Microsoft dropped KB5092765 on May 26, 2026, a fresh Setup Dynamic Update for Windows 11 versions 24H2 and 25H2. The update polishes the Windows setup experience and, more critically, hammers home a dire warning: Secure Boot certificates embedded in many PCs are set to expire in June 2026.

This isn't a security patch or a feature drop. KB5092765 is one of those under-the-radar plumbing updates that keeps Windows installation humming. It replaces older Setup Dynamic Updates, squashing bugs that could trip up a clean install, an in-place upgrade, or a feature update. But tucked inside the release notes is a stark reminder that the clock is ticking on some of the foundational trust anchors that Secure Boot relies on. Ignore it, and you could be staring at a bricked boot screen.

What is a Setup Dynamic Update?

Before you dismiss KB5092765 as just another number in the update catalog, understand its role. Setup Dynamic Updates are the unsung heroes of the Windows servicing stack. Microsoft ships them to fix issues with the installation process itself—things like driver compatibility, disk partitioning logic, or the setup wizard's stability. Without these updates, a clean install from older media might fail on newer hardware, or an in-place upgrade might stall at 88% for no obvious reason.

Think of them as patches for the installer. When you run setup.exe from an updated ISO or kick off a feature update through Windows Update, the system reaches out and downloads the latest Setup Dynamic Update. It then integrates those fixes before proceeding. KB5092765, specifically, supersedes earlier versions (like KB5033167 for 24H2) and ensures that the setup engine can handle the quirks of modern UEFI firmware and disk configurations.

This particular update targets Windows 11 versions 24H2 and 25H2. If you're still on 23H2 or older, the update won't apply, but the underlying Secure Boot issue remains just as relevant. The update is available through Windows Update, the Microsoft Update Catalog, and WSUS. Its size hovers around 40 MB—a tiny package with a heavyweight message.

The Secure Boot Time Bomb

Secure Boot is a UEFI firmware feature that prevents unsigned or malicious code from launching during the PC's boot sequence. It checks each component—firmware drivers, the OS bootloader, and critical system files—against a list of trusted digital signatures stored in the firmware's certificate store. If something doesn't match, the PC won't boot. It's a key defense against rootkits and bootkits.

But certificates have expiration dates. Back in 2011, Microsoft issued the "Microsoft Corporation UEFI CA 2011" certificate, which many PC manufacturers baked into their firmware. That certificate, along with the "Microsoft Windows Production PCA 2011," forms the root of trust for millions of devices. These certs were originally set to expire years ago, but Microsoft extended the deadline multiple times to give the ecosystem time to transition. The latest extension, announced in 2024, pushed the final expiration to June 9, 2026.

KB5092765 serves as another warning shot. When you run setup with this update integrated, it checks your system's Secure Boot certificate database. If it finds the old 2011 certificates still active and no updated 2023-era replacements, it throws up a clear alert: "Your PC's Secure Boot certificates will expire soon. Contact your device manufacturer to install updated firmware." The setup doesn't block the installation, but it makes the risk impossible to miss.

After the deadline, any boot artifact signed only with the expired certificate will be rejected by Secure Boot. This includes Windows Boot Manager (bootmgfw.efi), certain pre-boot drivers, and even some third-party bootloaders. The result: a "Boot Device Not Found" error, an automatic fallback to the Windows Recovery Environment (WinRE), or, in worst cases, a system that refuses to start at all.

Which Systems Are at Risk?

The threat is real but not universal. Any PC that shipped with Windows 8 or early Windows 10 and has never received a UEFI firmware update is likely carrying the 2011 certificates. That encompasses a vast swath of enterprise fleets, budget consumer laptops, and hand-built desktops where the motherboard firmware was flashed once and forgotten.

Newer machines—those built from 2020 onward—generally have the updated certificates. The "Microsoft UEFI CA 2023" and "Microsoft Windows UEFI Driver Publisher 2023" certs were designed to replace the aging 2011 roots. When Microsoft and OEMs ship firmware updates, they slip these new certs into the Secure Boot database alongside the old ones, ensuring a smooth transition. But the key word is "when." If you've been ignoring optional firmware updates in Windows Update or never bothered to download a BIOS update from your manufacturer's support page, your system might still be clinging to the 2011 certs alone.

Virtual machines are another concern. Hyper-V, VMware, and VirtualBox all emulate UEFI firmware. Older VM templates built with out-of-date firmware may face the same expiration cliff. Admins who rely on golden images for mass deployment need to audit those images now.

What KB5092765 Actually Does

KB5092765 doesn't update your firmware's certificate store. It can't. That's the job of a UEFI firmware capsule update, which requires a separate process (often a reboot and a flash sequence). Instead, this Setup Dynamic Update does three things:

  1. Adds the warning check. During a clean install or upgrade, the updated setup engine scans for the presence of the new 2023 certificates. If they're missing, it displays a prominent warning message, complete with a link to Microsoft's documentation and a recommendation to contact your device manufacturer.
  2. Includes the latest boot files. The update packages the bootmgfw.efi and related components, signed with both the old and new certificates. That means the Windows installation itself won't immediately break, even if your firmware hasn't been patched. But this is only a temporary safety net during the installation process. Once the OS is running, future Secure Boot enforcement still depends on your firmware's certificate store.
  3. Polishes the overall setup reliability. Alongside the certificate check, KB5092765 addresses several behind-the-scenes issues. Microsoft's release notes mention fixes for disk detection on NVMe drives with specific controllers, improved error handling when Secure Boot is disabled mid-setup, and a bug that caused certain language packs to fail during an in-place upgrade.

In short, the update is both a messenger and a band-aid. It warns you about the firmware gap and ensures that the Windows setup files themselves won't be the immediate cause of a boot failure.

How to Check Your System and Prepare

Don't wait until June 2026. You can verify your Secure Boot certificate status right now.

Open an elevated PowerShell console and run:

Get-SecureBootUEFI -Name PK

This shows the Platform Key, but the more relevant store is the KEK (Key Exchange Key). Run:

Get-SecureBootUEFI -Name KEK

Look for entries referencing "Microsoft Corporation UEFI CA 2011" and "Microsoft Windows Production PCA 2011." If you see them alongside newer entries like "Microsoft UEFI CA 2023," you're in good shape—the old certs coexist with the new ones. If only the 2011 certs appear, your firmware needs updating.
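Get-SecureBootUEFI returns each variable as a raw byte array, so the certificate names are not readable in the default output. The following added example (not from Microsoft or the original article) parses the EFI_SIGNATURE_LIST structures in PK, KEK and db (the allowed-signature database) and prints each X.509 certificate's subject and expiry date. The function name Get-SecureBootCert is hypothetical, and the script assumes an elevated console on a UEFI system.

```powershell
# Added example: decode the X.509 certificates held in the Secure Boot variables.
# Get-SecureBootCert is a hypothetical helper name, not a built-in cmdlet.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCert {
    param([Parameter(Mandatory)][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    [int]$pos = 0

    # Each EFI_SIGNATURE_LIST starts with a 28-byte header:
    # type GUID (16) + list size (4) + header size (4) + signature size (4)
    while ($pos + 28 -le $bytes.Length) {
        $type = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        [int]$listSize = [BitConverter]::ToUInt32($bytes, $pos + 16)
        [int]$hdrSize  = [BitConverter]::ToUInt32($bytes, $pos + 20)
        [int]$sigSize  = [BitConverter]::ToUInt32($bytes, $pos + 24)

        # Stop on a malformed or truncated list instead of reading past the end
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { break }

        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            [int]$entry = $pos + 28 + $hdrSize
            while ($entry + $sigSize -le $pos + $listSize) {
                # EFI_SIGNATURE_DATA = owner GUID (16 bytes) + DER-encoded certificate
                [byte[]]$der = $bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                }
                $entry += $sigSize
            }
        }
        $pos += $listSize   # non-X.509 lists (for example hash lists) are skipped
    }
}

'PK', 'KEK', 'db' | ForEach-Object { Get-SecureBootCert -Name $_ } |
    Sort-Object Variable, NotAfter | Format-Table -AutoSize -Wrap
```

Compare the Subject column against the 2011 and 2023 certificate names, and use NotAfter to see how close each entry is to expiry.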

Alternatively, use the System Information tool (msinfo32.exe). Expand "System Summary," then "Secure Boot State." It will tell you whether Secure Boot is on, but it won't list individual certificates. For a deeper drill-down, third-party tools like "Secure Boot Certificate Viewer" from GitHub can enumerate the full store.

The fix chain is straightforward:
- For laptops and pre-built desktops: Visit your manufacturer's support website. Search for your model and download the latest BIOS/UEFI firmware. Most major OEMs—Dell, HP, Lenovo, ASUS, Acer—have released updates that integrate the 2023 certificates. Apply the firmware update, then confirm in PowerShell that the new certs appear.
- For custom-built PCs: Check your motherboard vendor's site. ASUS, Gigabyte, MSI, and ASRock have all rolled out BIOS updates that add the necessary certificates. The update may be labeled as "Windows UEFI CA 2023 support" or similar.
- For virtual machines: Update your VM firmware. In Hyper-V, that means updating the VM configuration version (you may need to shut down the VM and use Update-VMVersion). For VMware, look for an updated .nvram file or re-create the VM with a newer hardware compatibility level. For VirtualBox, ensure you're on the latest version and that the EFI firmware includes the updated certificates.
- For enterprise deployments: Use tools like Windows Update for Business, SCCM, or Intune to push firmware updates. Many manufacturers provide tools such as Dell Command Update, HP Image Assistant, or Lenovo System Update that can be scripted into your deployment process.

After applying the firmware update, re-run the PowerShell commands to verify the new certificates are present. Then, if you're planning a clean install or upgrade, slipstream KB5092765 into your installation media or let Windows Update pull it automatically.

The Bigger Picture

The June 2026 Secure Boot certificate expiration isn't a surprise. Microsoft signaled this move as far back as 2019 and formalized the timeline in KB5025885. The company has been gradually deprecating older signing algorithms and trust anchors as part of its broader "secure by default" push. The 2011 certificates rely on SHA-1 and RSA-2048, which are still secure but aging. The 2023 replacements use stronger algorithms and align with industry best practices.

This transition mirrors the SHA-1 end-of-life saga for TLS certificates a decade ago. Then, too, the industry dragged its feet until browsers started throwing scary warnings. Now, the pain point is the boot process. The difference is that a failed Secure Boot check can render a system completely unbootable until someone manually intervenes in the UEFI settings or boots from recovery media.

For the average Windows enthusiast, this update is a low-stress affair. If you keep your motherboard firmware up-to-date and apply monthly Windows patches, you likely already have the new certificates. If you're the go-to tech support for friends and family, though, expect a few panicked calls in June 2026 as older PCs suddenly refuse to start.

KB5092765 is a quiet but critical piece of the servicing puzzle. It won't grab headlines like a new Copilot feature or a Taskbar redesign, but it could save you from a world of frustration when the certificate deadline finally arrives. Apply the update, check your firmware, and beat the deadline by months, not hours.

Microsoft's release notes for KB5092765 are typically terse, but the warning they contain is anything but routine. Treat it as your early-warning system. If you see the Secure Boot alert during a setup, don't click past it. Stop, update your firmware, and then continue. Your future self will thank you.