Microsoft deployed Hotpatch KB5079420 for Windows 11 on March 10, 2026, targeting OS Builds 26200.7979 (25H2) and 26100.7979 (24H2). This update represents a significant shift in how Microsoft handles critical security infrastructure, focusing specifically on Secure Boot certificate management without requiring a system reboot.

What KB5079420 Actually Does

The update refreshes Secure Boot certificates, a foundational component of Windows security architecture. Secure Boot verifies that only trusted software loads during the boot process, preventing malware and unauthorized operating systems from taking control. Certificates have expiration dates, and KB5079420 ensures systems continue to validate boot components with current, trusted certificates.

Microsoft's public-facing summary for this hotpatch is intentionally minimal. The company has adopted this approach for certificate updates to avoid drawing unnecessary attention to security infrastructure changes that could potentially be exploited if detailed publicly. This represents a calculated balance between transparency and security through obscurity.

The Hotpatch Advantage: Zero Reboot Required

Hotpatches represent Microsoft's most advanced update delivery mechanism. Unlike traditional updates that require system restarts, hotpatches apply critical fixes while Windows remains running. This technology eliminates downtime for users and ensures security updates deploy immediately without waiting for the next maintenance window.

For KB5079420, the hotpatch delivery means Secure Boot certificate updates apply instantly across enterprise environments. Systems maintain continuous operation while receiving critical security infrastructure updates—a capability particularly valuable for servers, medical devices, industrial control systems, and other 24/7 operations.

Technical Specifications and Build Numbers

The update targets two specific Windows 11 versions:
- Windows 11 25H2: OS Build 26200.7979
- Windows 11 24H2: OS Build 26100.7979

These build numbers confirm Microsoft maintains parallel support for both the current 24H2 release and the upcoming 25H2 version. The identical patch number (.7979) across both builds indicates Microsoft synchronized the certificate refresh across supported Windows 11 versions, ensuring consistent security posture regardless of which annual update users have installed.

Secure Boot Certificate Ecosystem

Secure Boot relies on a chain of trust anchored in certificates stored in UEFI firmware. Microsoft maintains several key certificates in this ecosystem:
- Microsoft Corporation UEFI CA 2011: The original certificate
- Microsoft Windows Production PCA 2011: For Windows boot components
- Third-party certificates: For hardware manufacturers and other trusted entities

KB5079420 likely updates one or more of these certificates to extend their validity period or replace expiring certificates. Without such updates, systems might fail Secure Boot validation when certificates expire, potentially preventing boot or causing security warnings.

Deployment Through Windows Update and Autopatch

For most users, KB5079420 deploys automatically through Windows Update. Enterprise customers using Windows Autopatch receive the update through Microsoft's managed service, which automates update testing, deployment, and rollback across organizational devices.

The Autopatch integration is particularly relevant for this certificate update. Since certificate changes can potentially break boot validation if implemented incorrectly, Autopatch's phased rollout and health monitoring provide additional safety measures. The service can detect issues early and pause deployment before widespread impact occurs.

Why Certificate Updates Matter for Windows Security

Secure Boot certificates have finite lifespans—typically 5-10 years. As original Windows 11 certificates approach expiration dates in the late 2020s, Microsoft must refresh them to maintain security continuity. Without updates, systems would eventually reject valid Windows boot components as \"untrusted\" when certificates expire.

This update also addresses potential certificate revocation scenarios. If a certificate's private key becomes compromised, Microsoft can distribute updates that remove trust in the compromised certificate while establishing trust in replacement certificates. KB5079420 could represent either a routine validity extension or a response to specific security concerns.

Enterprise Implications and Management

For IT administrators, certificate updates require careful consideration. While KB5079420 deploys seamlessly for most systems, organizations with customized Secure Boot configurations or hardware-specific certificates should verify compatibility before widespread deployment.

Microsoft provides several management options:
- Group Policy: Control update installation timing
- Microsoft Intune: Manage updates for cloud-connected devices
- Windows Server Update Services (WSUS): On-premises update control
- Update Compliance reports: Monitor deployment status across organizations

Administrators should ensure their management systems can handle hotpatches, which use different deployment mechanisms than traditional updates. The Windows Update for Business deployment service supports hotpatch distribution with configurable rollout policies.

Verification and Troubleshooting

After installing KB5079420, users can verify the update applied correctly through several methods:
1. Check Windows Update history for KB5079420
2. Verify the OS build number matches 26200.7979 (25H2) or 26100.7979 (24H2)
3. Use PowerShell: Get-HotFix -Id KB5079420
4. Check Secure Boot status in System Information

If issues occur—such as boot problems after certificate updates—Microsoft provides recovery options:
- Safe Mode: Boot with minimal drivers to troubleshoot
- Windows Recovery Environment: Access advanced startup options
- System Restore: Roll back to pre-update state if configured
- Fresh Windows installation: Last-resort recovery option

Most users won't encounter problems, as Microsoft extensively tests certificate updates before release. The hotpatch delivery method itself reduces risk by applying changes incrementally while the system runs.

The Future of Windows Update Delivery

KB5079420 exemplifies Microsoft's evolving update strategy. The company increasingly prioritizes:
1. Minimal disruption: Hotpatches eliminate reboot requirements
2. Security transparency balance: Detailed information for administrators while limiting public exploitability
3. Enterprise integration: Seamless deployment through Autopatch and management tools
4. Cross-version synchronization: Consistent updates across supported Windows versions

Future Windows updates will likely expand hotpatch capabilities to more update types. Microsoft has already used the technology for critical security fixes and now extends it to infrastructure components like Secure Boot certificates.

Actionable Recommendations for Users and Administrators

For individual users:
- Allow automatic updates to install KB5079420
- No action required unless experiencing boot issues
- Regular backups provide insurance against update problems

For enterprise administrators:
- Test KB5079420 in pilot groups before organization-wide deployment
- Verify compatibility with custom Secure Boot configurations
- Monitor Update Compliance reports for deployment status
- Prepare recovery procedures for potential boot issues
- Consider Autopatch for automated update management

For security teams:
- Document certificate update procedures
- Monitor for unusual boot validation failures post-update
- Update security policies to account for hotpatch deployment
- Train help desk staff on certificate-related troubleshooting

Microsoft's certificate refresh through KB5079420 maintains Windows 11's security foundation without disrupting user productivity. The hotpatch delivery represents the new standard for critical infrastructure updates—applying essential changes immediately while systems continue operating normally. As certificate expirations approach in coming years, expect more updates following this pattern: minimal public documentation, hotpatch delivery, and synchronized deployment across Windows versions.