Microsoft has issued its May 2026 Windows servicing recap, delivering a clear heads-up to IT administrators: June will be dominated by three major shifts. A mandatory Secure Boot certificate rollover lands for most supported Windows versions. Windows Autopatch will enable hotpatching by default for all eligible endpoints. And Intune-based management becomes the sole path for Windows Update for Business policy configuration. The recap, published on the Windows IT Pro Blog, outlines the timeline and required actions for what Microsoft calls “one of the most significant servicing transitions in years.”

For admins managing fleets of Windows 10 22H2 and Windows 11 23H2/24H2 devices, the Secure Boot rollover is the headline item. The current Secure Boot certificate, issued in 2011, is set to expire on July 27, 2026. To prevent boot failures on millions of devices, Microsoft will push an update in the June 9 Patch Tuesday release that revokes the old certificate and installs a new one. The update (KB5032199 for Windows 11 24H2, KB5032200 for Windows 10) cannot be skipped or deferred beyond the standard deadline. Any device that fails to install it before the expiration risks being unable to boot after a firmware-level security check.

The rollover process is not trivial. On devices where BitLocker is enabled, the new certificate must be injected into the firmware’s signature database before the old one is revoked. Microsoft’s documentation advises administrators to test the update on representative hardware, particularly on older Surface, Dell, and Lenovo models that may have custom UEFI implementations. A known issue in the initial rollout causes HP EliteBook 840 G6 units with BIOS version 01.15 to hang at the manufacturer’s logo if the TPM is in version 1.2 mode; HP has committed to a firmware fix by late May.

Microsoft is also using this rollover to enforce compliance: devices that have Secure Boot disabled or are booting with legacy BIOS will not receive the update. Those machines will continue to boot but will be flagged in Intune as non-compliant, potentially blocking access to company resources if conditional access policies are in place. The Security Recommendation dashboard in Microsoft Intune will surface an aggressive “Secure Boot Certificate Expiration” advisory starting June 1, with a 14-day grace period before automatic remediation attempts.

Meanwhile, Windows Autopatch reaches a milestone that many admins have been anticipating—or dreading. Beginning June 15, 2026, the service will automatically switch eligible clients to the hotpatch update channel. Hotpatching, which has been available as an opt-in for Windows 11 Enterprise E3/E5 and Windows 365 Enterprise since early 2025, applies security fixes to in-memory code without requiring a reboot. Microsoft says this will reduce the reboot burden by up to 50% for quality updates. Under the new policy, any device running Windows 11 24H2 with at least 8 GB of RAM and enrolled in Autopatch will be moved to the hotpatch channel during the June maintenance window.

The default-on approach has clear operational benefits. Microsoft’s telemetry shows that organizations using hotpatching experience fewer help-desk tickets related to lost work or forced restarts. However, the change also removes the traditional quarterly “cumulative update + reboot” cadence that many software validation processes rely on. Applications that inject into kernel memory or use legacy filter drivers may encounter compatibility issues. Adobe’s Creative Cloud suite and certain endpoint detection and response (EDR) tools have been flagged by Microsoft as requiring updated drivers; vendors have been given until May 30 to certify compatibility. Admins can opt out of the automatic switch by configuring the Autopatch hotpatch rollout policy before June 8, but Microsoft strongly discourages doing so except for critical line-of-business application testing.

Intune takes center stage as Microsoft finally sunsets the aging Windows Update for Business (WUfB) Group Policy and MDM CSP split. Starting June 1, the modern “Update policies for Windows” in Intune becomes the exclusive management surface for Windows Update ring settings, feature update deferrals, and driver management. Legacy policies set via Group Policy or the deprecated Update CSP will be ignored. Microsoft has been telegraphing this shift since the introduction of the Intune Update offerings back in 2023, but the hard cut-off catches some organizations that still maintain hybrid management.

For those still relying on on-premises Group Policy, Microsoft offers a migration script in the Intune admin center (Tenant administration > Windows updates > Migration). The script reads existing policy values and creates equivalent Intune policies, though admins must manually adjust ring assignments to match their device groups. A new compliance insight called “WUfB configuration source” now appears in the Endpoint analytics workspace, flagging devices that are still pulling settings from the deprecated sources.
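The "WUfB configuration source" insight described above can be approximated locally. The script below is an added example, not the migration script the recap describes and not Microsoft's code: it reports which legacy delivery path a device's Windows Update for Business settings currently arrive through, so devices still pulling from the deprecated sources can be found before the June 1 cut-off. The two registry keys are the real locations written by Group Policy and by the MDM policy manager (Update CSP); the list of value names is an assumed selection of the settings a migration most needs to carry across.

```powershell
# Added example (not the recap's migration script, not Microsoft code): inventory of the
# legacy sources still supplying WUfB settings on this device.
# Assumptions: the value-name list below is a chosen subset of WUfB settings; the two
# registry keys are the real Group Policy and PolicyManager (Update CSP) locations.

$GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$CspKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# WUfB settings a migration needs to carry across (assumed selection).
$WufbSettings = @(
    'BranchReadinessLevel'
    'DeferFeatureUpdatesPeriodInDays'
    'DeferQualityUpdatesPeriodInDays'
    'PauseFeatureUpdatesStartTime'
    'PauseQualityUpdatesStartTime'
    'ExcludeWUDriversInQualityUpdate'
)

function Get-RegistryValueOrNull {
    # Returns the value or $null; a missing key or missing value is not an error here.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    try   { Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop }
    catch { $null }
}

function Get-WufbConfigurationSource {
    <#
    .SYNOPSIS
      One object per WUfB setting: the value under the Group Policy key, the value under
      the Update CSP key, and which legacy source (if any) is supplying it.
    #>
    [CmdletBinding()]
    param(
        [string]   $GroupPolicyKey = $GpoKey,
        [string]   $UpdateCspKey   = $CspKey,
        [string[]] $SettingNames   = $WufbSettings
    )
    foreach ($name in $SettingNames) {
        $gpo = Get-RegistryValueOrNull -Path $GroupPolicyKey -Name $name
        $csp = Get-RegistryValueOrNull -Path $UpdateCspKey   -Name $name

        if ($null -ne $gpo -and $null -ne $csp) { $source = 'Both' }
        elseif ($null -ne $gpo)                 { $source = 'GroupPolicy' }
        elseif ($null -ne $csp)                 { $source = 'UpdateCSP' }
        else                                    { $source = 'None' }

        [pscustomobject]@{
            Setting          = $name
            GroupPolicyValue = $gpo
            UpdateCspValue   = $csp
            LegacySource     = $source
        }
    }
}

function Test-WufbMigrationNeeded {
    # True when any WUfB setting still arrives through a source the recap says will be
    # ignored from June 1; such devices need their update ring configured in Intune first.
    [CmdletBinding()]
    param([string[]] $SettingNames = $WufbSettings)
    $legacy = Get-WufbConfigurationSource -SettingNames $SettingNames |
              Where-Object { $_.LegacySource -ne 'None' }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        LegacySettings  = @($legacy | ForEach-Object Setting)
        MigrationNeeded = (@($legacy).Count -gt 0)
    }
}

# Per-setting detail, then a one-line device verdict suitable for collection via
# Invoke-Command across a fleet and export with Export-Csv.
Get-WufbConfigurationSource | Format-Table -AutoSize
Test-WufbMigrationNeeded
```

A device reporting `MigrationNeeded = True` is the local equivalent of the Endpoint analytics flag: its ring settings are still coming from a path that stops being honoured after the cut-off, so the corresponding Intune update policy has to exist and be assigned before June 1.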

The Intune-only mandate also extends to driver and firmware updates. Microsoft’s driver servicing, previously configurable via the old Windows Update for Business settings, will now be managed through the “Driver updates for Windows” blade in Intune. This allows finer granularity, including the ability to approve individual drivers. But it also means that organizations without Intune licensing (e.g., those on Office 365 E3 without the Enterprise Mobility + Security add-on) must either upgrade or risk missing critical driver updates. Microsoft notes that driver updates will still download from Windows Update, but the policies controlling their release will be ignored unless set in Intune.

Taken together, the June 2026 changes represent a forcing function for modernization. The Secure Boot rollover demands immediate firmware and configuration attention. The Autopatch hotpatching default pushes organizations toward a reboot-less future, whether they are ready or not. And the Intune mandate closes the chapter on the hybrid management era for Windows updates.

To prepare, Microsoft recommends a three-step escalation path. First, verify Secure Boot status across the estate; a PowerShell script (Start-MpScan -ScanType SecureBoot) will be integrated into the Microsoft Secure Score console on May 15. Second, validate critical applications against hotpatching using the Windows Hotpatch Readiness Toolkit, available now in the Microsoft Download Center. Third, complete the WUfB-to-Intune migration before May 25 to avoid any policy vacuum. The Windows Servicing team will host a live “Ask Microsoft Anything” session on May 20 at 9 AM Pacific, with engineers available to address specific enterprise concerns.
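For the first two steps, a per-device readiness report can be produced locally today. The function below is an added example, not the Secure Score check the recap mentions and not Microsoft's code; it needs an elevated PowerShell session on Windows 10 or 11. The build-number floor (26100 for Windows 11 24H2) and the 8 GB RAM floor are taken from the article's hotpatch criteria; the article does not name the new Secure Boot certificate, so the subject text searched for in the firmware's `db` variable is a parameter with a placeholder default. Autopatch enrollment is a tenant-side fact and is not checked here.

```powershell
# Added example (not the recap's Secure Score check, not Microsoft code): per-device
# readiness report for the June Secure Boot rollover and the Autopatch hotpatch switch.
# Run elevated. Assumptions: build 26100 = Windows 11 24H2 and 8 GB are the article's
# hotpatch criteria; the new CA subject is a placeholder because the article does not
# name the certificate.

function Get-JuneServicingReadiness {
    [CmdletBinding()]
    param(
        # Subject text expected in the Secure Boot 'db' once the new CA is installed.
        [string] $NewCaSubject     = 'NEW-SECURE-BOOT-CA-SUBJECT-PLACEHOLDER',
        [int]    $HotpatchMinBuild = 26100,
        [int]    $HotpatchMinRamGB = 8
    )

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # --- Secure Boot ---------------------------------------------------------
    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy'.
    $firmware   = $env:firmware_type
    $secureBoot = $false
    if ($firmware -eq 'UEFI') {
        # Confirm-SecureBootUEFI throws on platforms without Secure Boot support.
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    }
    if (-not $secureBoot) {
        $findings.Add('Secure Boot off or legacy BIOS: device will not receive the rollover update and will be flagged non-compliant in Intune.')
    }

    # 'db' is a list of EFI_SIGNATURE_LISTs carrying DER certificates; the subject CN is
    # plain ASCII inside the DER, so a substring search is enough to spot a given CA.
    $newCaPresent = $false
    if ($secureBoot) {
        $db = Get-SecureBootUEFI -Name db
        $newCaPresent = [System.Text.Encoding]::ASCII.GetString($db.Bytes).Contains($NewCaSubject)
    }

    # --- TPM -----------------------------------------------------------------
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    if ($tpmSpec -eq '1.2') {
        $findings.Add('TPM in 1.2 mode: check vendor firmware advisories before deploying the rollover update.')
    }

    # --- BitLocker -----------------------------------------------------------
    $bitlocker = 'Unknown'
    try { $bitlocker = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus.ToString() } catch { }
    if ($bitlocker -eq 'On' -and $secureBoot -and -not $newCaPresent) {
        $findings.Add('BitLocker on and new CA not yet in db: the new certificate must be present before the old one is revoked.')
    }

    # --- Hotpatch eligibility (local criteria only) --------------------------
    $build = [int]$os.BuildNumber
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $hotpatchEligible = ($build -ge $HotpatchMinBuild) -and ($ramGB -ge $HotpatchMinRamGB)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        FirmwareType     = $firmware
        SecureBoot       = $secureBoot
        NewCaInDb        = $newCaPresent
        TpmSpecVersion   = $tpmSpec
        BitLockerOsDrive = $bitlocker
        OsBuild          = $build
        RamGB            = $ramGB
        HotpatchEligible = $hotpatchEligible
        Findings         = $findings.ToArray()
    }
}

# Local run; for a fleet sweep wrap in Invoke-Command -ComputerName and Export-Csv.
Get-JuneServicingReadiness | Format-List
```

The `Findings` list maps directly onto the recap's warnings: legacy BIOS or disabled Secure Boot means no update and an Intune non-compliance flag, TPM 1.2 mode is the condition behind the HP advisory, and a BitLocker-protected drive without the new CA in `db` is the ordering problem the rollover process must get right.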

For Windows 11 version 25H2, which is expected in the second half of the year, the June updates lay the foundation. That release will ship with the new Secure Boot certificate pre-installed and will require Intune for all update management, with no fallback to legacy policies. Microsoft’s message is unambiguous: the time for half-measures has passed. Administrators who embrace the June changes will be better positioned for the fully modern Windows management stack that 25H2 enforces.