Microsoft has released KB5092765, a Setup Dynamic Update for Windows 11 versions 24H2 and 25H2, designed to warn users about the impending expiration of Secure Boot certificates in June 2026. The update, published on May 26, 2026, is available through Windows Update, the Microsoft Update Catalog, and Windows Server Update Services (WSUS). This proactive measure aims to prevent boot failures and installation interruptions caused by outdated Secure Boot signatures during Windows setup or upgrade processes.
What Is KB5092765?
KB5092765 is classified as a Setup Dynamic Update, a special type of servicing update that targets the Windows setup files themselves. Unlike regular cumulative updates that modify a running operating system, Setup Dynamic Updates replace or refresh installation components stored within Windows images (such as install.wim or boot.wim). When incorporated into new installation media or triggered during an upgrade via Windows Update, these dynamic updates ensure that the setup process benefits from the latest compatibility fixes and hardware support before the OS is even deployed.
According to Microsoft, KB5092765 is specifically designed for Windows 11, version 24H2 and the subsequent 25H2 release. It integrates revised setup binaries that now include a check for the validity of Secure Boot certificates. During a clean installation, in-place upgrade, or Feature Update scenario, the updated setup will analyze the system's certificate store and firmware environment to detect certificates that are due to expire before or during June 2026. If such certificates are found, the installer presents a clear warning, advising the user to update their firmware or certificate store before proceeding.
Understanding Setup Dynamic Updates
Setup Dynamic Updates have been a staple of Windows servicing since Windows 10. They serve a critical role in bridging the gap between a largely static ISO image and the rapidly changing hardware ecosystem. When Microsoft identifies a blocking issue—such as an incompatible driver, a Secure Boot vulnerability, or a required firmware update—a Setup Dynamic Update can inject the necessary remediation directly into the setup process.
These updates are typically downloaded automatically by Windows Update when a user initiates a Feature Update or uses the Installation Assistant. For enterprises using WSUS or Configuration Manager, administrators must manually approve and deploy these updates to have them integrated into their offline servicing flows. The Microsoft Update Catalog offers standalone packages for IT pros who need to slipstream the update into custom enterprise images.
KB5092765 follows this model, but its payload is a detection and notification tool rather than a silent fix. The update itself does not extend any certificate validity periods; instead, it provides a mechanism to alert users and prevent a situation where Windows might refuse to boot or complete installation due to expired trust anchors.
The Secure Boot Certificate Expiration Problem
Secure Boot is a fundamental security feature that ensures a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). At the heart of this trust are certificates—digital documents that verify the authenticity of bootloaders, operating system components, and drivers. These certificates are issued by the Microsoft Corporation UEFI CA or by hardware vendors, and they typically have a defined lifespan measured in years.
When a Secure Boot certificate expires, the firmware can no longer use it to validate signatures. If the operating system’s bootloader was signed with an expired certificate, the system may fail to boot entirely, displaying a BitLocker recovery screen or a “Secure Boot Violation” error. For devices already running Windows, this often manifests after a firmware update or a change in system time. But during a fresh installation or upgrade—where the setup environment must load and validate its own boot components—an expired certificate can halt the process before Windows is even installed.
The June 2026 expiration date appears tied to a specific set of certificates widely used by UEFI firmware. Industry-wide certificate expirations have occurred before; for example, the Microsoft Windows Production PCA 2011 certificate expired in 2026, prompting a similar wave of updates across the ecosystem. KB5092765 appears to be Microsoft’s response to this timetable, ensuring that users are made aware of the risk before it becomes a hard failure.
How KB5092765 Helps
When integrated into the Windows setup process, KB5092765 performs a pre-flight check of the local Secure Boot certificate store and the system’s UEFI variable space. If it identifies certificates that will expire on or around June 2026, it displays a prominent warning message. The exact wording of the warning has not been publicly documented as of this writing, but typical notifications from similar compatibility checks read:
“Secure Boot certificate expiration detected. Your device contains a certificate that expires in June 2026, which may prevent Windows from starting correctly. Please contact your device manufacturer for firmware updates before continuing.”
The installer may give users the option to proceed anyway, but with a clear disclaimer that future boot failures could occur. This is especially critical for enterprise deployments where hundreds or thousands of machines might be refreshed using automated installation scripts. Without such a warning, an administrator could unknowingly roll out a Windows 11 image that becomes unbootable in a few months’ time.
KB5092765 also lays the groundwork for subsequent servicing updates that might actually remediate the certificates. By flagging the issue during setup, Microsoft is effectively “lighting up” a signal that can be consumed by other tools, such as PC Health Check or Endpoint Analytics, giving IT pros broader visibility into the health of their fleets.
Deployment and Availability
The update was released on May 26, 2026, and is available through the following channels:
- Windows Update: The update will be automatically offered to devices where a Feature Update to version 24H2 or 25H2 is pending, or where Windows setup is initiated via the Media Creation Tool or Update Assistant.
- Microsoft Update Catalog: Standalone MSU files can be downloaded for integration into offline images or for distribution via third‑party management tools.
- WSUS and Configuration Manager: Administrators can synchronize the update and deploy it to clients as part of their regular servicing cadence.
KB5092765 is specifically a “Setup” update; it will not appear in the regular Windows Update queue for devices that are already running the latest version. Instead, it only manifests when a setup‑related action is triggered. This design keeps the day‑to‑day update stream lean while ensuring that the most critical boot‑time checks are always fresh.
For commercial customers who manage their own Windows images, Microsoft strongly recommends importing KB5092765 into their build processes immediately. Because it is a Setup Dynamic Update, the bits must be injected into both the boot.wim and install.wim images (using tools like DISM) to guarantee coverage for all installation scenarios, including bare‑metal and upgrade installations.
What Users Should Do
For individual consumers, the best course of action is to ensure that Windows Update is allowed to run normally when prompted for an upgrade or a fresh installation. There is no need to seek out the update manually; the setup engine will automatically fetch the latest dynamic updates if an internet connection is present.
However, the real solution to expiring Secure Boot certificates lies in firmware updates. Once KB5092765 warns of an expiring certificate, users should:
- Identify the device manufacturer and model.
- Visit the manufacturer’s support website.
- Search for firmware or UEFI updates released after the 2026 certificate expiration dates.
- Apply the firmware update before proceeding with the Windows installation.
For devices that are already running Windows, it is prudent to check for firmware updates through Windows Update’s “Optional updates” section or by using the manufacturer’s own utility (e.g., Dell Command Update, HP Support Assistant, Lenovo Vantage). Many OEMs push critical UEFI certificate updates as part of their regular BIOS/UEFI rollups, so simply staying current with firmware can resolve the issue preemptively.
Enterprise IT departments should adopt a two‑pronged approach:
- Incorporate KB5092765 into all Windows 11 deployment workflows. Use DISM to service offline images and ensure that the setup warning is present from the very first reboot.
- Audit existing endpoints for expiring Secure Boot certificates. Tools like Windows PowerShell (using the Get-SecureBootUEFI cmdlet) or Microsoft Endpoint Manager can inventory the certificate store and flag machines that need firmware updates. Starting this audit now gives IT teams a runway of several months before the expiration becomes a hard blocker.
The Bigger Picture: Proactive Servicing in Modern Windows
KB5092765 exemplifies a broader shift in how Microsoft handles time‑bombed certificate expirations. In the past, similar issues—like the Trusted Root Certificate Program auto‑update failures, or the SHA‑1 deprecation—were often addressed with emergency out‑of‑band updates that caught many users off guard. By integrating the check directly into setup, Microsoft is pushing the ownership back to the hardware ecosystem while giving users a clear warning.
This approach also reflects lessons learned from the Windows 11 rollout, where old TPM and Secure Boot requirements clashed violently with aging hardware. By issuing a dynamic update months ahead of the June 2026 cliff, Microsoft buys time for OEMs to distribute firmware patches and for enterprises to bake the update into their standard images.
Potential Drawbacks and Limitations
While KB5092765 is a welcome safety net, it is not a silver bullet. The update only warns during Windows setup; it cannot prevent a system that is already running Windows from suddenly failing to boot if its firmware certificate expires after the OS is installed. Moreover, if the user performing the installation dismisses the warning or performs an unattended install with suppressed UI, the warning may go unseen, and the system could still be left vulnerable.
Microsoft has not yet disclosed whether future monthly Patch Tuesday updates will extend the check to running systems. Given the dynamic nature of certificate validation, it is possible that a subsequent servicing stack update might add a runtime check—but for now, KB5092765 is strictly a setup‑time intervention.
Another open question is how the update handles virtual machines. Secure Boot is implemented differently in hypervisors, and expired certificates on a Hyper‑V or VMware platform could affect all guest VMs. The KB article (likely available at https://support.microsoft.com/help/5092765) should be consulted for guidance specific to virtual environments.
Conclusion
KB5092765 arrives as a well‑timed Setup Dynamic Update that arms Windows 11 installations with a crucial pre‑flight check against the looming June 2026 Secure Boot certificate expiration. By injecting this warning directly into the setup experience, Microsoft reduces the risk of a silent, future boot failure that could strand users and generate support incidents.
The update is now available via Windows Update and the Microsoft Update Catalog. While it requires no immediate action for average users beyond accepting the update when offered, enterprise administrators should act now to integrate KB5092765 into their deployment pipelines and begin auditing their fleet for certificate compliance.
As the expiration date approaches, expect additional guidance from Microsoft and OEM partners. In the meantime, keeping both Windows and system firmware current remains the best defense against certificate‑related boot problems—and KB5092765 ensures that anyone installing Windows 11 from now on will receive a clear heads‑up before it’s too late.