Microsoft published KB5087594 on May 12, 2026, as a Safe OS Dynamic Update exclusively for Windows 11 version 23H2. This release is not just another routine patch—it is a direct response to the impending expiration of the Microsoft Corporation UEFI CA 2011 certificate, scheduled to occur in June 2026. For any device relying on Secure Boot, the consequences of ignoring this update are severe: an unbootable system and a recovery process that could leave even seasoned IT administrators scrambling.
The Secure Boot certificate infrastructure underpins the trust relationship between Windows and your PC’s firmware. When the current signing certificate expires, firmware will reject bootloaders signed by it unless the UEFI revocation list and the boot environment have been proactively updated to accept a new, valid certificate. KB5087594 is one component in a larger, multi-year rollover effort Microsoft initiated after the BootHole vulnerability exposed the fragility of the old CA. With the deadline now just weeks away, this Safe OS Dynamic Update targets a critical blind spot—the Windows Recovery Environment (WinRE)—and forces admins to take action before user machines turn into expensive paperweights.
Secure Boot and the Certificate Trust Chain
Secure Boot, a UEFI firmware feature, verifies that every binary loaded during the boot process carries a valid digital signature from a trusted certificate authority (CA). The logic is simple: if the signature can be traced back to a CA in the platform’s “db” (authorized signature database), execution proceeds; if not, the firmware halts the boot and throws a “Secure Boot Violation” error. For over a decade, the primary root of trust for most Windows PCs has been the Microsoft Corporation UEFI CA 2011 certificate.
This certificate, issued by Microsoft’s offline root CA, is baked into the firmware of millions of devices. Its serial number and associated public key are part of the UEFI Secure Boot Forbidden Signature Database (dbx) update mechanisms. When a CA certificate expires, any UEFI application or OS loader signed with that certificate will be considered invalid—even if the certificate itself is still present in the db. Expiration acts as a hard stop. Microsoft’s own Windows Boot Manager, OS loaders, and recovery tools are all signed by the 2011 CA, so the expiration event directly threatens the ability of Windows to start on any non-updated system.
The BootHole incident of 2020 forced Microsoft to accelerate its plans. To close a vulnerability in the GRUB2 bootloader, the company had to revoke several third-party UEFI signatures and begin planning the deprecation of the 2011 CA. The full rollout has been staggered: initial revocation updates began in 2021 with KB5005699, which updated the dbx list; Windows 10 and 11 received servicing stack updates in 2023 and 2024 to introduce trust for the new Microsoft UEFI CA 2023 certificate. KB5087594 is the next logical step—ensuring that recovery media and offline servicing images are not left behind.
What a Safe OS Dynamic Update Actually Does
Dynamic Updates are not your typical Patch Tuesday cumulative updates. They are designed to slipstream fixes into Windows installation media or recovery partitions without requiring a full feature update. A Safe OS Dynamic Update targets the “Safe OS,” a term Microsoft uses for the Windows Recovery Environment (WinRE) and, in some contexts, the boot-critical components stored in the Windows\Boot folder.
When you run Setup to install a fresh copy of Windows or upgrade an existing installation, Setup can query Microsoft Update for available Dynamic Updates. These updates get applied on the fly, modifying the boot.wim and WinRE.wim images before the first restart. Similarly, when a device is serviced offline—say, using a deployment tool like Configuration Manager or Microsoft Deployment Toolkit—the Safe OS Dynamic Update can be integrated into the boot image. KB5087594 specifically updates:
- WinRE.wim: The Windows Recovery Environment image, which contains tools like Startup Repair, System Restore, and command prompt access. This WIM is often stored in a dedicated recovery partition.
- Boot.sdi and related boot files: The System Deployment Image and boot configuration data that the firmware reads before handing off control to Windows Boot Manager.
- UEFI revocation list references: While the actual dbx update is handled by a separate firmware update (often delivered through Windows Update as a firmware capsule), KB5087594 ensures the recovery environment can properly validate bootloaders against the new certificate after a dbx update is applied.
The update is not pushed to running systems via Automatic Updates. Instead, it shows up in the Microsoft Update Catalog as a downloadable MSU file. IT professionals either import it into WSUS or manually integrate it into deployment media. For end users, the most common exposure will be through refreshed recovery partitions delivered by their PC manufacturer or as part of a future Windows feature update that reimages the recovery environment.
The June 2026 Deadline: Why Timing Matters
Microsoft has been noticeably quiet about the exact day in June when the 2011 CA certificate expires, but security documentation published alongside earlier updates indicates the certificate’s validity period ends on June 1, 2026, at 23:59:59 UTC. After this moment, any system that has not completed the transition to the new CA will fail Secure Boot verification.
The worst-case scenario is a device that receives a dbx update (which marks the old certificate as untrusted or simply does not include the new CA) before its boot entries are resigned or updated to trust the new certificate. This ordering dependency is where KB5087594 becomes critical. If a user or IT department applies a firmware dbx push without also updating the recovery environment, a subsequent failed boot could leave the device unable to access repair tools—because the recovery WIM itself is still signed by the expired certificate.
Microsoft’s official guidance, detailed in a support article tagged with KB5087594, recommends that organizations begin deploying this update immediately. The update can be applied to both online and offline images. For online servicing (on a running Windows 11 23H2 system), the update simply updates WinRE.wim. For offline servicing, admins must mount the recovery image, inject the update, and commit the changes. The process involves using the Deployment Image Servicing and Management (DISM) tool with commands like:
dism /Mount-Image /ImageFile:"C:\Recovery\WinRE.wim" /Index:1 /MountDir:"C:\mount"
dism /Add-Package /Image:"C:\mount" /PackagePath:"C:\Updates\windows11.0-kb5087594-x64.msu"
dism /Unmount-Image /MountDir:"C:\mount" /Commit
A failure to complete this before the deadline will result in devices that, upon corruption of the main OS, enter WinRE only to be greeted with a blue recovery screen that cannot proceed because the very recovery tools themselves have been flagged as untrusted.
Historical Context: From BootHole to Certificate Rollover
The Secure Boot certificate rollover is not a new decision; it has been in motion for years. In August 2020, researchers exposed the BootHole vulnerability (CVE-2020-10713) in the GRUB2 bootloader, which allowed attackers to bypass Secure Boot on devices with Standard Secure Boot enabled. Microsoft’s initial response was to release a dbx update that revoked vulnerable bootloaders. However, the ecosystem reaction was rocky—some Linux distributions were caught off guard, older devices bricked, and the revocation process itself caused boot failures.
That experience informed the phased rollout of the 2011 CA deprecation. Microsoft realized that a single, sudden revocation would be catastrophic. So they adopted a gradual approach:
- 2021 – KB5005699: Updated the Windows RE and boot managers for Windows 10 and 11 to be able to switch between the old and new certificates. This was the initial seeding of the new Microsoft UEFI CA 2023.
- 2023 – KB5027397 and similar: Enabled devices to boot using the 2023 CA by adding it to the db. The transition was invisible to most users.
- 2024 – KB5031651 and KB5034441: Addressed a BitLocker recovery key issue and updated the Secure Boot DBX on certain platforms. These updates sometimes failed due to insufficient recovery partition size, creating a user headache that Microsoft later patched.
- 2025 – Ongoing firmware updates: PC OEMs pushed UEFI firmware updates that included the new CA and, in some cases, algorithms to automatically accept it after the old CA expires.
KB5087594 is the penultimate piece: it finalizes WinRE’s trust in the 2023 CA so that the recovery environment can work seamlessly once the old certificate becomes void. A final signing update for some third-party UEFI applications is expected in the weeks leading up to June 2026, but for the vast majority of Windows 11 23H2 users, this Safe OS patch closes the last gap.
Impact on Enterprise Deployments and Imaging
Large organizations that maintain custom Windows images or use centralized deployment solutions face a unique challenge. Every existing Windows 11 23H2 installation media, every PXE boot image, and every staged recovery partition must be refreshed with KB5087594. A single overlooked image can lead to a fleet of non-booting machines after the June deadline.
The update integrates into the following scenarios:
- Custom WIMs: If your organization captures a reference image and deploys it via SCCM, MDT, or Intune Autopilot, you must mount the install.wim and inject the Safe OS Dynamic Update. This ensures both the main OS and the recovery image inside the WIM are patched.
- Windows Setup Media: The boot.wim on USB drives or ISO files used for legacy installations can be serviced offline using the same DISM commands. Microsoft has also updated the Media Creation Tool to include this patch in new downloads, but any media generated before May 12, 2026, is likely missing it.
- Virtual Machines: Hyper-V and VMware VMs that use Secure Boot must also be updated. While the virtual firmware’s dbx might not be as strictly enforced, after the CA expiration, Windows will refuse to boot in many configurations.
Microsoft’s documentation explicitly warns that servers running Windows Server 2022 or earlier with Secure Boot enabled are also affected if they rely on the same UEFI CA. Administrators should check their server fleets carefully.
User Experience and Failure Modes
For the average consumer, a PC purchased after 2024 likely already has the new CA in firmware and was shipped with an updated OS image. The risk centers on devices built before 2024 that have been updated to Windows 11 23H2 but have never received a Safe OS Dynamic Update that explicitly trusts the 2023 CA.
If such a device encounters a disk corruption or a driver failure that forces it into recovery mode after June 2026, the recovery sequence will fail. The screen might display “Secure Boot Violation – Invalid signature detected. Check Secure Boot Policy in Setup.” From there, the only recourse is to disable Secure Boot in the UEFI firmware settings, attempt a boot from external media, or reimage the machine. For devices locked with BitLocker, recovery becomes even more complex because disabling Secure Boot triggers a recovery key prompt.
Microsoft has not published a definitive list of affected device models, but community reports suggest that machines with older AMI or Phoenix firmware revisions and those that have not been updated via Windows Update since mid-2023 are most at risk. Enterprise IT teams should check the status of this update across their inventory by querying the presence of the MSU file in the servicing stack. A simple PowerShell check can verify the WinRE version:
# -Index is required: without it Get-WindowsImage returns only basic image info and Version is empty
Get-WindowsImage -ImagePath "C:\Recovery\WinRE.wim" -Index 1 | Select-Object ImageIndex, Version
The version string should reflect the KB5087594 build number. Microsoft has published a table of version numbers on its official support page.
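The one-liner above covers a single image. As an added example (not from the article or from Microsoft's tooling), the following script turns the same check into a per-device status object an inventory tool can filter on: it reads the WinRE build, confirms Secure Boot is enforcing, and looks for the 2023 CA in the firmware db. It assumes an elevated Windows 11 23H2 session, that reagentc reports the active WinRE location (falling back to the article's C:\Recovery\WinRE.wim), and that the 2023 CA's subject contains the text "UEFI CA 2023".

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the article or of Microsoft's companion scripts.

function Get-WinREImagePath {
    foreach ($line in (reagentc /info 2>$null)) {
        # reagentc reports e.g. "Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE"
        if ($line -match 'Windows RE location:\s*(\S.*)$') {
            return (Join-Path $Matches[1].Trim() 'WinRE.wim')
        }
    }
    return 'C:\Recovery\WinRE.wim'   # fallback: the path used in the article
}

function Get-SecureBootRolloverStatus {
    param([string]$WimPath = (Get-WinREImagePath))

    $status = [ordered]@{ Computer = $env:COMPUTERNAME; WimPath = $WimPath }

    # 1. WinRE build: Version is only populated when a specific index is requested.
    if (Test-Path $WimPath) {
        $img = Get-WindowsImage -ImagePath $WimPath -Index 1
        $status.WinREVersion  = $img.Version
        $status.WinREModified = $img.ModifiedTime
    } else {
        $status.WinREVersion = 'WIM not found'
    }

    # 2. Is Secure Boot actually enforcing? (throws on legacy BIOS, so guard it)
    try   { $status.SecureBoot = Confirm-SecureBootUEFI }
    catch { $status.SecureBoot = 'not UEFI / unavailable' }

    # 3. Does the firmware db already carry the 2023 CA? The db variable is a blob of
    #    EFI_SIGNATURE_LISTs in which each certificate's subject appears as ASCII text.
    #    Assumption: the new CA's subject contains 'UEFI CA 2023'.
    if ($status.SecureBoot -eq $true) {
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $status.Has2023CA = [bool]($db -match 'UEFI CA 2023')
        $status.Has2011CA = [bool]($db -match 'Microsoft Corporation UEFI CA 2011')
    }

    # 4. Overall verdict: anything without the 2023 CA in db still needs work.
    $status.NeedsAction = -not ($status.Has2023CA -eq $true)
    return [pscustomobject]$status
}

Get-SecureBootRolloverStatus | Format-List
```

Pipe the object to Export-Csv from a remote session or a management agent to build a fleet-wide view before the June deadline.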
How to Deploy KB5087594 Now
Because KB5087594 is a Safe OS Dynamic Update, it is not delivered automatically. Administrators must take explicit action. The recommended workflow is:
- Download the update from the Microsoft Update Catalog. The file name follows the pattern windows11.0-kb5087594-x64_<hash>.msu.
- Test on a small group of representative devices, ensuring that after application, the recovery environment starts correctly and can perform a system restore or command prompt operation.
- Integrate into deployment shares. For SCCM, this means updating the boot images and OS images used in task sequences.
- Update recovery partitions on existing devices. This can be scripted using DISM to mount the partition, apply the update, and unmount.
- Validate the firmware dbx separately. KB5087594 does not modify the UEFI dbx; that update is typically delivered as a firmware package from the OEM or via a separate Windows Update. Confirm that the device’s firmware has both the old and new CAs currently trusted and that the dbx revocation list is up to date.
Microsoft has also released a companion set of scripts, available on the Microsoft Download Center, that can automate the WinRE servicing for IT pros. These scripts handle partition detection, mount, and package injection, reducing the risk of manual error.
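The recovery-partition step in the workflow above can be scripted in PowerShell with the DISM cmdlets. The function below is an added example, not the article's commands and not Microsoft's companion scripts: it stages the active WinRE.wim with reagentc /disable, mounts it, injects the package, commits, and re-enables WinRE even if servicing fails, so the device is never left without a recovery environment. It assumes an elevated Windows 11 23H2 session, that the KB5087594 .msu has already been downloaded to the path passed in, and that the recovery partition has room for the larger WIM (the failure mode mentioned earlier in the article).

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's DISM commands nor Microsoft's companion scripts.

function Update-WinREOffline {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [string]$MountDir = 'C:\mount',
        # reagentc /disable parks the active WinRE.wim here so it can be serviced offline.
        [string]$StagedWim = "$env:SystemRoot\System32\Recovery\WinRE.wim"
    )
    if (-not (Test-Path $PackagePath)) { throw "Package not found: $PackagePath" }
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

    # 1. Take WinRE offline; this copies the WIM out of the recovery partition.
    reagentc /disable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reagentc /disable failed (exit code $LASTEXITCODE)" }

    $before = (Get-WindowsImage -ImagePath $StagedWim -Index 1).Version
    $after  = $null
    try {
        # 2. Mount, inject the .msu, commit. A failure after mounting discards the
        #    mount so the original WIM is never left half-written.
        Mount-WindowsImage -ImagePath $StagedWim -Index 1 -Path $MountDir | Out-Null
        try {
            Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath | Out-Null
            Dismount-WindowsImage -Path $MountDir -Save | Out-Null
            # Read the version while the serviced WIM is still in the staging location.
            $after = (Get-WindowsImage -ImagePath $StagedWim -Index 1).Version
        } catch {
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
            throw
        }
    } finally {
        # 3. Put WinRE back even if servicing failed. Re-enable is where an undersized
        #    recovery partition shows up, so surface the exit code rather than hiding it.
        reagentc /enable | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Error "reagentc /enable failed (exit code $LASTEXITCODE); check recovery partition size"
        }
    }
    [pscustomobject]@{
        Package       = Split-Path $PackagePath -Leaf
        VersionBefore = $before
        VersionAfter  = $after
    }
}

Update-WinREOffline -PackagePath 'C:\Updates\windows11.0-kb5087594-x64.msu'
```

Compare VersionBefore and VersionAfter against the build table on the support page; an unchanged version after a clean run means the package did not apply to that image.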
The Road Ahead
June 2026 marks the end of an era for the UEFI CA 2011. The certificate rollover is a necessary evolution of the Secure Boot ecosystem, and KB5087594 represents the final push for Windows 11 23H2 to complete its transition. After the expiry, all future Windows boot components will be signed exclusively by the 2023 CA. This includes Windows Insider builds and any subsequent feature updates.
Microsoft has not announced whether Windows 10 will receive a similar Safe OS update. Windows 10’s end-of-support date is in October 2025, so only LTSC editions and a few enterprise configurations with extended support will still be active in June 2026. Those holdouts should plan for an accelerated migration or a one-time scripted patch to their recovery media.
The Secure Boot story does not end here. Industry discussions are already underway to adopt certificate lifetimes shorter than 15 years, and the UEFI Forum is considering mechanisms to allow certificate revocation without the binary on/off switch that caused so much chaos during the BootHole aftermath. For now, KB5087594 is the immediate priority.
Patch Tuesday was once about simple security fixes. Now, it is about engineering the boot chain’s survival. If your Windows 11 fleet is still running without this update, every day that passes without remediation increases the chances of a post-June disaster that cannot be fixed remotely.