On June 9, 2026, Microsoft released KB5095185, a routine-looking Safe OS Dynamic Update for Windows 11 version 26H1. The update tunes the recovery and setup environment, but tucked inside is a stark reminder: the Secure Boot certificates that have guarded Windows PCs since 2011 begin expiring this month, and users need to ensure their devices are ready.
At first glance, KB5095185 is forgettable. Safe OS Dynamic Updates service the Windows Recovery Environment, setup files, and preinstallation components—the plumbing that lets Windows install, repair, and reset itself. They rarely make headlines. But this one carries a note that Microsoft has been amplifying for months: long-lived Secure Boot certificates are aging out, and while most home PCs have already been silently updated, anyone managing a fleet or nursing older hardware needs to pay attention.
What Actually Changed in This Update?
KB5095185 itself doesn’t deploy the new certificates. Its payload is a refresh of recovery and setup binaries for Windows 11 26H1. Microsoft is using the update channel to push the same warning it has been surfacing elsewhere: Secure Boot certificates issued in 2011 expire in stages starting in June 2026. The exact timeline stretches into October, affecting three specific certificates:
- Microsoft Corporation KEK CA 2011
- Microsoft Corporation UEFI CA 2011
- Microsoft Windows Production PCA 2011
Their replacements—a family of 2023 certificates—have been trickling out to consumer and non-managed business devices for months via Windows Update. If your PC is already running the new trust material, this update is a non-event. If not, Microsoft’s tone is deliberately calming: “Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install.” That sentence does a lot of work to prevent panic.
The nuance is that “operate normally” does not equal “fully secured.” A PC that hasn’t absorbed the 2023 certificates will keep booting and patching, but it will be locked out of future boot-level protections that depend on the new trust chain. Think of it as a security posture that gradually degrades rather than a sudden blue screen.
What It Means for You
For Home Users and Unmanaged PCs
If you’re on a single Windows 11 machine that’s been kept up to date, you’re almost certainly covered. Microsoft says it has been updating consumer devices for the past months. The simplest check is to open the Windows Security app, select Device security, and look for the Secure Boot status. If you see a green checkmark and no warning about certificate expiration, you’re all set. If a warning does appear, staying current with Windows Update should eventually resolve it—Microsoft continues to push the certificates through regular servicing.
What you should not do: disable Secure Boot or fiddle with UEFI settings unless you’re certain about what you’re changing. For most home users, the correct action is literally nothing beyond keeping Windows Update enabled.
For IT Administrators
Enterprise fleets are the real stress point. Microsoft’s Secure Boot Playbook for Windows clients and Windows Server spells out a multi-step verification process:
- Inventory your devices. Identify which models and firmware versions are in play. Older hardware may need a firmware update before it can accept the new certificates reliably.
- Monitor event logs. Look for event IDs 1801 (remediation not applied) and 1808 (new certificates present). These tell you which machines have made the transition.
- Pilot a representative sample. Test the certificate update on a handful of typical hardware configurations, including any long-life industrial or branch-office PCs that often fall behind.
- Watch for BitLocker recovery prompts. Changes in firmware state can trigger recovery. Test that scenario before broad rollout.
- Don’t rely solely on automatic updates. Microsoft’s automated deployment is a help, not a substitute for fleet validation.
The managed-device challenge is that Secure Boot certificate updates are not purely a Windows software exercise. They require firmware to participate correctly, and if a device’s UEFI is stale or abandoned by the OEM, Windows can be ready while the platform is not. This is where older, unsupported hardware becomes a genuine risk pocket.
For Developers and Power Users
The certificate rollover also affects anyone who runs custom bootloaders, dual-boots Linux, uses recovery tools, or depends on anti-cheat systems. Many Linux distributions and third-party utilities signed with the 2011 Microsoft UEFI CA will eventually need to be re-signed with the 2023 chain. Some game anti-cheat systems that lean on Secure Boot attestation may see compatibility hiccups if trust becomes inconsistent across a user base. If you maintain bootable utilities or deployment images, now is the time to validate them against the new certificate landscape.
How We Got Here: A 15-Year-Old Foundation Reaches End of Life
Secure Boot became mainstream with Windows 8 and the UEFI era, establishing a chain of trust before the OS loads. The idea was simple: unsigned bootloaders and tampered early-start components would be blocked before they could compromise the boot process. To make that work, Microsoft embedded a set of signing certificates in the UEFI firmware of most Windows PCs. The 2011 certificates—KEK, UEFI CA, and Production PCA—became the root trust for an entire ecosystem.
Fifteen years is an eternity in cryptography. Certificates expire by design, forcing periodic renewal. Microsoft began issuing replacement certificates in 2023, and since late 2025 it has been progressively distributing them through Windows Update. The June 2026 deadline is simply when the oldest anchors officially cease to be valid for new signing operations. Microsoft’s communication has been a balancing act: emphasize that most PCs won’t break, while making clear that staying on the old certificates is a security dead end.
What to Do Now
The action plan varies sharply by user profile:
- Home user on a supported Windows 11 PC: Confirm Windows Update is on and check Windows Security. If no warning appears, you’re done. If you see a certificate-expiration alert, stay connected to the internet and allow updates to complete; recheck after a few days.
- Enterprise admin: Download the official Secure Boot Playbook for Windows clients and Windows Server from Microsoft Learn. Start an inventory, set up event-log monitoring for 1801 and 1808, and contact OEMs for any hardware that cannot ingest the update. Begin testing on pilot machines, paying special attention to BitLocker behavior.
- User of unsupported Windows versions (such as Windows 10): Microsoft has tied certificate availability to supported editions. Windows 10 machines that have not moved to 11 or received extended security updates are at risk of missing the new certificates entirely. The only reliable path is to upgrade to Windows 11 or replace the hardware. Running an unsupported OS has always been a security gamble; this time the gamble involves a core piece of pre-OS trust.
- Developer/tool maintainer: Re-sign any bootable media or custom UEFI applications with the 2023 certificates. Test anti-cheat compatibility on both the old and new trust chains. Check with your Linux distribution for updated shim loaders that align with the new Microsoft UEFI CA.
Outlook
KB5095185 is not the final word; it’s a marker in a longer campaign. Microsoft will keep pushing the 2023 certificates through standard servicing for months, and future Windows feature updates will almost certainly assume the newer trust anchors are present. The company’s quiet-yet-firm messaging suggests that while a catastrophic boot failure is off the table, the era of the 2011 certificates is emphatically over. For the vast majority of users who let Windows Update do its job, the transition will be invisible. For everyone else, the window to act is now. The next wave of boot-hardening features won’t wait for stragglers.
Update, June 10, 2026: Added context on event ID 1801 and 1808 monitoring for IT admins.