting unexpectedly.

    Secure Boot Changes

    Additionally, KB5075912 introduces a change related to Secure Boot. Microsoft has stated that Windows “quality updates” now include targeting data that helps determine if a device is eligible for new Secure Boot certificates. These certificates will only be issued after the devices demonstrate “sufficient successful update signals” to ensure a proper phased rollout.

    Important Information

    In a related post on the Windows Experience Blog released the same day, Microsoft explained that the replacement of the Secure Boot certificates is a comprehensive initiative involving both Windows servicing and OEM firmware. They emphasized that devices will keep functioning even if they miss the update, however, they might enter a “degraded security state” over time. It is also noted that unsupported versions of Windows, such as Windows 10, won’t receive the new certificates unless they are part of the ESU program. Some devices may require an OEM firmware update before they can utilize the certificate changes sent through Windows Update.

    Users are directed to the Microsoft Update Catalog for standalone packages, with KB5075912 entries for Windows 10 (including 22H2) marked on February 10, 2026.

    Lastly, Microsoft’s release notes mention that they are not aware of any current issues related to this update.


  • Microsoft 2026 Deadline for Secure Boot Certificate Expiration

    Microsoft 2026 Deadline for Secure Boot Certificate Expiration

    Key Takeaways

    1. Initial Secure Boot certificates from 2011 will start expiring in June 2026, with all expiring by October 2026.
    2. Microsoft is rolling out new 2023 certificates through regular Windows updates, but some devices may require firmware updates from OEMs.
    3. Devices will still boot normally after expiration, but will lose new protections related to the boot process and updates for vulnerabilities.
    4. Microsoft is transitioning to new certificate authorities and signing updates for Secure Boot components, with guidance for managed devices to implement updates.
    5. Users should not disable Secure Boot as a workaround, and additional resources for support and guidance are available from Microsoft.


    Microsoft is alerting Windows users and IT administrators that the initial Secure Boot certificates that were issued back in 2011 will begin to expire in June 2026, with more expirations occurring through October 2026. The company has started to roll out new 2023 certificates to affected systems via regular Windows updates for many devices.

    Important Updates

    This information was shared in Microsoft’s Patch Tuesday release notes on January 13, 2026, for Windows 11 (KB5074109), specifically under the section titled “Windows Secure Boot certificate expiration.” Here, Microsoft highlights the June 2026 start date and directs users to resources for preparation.

    On February 10, 2026, Microsoft also released KB5079373, which discusses what the expiration entails and confirms that most devices will receive updates automatically. However, some may need firmware updates from the original equipment manufacturer (OEM).

    Booting After Expiration

    Microsoft explains that devices that hit the expiration date will still boot as usual and continue to get standard Windows updates. The main change is that systems without the new certificates won’t gain new protections for the early boot process. This includes updates linked to Windows Boot Manager, Secure Boot databases, revocation lists, and fixes for any newly found vulnerabilities in the boot chain.

    In a broader explanation regarding Secure Boot certificates (KB5062710), Microsoft similarly warns that while everyday usage might seem unaffected, affected machines will gradually lose protection as new threats at the boot level appear.

    Transition to New Certificates

    In its IT guidance, Microsoft lists three Secure Boot certificates that have been in use since the era of Windows 8 and Windows Server 2012, stating they will start to expire in June 2026 and will all be expired by October 2026.

    Microsoft is transitioning devices to certificate authorities from 2023, including new sources for signing updates to the Secure Boot database and Windows boot components. Some environments might need to add separate 2023 certificates depending on what trust is required (like trust related to Option ROM).

    Consumer and Managed Devices

    For the majority of consumer PCs, Microsoft asserts that the new certificates should come through Microsoft-managed updates. However, it warns that some systems might need an OEM firmware update for the new certificates to be applied correctly. Microsoft also discourages users from disabling Secure Boot as a workaround.

    For managed fleets, Microsoft’s guidance provides strategies to inventory, monitor, and implement the updates (including through Intune, Group Policy, and registry methods) before the June 2026 deadline.

    Reports from third-party sources indicate that Microsoft is considering this a “generational refresh” of the boot trust chain, with updates now being delivered via regular Windows servicing for supported devices.
