Microsoft simplifies Windows 11 updates

Microsoft’s May 12 Windows 11 security update did not change the consumer-facing update flow so much as the underlying rollout mechanics for a sensitive class of security fixes. KB5089549 for Windows 11 versions 24H2 and 25H2 adds a new `SecureBoot` folder under `C:\Windows` on eligible devices, according to Microsoft’s release notes. (support.microsoft.com) The folder contains example scripts for organizations managing device fleets and is tied to Microsoft’s ongoing rollout of new Secure Boot certificates before older keys expire in 2026. Neowin first highlighted the addition on May 18 after Microsoft updated the release notes to mention it. ### So what actually changed in Windows 11? KB5089549 adds “a new SecureBoot folder under C:\Windows on eligible devices,” Microsoft said in the release notes for the May 12 cumulative update. (support.microsoft.com) Microsoft said the folder contains example scripts that can be used to detect Secure Boot certificate update status and automate deployment in Active Directory environments. Neowin reported that Microsoft had not mentioned the folder in the initial notes and later added a Secure Boot release note. The publication said the addition centralizes resources under an `ExampleRolloutScripts` folder for administrators handling the certificate rollout. ### Is this about ordinary monthly patches or something narrower? (support.microsoft.com) Microsoft tied the change to Secure Boot certificate updates, not to all Windows 11 security updates. The company said Windows quality updates now include additional “high confidence device targeting data,” which increases coverage of devices eligible to automatically receive new Secure Boot certificates, while keeping the rollout controlled and phased. (support.microsoft.com) Neowin said the scripts are meant to help IT and system administrators automate installation, monitor status and use Group Policy Object deployment in enterprise environments. That makes the change more about reducing manual coordination in certificate rollout than about redesigning Windows Update for all users. (neowin.net) ### Why is Microsoft doing this now? Microsoft said the update addresses security vulnerabilities documented in its May 2026 Security Updates guide and includes Secure Boot-related changes for eligible devices. The company also said devices receive the new certificates only after showing sufficient successful update signals. Neowin said Microsoft began warning in early 2024 that Secure Boot keys would reach 15 years of age in 2026 and were set to expire, prompting the move to newer 2023 certificates. (support.microsoft.com) The publication said updated boot manager files and Secure Boot certificates are important defenses against malware such as bootkits. ### What is in the new folder? Neowin listed several sample PowerShell scripts, including tools to detect certificate update status, aggregate fleet data, deploy Group Policy objects, start rollout orchestration and check rollout status from another workstation. (neowin.net) Microsoft’s release notes do not list every script by name in the excerpt surfaced, but they do say the folder contains example scripts for status detection and automated deployment. (support.microsoft.com) The scripts are split between status collection and rollout execution, according to Neowin. That suggests Microsoft is giving enterprise administrators a packaged way to stage, monitor and complete the certificate rollout with fewer custom steps, though that interpretation comes from the script descriptions rather than a separate Microsoft statement. (neowin.net) ### Are there any related issues with this update? Microsoft’s release notes say KB5089549 also includes a boot manager servicing update intended to improve startup reliability after boot file updates and fix a known issue that could send some devices into BitLocker Recovery after updating boot files. The issue was linked to certain TPM validation settings, including invalid PCR7 configurations, and Microsoft said it could occur after the April 2026 security update KB5083769. (support.microsoft.com) Neowin separately reported that Microsoft had issued workarounds for some KB5089549 installation problems. Microsoft’s support page for the update points users to the Windows release health dashboard for the latest status on the release. (neowin.net) ### What should administrators watch next? Microsoft said the new folder appears only on eligible devices and is intended for organizations with IT professionals actively managing updates across device fleets. The company pointed administrators to its Sample Secure Boot E2E Automation Guide for more detail on using the scripts in Active Directory environments. The next concrete checkpoint is Microsoft’s release health guidance for KB5089549 and the broader Secure Boot certificate rollout as 2026 progresses. (support.microsoft.com) Organizations deploying Windows 11 24H2 and 25H2 will be the named participants using the new scripts as Microsoft continues the phased certificate update. (neowin.net)