Microsoft has confirmed a new known issue in Windows 11 where the Settings app fails to download updates released after February 2026, throwing error code 0x80010002. The bug, added to the company’s official release health dashboard, means that devices that successfully install the February 2026 security update can no longer grab March, April, or May updates—and likely all subsequent cumulative patches—through the normal Windows Update channel.

When affected users click ‘Check for updates’ or ‘Download and install’ for any post-February update, the process stalls and eventually displays the error 0x80010002. The February 2026 update itself installs without a hitch, which suggests the bug is tied to a deeper certificate or signing requirement that the newer updates demand.

What Causes Error 0x80010002?

Although Microsoft hasn’t specified the exact criteria, early reports and the nature of the error point to Secure Boot certificate issues. Windows 11 requires updated Secure Boot certificates to validate the integrity of bootable software, and those certificates must be periodically refreshed. A separate update (often delivered as a ‘Servicing stack update’ or ‘Secure Boot DBX update’) ensures the system trusts the new certificates. If a device skipped that prerequisite—perhaps because it was offline or the update failed silently—the March 2026 and later cumulative updates, which are signed with the newer credentials, will fail validation and trigger 0x80010002.

This isn’t the first time certificate-related woes have disrupted updates. In 2023, Microsoft warned that devices without the latest Secure Boot DBX update would eventually be denied future Windows updates. The current bug may be the long-predicted consequence.

Understanding the Error Code

Error 0x80010002 in Windows Update typically indicates a failed cryptographic operation. It can appear when the system cannot verify the digital signature of an update package. In this scenario, the update package for March 2026 and later relies on a certificate that the local machine either doesn’t recognize or hasn’t been authorized through an updated Secure Boot configuration. The February update might still use an older, still-trusted certificate, which is why it installs without issue.

Which Windows 11 Versions Are Affected?

Microsoft has not published a definitive list, but the bug likely impacts all supported Windows 11 editions—Home, Pro, Enterprise, Education, and IoT—provided they have not applied the prerequisite certificate refresh. Systems that are fully up to date, including all servicing stack updates and Secure Boot revisions, appear to be unaffected. The issue surfaces most commonly on devices that were offline for an extended period or those managed by update policies that inadvertently blocked the required certificate update.

Spotting the Bug

If you are trying to install a March 2026 or later cumulative update via Windows Update in Settings and receive error 0x80010002, your device is likely affected. You will still be able to download and install the February 2026 security update (and any earlier patches) without error. The problem is isolated to update packages dated March 2026 onward.

Microsoft’s Response and Workaround

Microsoft has acknowledged the problem and is investigating. A blanket fix is expected in an upcoming cumulative update, though no timeline has been set. In the meantime, the company recommends using a manual installation workaround.

Manual Update Installation via Microsoft Update Catalog

To bypass the bug and stay secure, you can manually download and install the blocked updates from the Microsoft Update Catalog:

  1. Identify the KB number of the update you need (e.g., the March 2026 cumulative update). You can find this information on the Windows release health page or reliable tech news outlets.
  2. Visit catalog.update.microsoft.com and search for that KB number.
  3. Download the correct .msu file matching your system architecture (x64, ARM64, etc.). Select the file labeled for your Windows 11 version.
  4. Double-click the downloaded file to run the installer. Follow the prompts, and restart when complete.

This method uses the standalone Windows Update Installer (WUSA), which performs a different validation step than the Settings app. Consequently, it often circumvents the cryptographic check that triggers 0x80010002.

For IT Administrators

Enterprise environments can leverage alternative deployment tools such as Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business policies. These channels are not affected by the Settings bug and will still deliver the updates normally. If you’re already using a management tool, your devices should receive updates without intervention.

Why This Matters

Skipping even a single monthly cumulative update exposes Windows 11 machines to known vulnerabilities that could be exploited by attackers. March, April, and May 2026 updates contain critical security fixes, and delaying their deployment increases risk. The manual workaround is straightforward, but it requires user action—something Microsoft typically designs Windows Update to avoid.

For everyday consumers, the nagging error in Settings can be confusing and frustrating. Many will assume their device is faulty or that Windows Update is broken. Microsoft’s delayed permanent fix, coupled with a manual workaround, puts the onus on the user to stay protected.

Historical Context: Secure Boot and Update Integrity

Secure Boot is a security standard that ensures a device boots using only software trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers, EFI applications, and the operating system. For this trust chain to work, the database of allowed and forbidden signatures must be kept current.

In 2023, Microsoft began distributing a Secure Boot DBX update that revoked trust in older, potentially compromised certificates. The company stated that future Windows updates would require this update to be installed; without it, the OS would eventually be unable to verify the authenticity of update packages. The current 0x80010002 bug likely represents the enforcement point of that policy.

Users who ignored the Secure Boot DBX update, perhaps because it required a manual installation or a BIOS/UEFI configuration change, are now facing the repercussions. This scenario underscores the importance of applying all updates, especially those labeled as critical for servicing stack or security foundations.

What to Do if You’re Hit by the Bug

  1. Check your Secure Boot certificate status: Run msinfo32.exe and look for “Secure Boot State.” It should say “On.” Also, confirm that the latest DBX update (typically listed under “Windows Updates” in Update History) is installed. If not, search for and install any outstanding Secure Boot or servicing stack updates.
  2. Manually install the missing monthly updates: Use the Catalog workaround described above. This should allow you to install all missing patches and restore normal Windows Update behavior for subsequent patches.
  3. Monitor the official fix: Keep an eye on the Windows release health dashboard and Windows Update documentation. When Microsoft releases a comprehensive fix, it will likely be included in a future cumulative update or as a separate standalone package.
  4. Avoid relying solely on Settings for updates: Until the fix is deployed, make manual checks via the Catalog part of your monthly routine, or switch to an alternative deployment method.

The Bigger Picture

This bug is a reminder that Windows Update is architecturally complex, relying on multiple layers of trust, signing, and validation. When a single piece of that chain fails, the entire update process can grind to a halt—even if the prerequisite was delivered months or years ago. For Microsoft, the challenge is to remediate the problem without breaking devices that have already manually fixed themselves or are otherwise in a stable state.

Security-certificate woes are not uncommon in the Windows ecosystem. Similar issues occurred with the expiration of digital certificates for older Windows versions, leading to update failures and cryptographic errors. Each time, Microsoft has had to engineer a way to re-establish trust without compromising security. The current situation follows that same pattern.

Frequently Asked Questions

Will resetting Windows Update components fix error 0x80010002?

No. The standard troubleshooting steps—like renaming the SoftwareDistribution folder, running the Windows Update Troubleshooter, or resetting network settings—will not resolve this issue because the root cause is a missing certificate, not a corrupted update cache.

Can I ignore the March–May 2026 updates until the fix arrives?

Not advisable. Those updates contain critical security patches for actively exploited vulnerabilities. Use the manual installation method to stay protected.

Will upgrading to a newer Windows 11 feature update solve the problem?

Possibly, but not guaranteed. If the problem stems from a foundational Secure Boot certificate that is missing, an in-place upgrade or fresh install that includes the latest servicing stack updates might resolve it. However, Microsoft has not officially recommended this route, and it carries the risk of data loss or extended downtime.

Is this bug present in Windows 10?

No. Microsoft’s advisory is specifically for Windows 11. Windows 10’s servicing model and certificate requirements differ, and no similar issue has been reported for that platform.

What’s Next?

Microsoft is actively working on an automated fix that will be distributed through Windows Update once ready. The company typically releases such fixes as part of a monthly security update or as an out-of-band patch if the issue is severe. Enterprise customers and IT pros should follow their usual deployment rings and keep an eye on the KB articles for known issues.

For everyone else, the immediate action is to manually install the outstanding updates and then wait for Microsoft’s official resolution. The manual workaround ensures your device stays secure in the meantime, and once the permanent fix lands, future updates should resume normally through Settings.