Microsoft expands Secure Boot fixes as Windows updates hit install and recovery issues
Microsoft released the June cumulative update KB5093998 for Windows 11 23H2 with security fixes, broader Secure Boot certificate rollout support, and a new Group Policy/MDM option to limit Secure Boot service data sent to Microsoft. The update also fixes a known issue that could force some devices into BitLocker Recovery after boot file updates, while CERT/CC and Microsoft separately published advisories on a Secure Boot bypass affecting Microsoft-signed UEFI shim bootloaders, tracked as CVE-2026-44815.
At the same time, Microsoft warned that some PCs upgraded from Windows 10 21H2/22H2 or Windows 11 23H2 to Windows 11 24H2 or 25H2 may fail to install the June 2026 cumulative updates, showing errors 0x80073712 or 0x800f0993 because of package and component store issues. Microsoft said an automatic fix is rolling out for unmanaged enterprise and Home devices after restart, while already affected systems may require removing a problematic package with DISM or performing an in-place upgrade; separate reporting also said recent HP BIOS updates and Dell SupportAssist software caused BitLocker loops and BSODs that were initially blamed on Windows but traced to OEM firmware and utilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Microsoft releases KB5094126 for Windows 11 24H2 and 25H2
On 2026-06-11, Microsoft released the June 2026 Patch Tuesday update KB5094126 for Windows 11 versions 24H2 and 25H2. The update rolls out updated 2023 Secure Boot certificates replacing expiring 2011 certificates and includes usability changes such as Low Latency Profile, Multi-App Camera, Shared Audio over Bluetooth LE Audio, NPU visibility in Task Manager, and improved Windows Search behavior.
Microsoft fixes BitLocker recovery bug on Windows Server 2025
Microsoft resolved a known issue causing some Windows Server 2025 devices, and in some cases Windows 11 23H2 systems, to boot into BitLocker recovery after the April 2026 security update. The fix was delivered in the June 2026 cumulative updates, including KB5094125 for Windows Server 2025, and Microsoft also documented mitigations for administrators unable to deploy the updates immediately.
Microsoft warns some upgraded Windows PCs can't install June updates
Microsoft disclosed that a small percentage of devices upgraded from Windows 10 21H2/22H2 or Windows 11 23H2 to Windows 11 24H2 or 25H2 may fail to install the June 2026 cumulative updates, showing errors 0x80073712 or 0x800f0993 due to package and component store issues.
CERT/CC publishes advisory on Secure Boot bypass in Microsoft-signed UEFI shims
CERT/CC published vulnerability note VU#616257 covering Microsoft-signed UEFI shim bootloaders vulnerable to a Secure Boot bypass.
Microsoft releases KB5093998 for Windows 11 version 23H2
On June 9, 2026, Microsoft released cumulative update KB5093998 for Windows 11 23H2 with security fixes, Secure Boot certificate rollout changes, a new policy controlling Secure Boot service data sent to Microsoft, and a fix for a BitLocker Recovery issue.
Dell SupportAssist Remediation 5.5.16.0 causes repeated BSOD crashes
In May 2026, Dell's SupportAssist Remediation service version 5.5.16.0 reportedly caused repeated blue-screen crashes across multiple Dell product lines, according to WindowsLatest.
HP BIOS updates trigger BitLocker recovery loops on enterprise systems
WindowsLatest reports that HP BIOS updates released in April 2026 caused persistent BitLocker recovery loops on enterprise systems during Microsoft's Secure Boot certificate migration.
Microsoft stops new June update install failures on some upgraded PCs
Microsoft said devices in the affected unmanaged enterprise and Home categories should no longer be newly affected by the Windows update installation issue after May 19, 2026 at 6:30 p.m. PT, as an automatic fix rolled out.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
11 references tracked. Mallory keeps watching after this page renders.
Windows and Linux users: The deadline to update Secure Boot keys is near - Ars Technica
arstechnica.com
Open sourceMicrosoft released the Windows 11 Secure Boot update for all PCs, how to verify yours
windowslatest.com
Open sourceMicrosoft just dropped Windows 11's biggest update of 2026, and these are the 5 best features
windowslatest.com
Open sourceMicrosoft fixes BitLocker recovery bug on Windows Server 2025
bleepingcomputer.com
Open sourceVU#616257 - Microsoft-signed UEFI shim bootloaders vulnerable to Secure Boot bypass
kb.cert.org
Open sourceNot Microsoft, but OEMs are quietly bricking Windows 11 PCs, here's what you need to know
windowslatest.com
Open sourceMicrosoft Update Catalog
catalog.update.microsoft.com
Open sourceMsrc Product Advisories
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Windows 11 KB5094126 Triggers Boot Failures, BitLocker Recovery, and Explorer Sync Breakage
Microsoft’s Windows 11 cumulative update `KB5094126` is causing serious post-installation failures on some systems after its release with roughly 200 security fixes, including 33 critical flaws and five zero-days. Users reported freezes shortly after boot, black screens, boot loops, BSODs, and repeated BitLocker recovery prompts, including on devices where BitLocker was believed to be disabled. Reports indicate the problems are hitting some HP models particularly hard, with Secure Boot certificate changes and interactions with BIOS/UEFI settings and undersized or crowded EFI partitions emerging as likely factors. The update is also disrupting enterprise and productivity workflows by breaking File Explorer integration for OneDrive and, in some cases, Dropbox and iCloud Drive, while some affected machines reportedly lose LAN access even though internet connectivity remains available. Administrators and users have resorted to Windows Recovery Environment to remove the patch, and some systems reportedly required full Windows reinstalls after recovery complications. A widely shared workaround has been to temporarily disable Secure Boot, complete boot and update recovery, then re-enable Secure Boot after updating BIOS/UEFI firmware, though Microsoft had not formally acknowledged the full scope of the issues in the update documentation at the time of reporting.
Jun 20, 2026
Microsoft ships Windows 11 KB5083769 and KB5082052 with RDP and BitLocker fixes
Microsoft released mandatory Windows 11 cumulative updates **KB5083769** for versions **25H2/24H2** and **KB5082052** for **23H2**, delivering April Patch Tuesday security fixes alongside reliability and feature improvements. The `25H2` and `24H2` releases share the same changes because both are based on `24H2`, and the update moves those branches to builds **26200.8246** and **26100.8246**. Microsoft said the packages include protections against phishing through malicious **`.rdp`** files, Secure Boot certificate management improvements, and a fix for an issue that had pushed some systems into **BitLocker Recovery** after Secure Boot updates; the release also bundles servicing stack update **KB5088467**.
Apr 30, 2026
Windows 11 KB5077181 Patch Tuesday Update Triggers and Fixes Boot Failures
Microsoft’s February 2026 Windows 11 cumulative security update **KB5077181** (for versions **24H2** and **25H2**) was associated with significant boot reliability issues reported shortly after deployment, including systems entering **infinite restart loops** and failing to reach the desktop. Reports described login-time errors (including **System Event Notification Service (SENS)** procedure errors) and network symptoms such as **DHCP failures**, while Microsoft’s public release notes and health dashboard were reported as not listing known issues at the time. The update also shipped broad security remediation, with reporting citing **58 vulnerabilities** addressed and **six actively exploited zero-days** referenced via CISA’s **Known Exploited Vulnerabilities** catalog, including fixes for issues such as SmartScreen bypass (`CVE-2026-21510`), Desktop Window Manager EoP (`CVE-2026-21519`), Remote Desktop Services EoP (`CVE-2026-21533`), and a Notepad RCE via crafted Markdown (`CVE-2026-20841`). Separately, Microsoft stated that **KB5077181** fully resolved a specific Windows 11 boot failure condition affecting a limited set of **commercial physical devices** on **24H2/25H2** that could become unbootable (e.g., **"UNMOUNTABLE_BOOT_VOLUME"**) after installing **KB5074109** or later updates when a **December 2025** security update had previously failed and rolled back, leaving the OS in an “improper state.” Microsoft indicated an earlier mitigation shipped in the optional preview update **KB5074105** (Jan 29, 2026) to prevent additional devices from being impacted, and that the February Patch Tuesday release delivered the complete fix; the issue was not reported as affecting home users or virtual machines.
Mar 21, 2026