Microsoft expires Secure Boot certs

- Microsoft said certificates used by Windows Secure Boot that were issued in 2011 begin expiring in June 2026 and require 2023 replacements.
- Microsoft’s May 12, 2026 Windows 11 update KB5089549 can fail with error 0x800f0922, often when the EFI System Partition has 10 MB free.
- Microsoft directs users to Secure Boot support articles and the KB5089549 release page for updates and mitigation steps.

Microsoft is preparing Windows devices for a June 2026 change in Secure Boot, the trust system that checks boot software before the operating system starts. Support documents published by Microsoft say certificates originally issued in 2011 begin expiring in June 2026 and are being replaced with 2023 certificates. Microsoft also says devices that do not receive the newer certificates will keep starting and taking standard Windows updates, but they will stop receiving future Windows boot manager and Secure Boot security fixes. At the same time, some systems are failing to install the May 12 Windows 11 cumulative update KB5089549 with error 0x800f0922, according to Microsoft support pages.

### Which Secure Boot certificates are expiring in June 2026?

Microsoft said the certificates affected are the original Secure Boot certificates added broadly when Windows introduced Secure Boot support. In a support article, the company said Windows-based devices have carried the same Microsoft certificates in the key enrollment key and allowed signature database, and those certificates are nearing expiration. (support.microsoft.com)

June 2026 is the start of that expiration window. Microsoft’s guidance says the replacement set was issued in 2023 and must be installed so devices can continue to maintain Secure Boot protections against newer boot-level threats. (support.microsoft.com)

### Does an unpatched PC stop booting when the old certificates expire?

Microsoft said no. The company’s support page says devices that have not received the newer 2023 certificates “will continue to start and operate normally,” and standard Windows updates will continue to install. (support.microsoft.com)

Future boot-related protection is the part that changes. Microsoft said devices without the newer certificates will no longer receive future security fixes related to Windows boot manager updates or Secure Boot, leaving the device without those later protections. (support.microsoft.com)

### How is Microsoft telling home users and managed fleets to handle it?

Microsoft’s guidance for home users, schools and businesses using Microsoft-managed updates says the preferred path is to keep Windows Update enabled so the certificate changes can arrive automatically. The company’s Windows IT Pro blog says supported Windows systems should receive the new certificates through Microsoft-managed updates. (support.microsoft.com)

IT-managed organizations have a separate support track. Microsoft published a guidance page for organizations and another troubleshooting page updated on May 1, 2026, with steps for checking certificate status and updating devices before the June deadline. (support.microsoft.com)

### What is happening with KB5089549?

May 12, 2026 is the release date Microsoft lists for KB5089549, the cumulative security update for Windows 11 versions 24H2 and 25H2. The support bulletin says the package includes security fixes and improvements carried forward from the prior preview release. (support.microsoft.com)

Microsoft’s support forums and Q&A pages show some users reporting installation failures for KB5089549 with error 0x800f0922. A Microsoft Q&A page published two days ago says the issue is known and is commonly caused by limited free space on the EFI System Partition, especially when 10 MB or less is available. (support.microsoft.com)

### Why does the 0x800f0922 error matter in the same month?

The EFI System Partition is part of the boot chain. Microsoft’s Q&A guidance ties the KB5089549 failure to low free space on that partition, and Secure Boot certificate updates also touch pre-boot trust components stored in firmware and related boot infrastructure. Microsoft has not said the two issues are the same bug, but the overlap means administrators are dealing with boot-path maintenance and a cumulative update failure in the same period. (learn.microsoft.com) That is an inference from Microsoft’s separate support documents.

Microsoft’s published mitigation for the KB5089549 failure is a supported registry-based workaround for the EFI System Partition issue, according to the Q&A page. The company’s KB article for the update also directs users to Windows release health for the latest status on the release. (learn.microsoft.com)

### What should admins watch next?

June 2026 is the date Microsoft names for the start of certificate expiration, and the company has already published separate support pages for consumers and IT-managed organizations. Those pages, along with the KB5089549 support bulletin, are the main places Microsoft is using to post instructions and status updates. (learn.microsoft.com)

May 1, 2026 is the last-updated date on Microsoft’s Secure Boot troubleshooting page, and May 12, 2026 is the release date on KB5089549. Microsoft said supported Windows systems should receive the newer Secure Boot certificates through normal update channels, while administrators with managed fleets can use the company’s published guidance to verify readiness before the June rotation window. (learn.microsoft.com) (support.microsoft.com)
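A readiness check covering both issues described above, as an added example that is not taken from the article or from Microsoft's guidance pages: it reports whether the 2023 certificates are present in the KEK and db firmware variables and whether the EFI System Partition is above the 10 MB free-space level tied to 0x800f0922. The certificate common names are an assumption (Microsoft's 2023 CA names, which the article does not list), and the function names are hypothetical.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI device.
# Assumption: these are Microsoft's 2023 certificate common names; they are not listed in the article.
$expected = [ordered]@{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
}
$espFloorMB = 10   # free-space level the article ties to error 0x800f0922

function Test-SecureBootCert {
    param([string]$Variable, [string]$CommonName)
    # The variable holds DER certificates; the subject CN is stored as readable
    # text inside them, so a string search is enough for a presence check.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($CommonName)
}

function Get-EspFreeMB {
    # Locate the EFI System Partition by its GPT partition type GUID.
    $esp = Get-Partition | Where-Object { $_.GptType -eq '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' } |
        Select-Object -First 1
    if (-not $esp) { return $null }
    $vol = $esp | Get-Volume
    if (-not $vol) { return $null }
    [math]::Round($vol.SizeRemaining / 1MB, 1)
}

try {
    $secureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Cannot query Secure Boot (legacy BIOS or not elevated): $($_.Exception.Message)"
    return
}

$report = foreach ($var in $expected.Keys) {
    foreach ($cn in $expected[$var]) {
        [pscustomobject]@{ Check = "$var contains '$cn'"; Result = (Test-SecureBootCert $var $cn) }
    }
}
$freeMB = Get-EspFreeMB
$report += [pscustomobject]@{ Check = 'Secure Boot enabled'; Result = $secureBootOn }
$report += [pscustomobject]@{ Check = "ESP free space above $espFloorMB MB ($freeMB MB free)"
                              Result = ($null -ne $freeMB -and $freeMB -gt $espFloorMB) }
$report | Format-Table -AutoSize
```

The script reports presence per certificate rather than a single pass/fail verdict, so the output can be compared against Microsoft's guidance for the specific device.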
