Microsoft has released KB5089573, a May 2026 preview cumulative update for Windows 11 versions 25H2 (Build 26200.8524) and 24H2 (Build 26100.8524), delivering 30 documented changes across performance, reliability, and OS security hardening with a critical focus on the upcoming expiration of Secure Boot certificates originally issued in 2011.
Released on May 26, 2026, KB5089573 is a non-security, optional preview update that is part of Microsoft’s end-of-month release cadence, designed to give IT administrators and enterprise users time to validate changes before they become mandatory during the following month’s Patch Tuesday.
Unlike regular monthly security rollups, this preview package does not include new CVE patches; however, it ships alongside an updated servicing stack (KB5092734 Build 26100.8519), which strengthens the reliability of the update delivery pipeline.
The update is available through two distinct deployment tracks: a gradual rollout (phased delivery to a subset of eligible devices over time) and a normal rollout (broad release to all eligible devices simultaneously).
Security operations teams should note that phased rollouts are intentional. Microsoft uses them to monitor telemetry for unexpected behavior at scale before full deployment.
The headline improvements in KB5089573 target application launch speed and core shell responsiveness. Microsoft explicitly states this update “accelerates app launch and core shell experiences such as Start menu, Search, and Action Center,” addressing latency that had been a persistent complaint among enterprise users on high-core-count workstations.
Additional reliability improvements delivered in this build include:
- Windows Hello hardening – Face and fingerprint recognition is now set as the default authentication method on every sign-in, even if an alternate method was used previously; after three consecutive PIN uses, the system holds the PIN mode until explicitly switched
- File Explorer stability – Improved resilience during theme changes, sign-in screen transitions, and touchscreen gesture sequences
- Modern Standby performance – Faster resume times and reduced power drain caused by rogue applications keeping the sensor hub active during standby
- Task Manager VM CPU accuracy – Fixed a bug where CPU speed displayed inflated values after resuming from hibernation on virtual machines
- HID and Input stack power efficiency – Improved battery hygiene for failed HID devices that previously triggered unnecessary power transfers during standby
- Shared Audio – A new feature allowing two users to simultaneously listen to audio from a single Windows 11 PC via Bluetooth LE
Secure Boot Certificate Expiration
The most security-significant component of this update is the continued rollout of renewed Secure Boot certificates, which replace the original certificates issued in 2011 and are scheduled to expire in late June 2026. Microsoft first disclosed this certificate transition in January 2026, following an initial warning to IT administrators issued in November 2025.
KB5089573 expands high-confidence device-targeting data for Secure Boot certificate delivery, ensuring more eligible devices are enrolled in automatic certificate refresh.
Critically, devices receive the new certificates only after demonstrating sufficient successful update signals, a controlled mechanism designed to prevent certificate deployment to unstable systems, where a failed Secure Boot update could render the device unbootable.
For enterprise security teams, the urgency here is real: Secure Boot is a foundational UEFI security mechanism that protects against bootkit and rootkit malware by verifying the digital signature of boot loaders before execution.
If devices fail to receive the renewed certificate before the June expiration, they may encounter Secure Boot validation failures, which could be exploited in targeted attacks or cause operational disruption.
Administrators managing large fleets should immediately audit device eligibility via the Windows release health dashboard and ensure that no devices are blocked by EFI System Partition (ESP) space constraints. This known issue affected some systems during the May 12, 2026 security update (KB5089549) and was resolved by the same KB5089573 build.
This preview update also refreshes four on-device AI components relevant to Windows intelligence features, all updated to version 1.2605.856.0:
| AI Component | Updated Version |
|---|---|
| Image Search | 1.2605.856.0 |
| Content Extraction | 1.2605.856.0 |
| Semantic Analysis | 1.2605.856.0 |
| Settings Model | 1.2605.856.0 |
Security analysts tracking AI model versioning for endpoint behavioral baselines should log these component versions, as deviations from expected AI model builds on monitored endpoints can indicate tampering or unauthorized modification.
Deployment Guidance for Security Teams
Organizations running Windows 11 24H2 or 25H2 across managed environments should assess this update through the following lens:
- Prioritize Secure Boot certificate validation – Confirm that fleet devices are receiving the certificate update ahead of the June 2026 expiration deadline
- Check ESP space – Devices with insufficient free space on the EFI System Partition may silently fail update installation; run the registry workaround (reg add "HKLM\SYSTEM\CurrentControlSet\Control\Bfsvc" /v EspPaddingPercent /t REG_DWORD /d 0 /f) on affected endpoints
- Deploy via WSUS or Endpoint Configuration Manager for phased enterprise rollouts, verifying build numbers reach 26100.8524 (24H2) or 26200.8524 (25H2)
- Monitor Windows Server 2016 environments separately – Microsoft confirmed a separate known issue where KB5087537 (May Patch Tuesday) causes domain controller lookup failures on Server 2016; this is unrelated to KB5089573 but relevant to mixed-environment SOCs.
Microsoft confirmed that no known issues are currently associated with KB5089573 at the time of publication.
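The per-endpoint checks from the guidance above (build number, Secure Boot certificate presence, ESP free space, and whether the EspPaddingPercent workaround is set), as an added PowerShell example that is not from Microsoft or the original article. The certificate name 'Windows UEFI CA 2023' and the function names are assumptions not stated in the article; the script only reads state and changes nothing.

```powershell
# Added example: read-only readiness check for one endpoint (run elevated, on UEFI).
$TargetUbr = @{ '26100' = 8524; '26200' = 8524 }   # builds quoted in the article

function Get-OsBuildStatus {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    [pscustomobject]@{
        Build    = "$build.$($cv.UBR)"
        AtTarget = $TargetUbr.ContainsKey($build) -and ([int]$cv.UBR -ge $TargetUbr[$build])
    }
}

function Get-SecureBootCertStatus {
    # Assumption: the certificate name is not from the article; pass another if needed.
    param([string]$CertName = 'Windows UEFI CA 2023')
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop   # throws on legacy BIOS
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        # The certificate subject is stored as ASCII text inside the db variable.
        $dbText = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        [pscustomobject]@{ Enabled = $enabled; RenewedCertInDb = $dbText.Contains($CertName); Error = $null }
    } catch {
        [pscustomobject]@{ Enabled = $null; RenewedCertInDb = $null; Error = $_.Exception.Message }
    }
}

function Get-EspStatus {
    $espType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # GPT type GUID for the ESP
    $pad = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Bfsvc' `
        -Name EspPaddingPercent -ErrorAction SilentlyContinue
    Get-Partition | Where-Object GptType -eq $espType | ForEach-Object {
        $vol = $_ | Get-Volume
        [pscustomobject]@{
            Disk              = $_.DiskNumber
            SizeMB            = [math]::Round($_.Size / 1MB)
            FreeMB            = [math]::Round($vol.SizeRemaining / 1MB)
            EspPaddingPercent = if ($pad) { $pad.EspPaddingPercent } else { 'not set' }
        }
    }
}

# One JSON record per device, suitable for collection by existing fleet tooling.
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    OsBuild    = Get-OsBuildStatus
    SecureBoot = Get-SecureBootCertStatus
    Esp        = @(Get-EspStatus)
} | ConvertTo-Json -Depth 4
```

The article gives no free-space threshold, so the script reports ESP size and free space rather than passing or failing it.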
FAQ
Q1: Is KB5089573 a security update?
No, KB5089573 is an optional non-security preview update; however, it delivers critical Secure Boot certificate renewal infrastructure ahead of the June 2026 expiration deadline.
Q2: Which Windows 11 versions does KB5089573 apply to?
KB5089573 applies exclusively to Windows 11 versions 25H2 (Build 26200.8524) and 24H2 (Build 26100.8524), released May 26, 2026.
Q3: What happens if my device doesn’t receive the Secure Boot certificate update before June 2026?
Devices that miss the certificate renewal risk Secure Boot validation failures, potential boot disruptions, and increased exposure to bootkit-level malware that Secure Boot is designed to prevent.
Q4: How can enterprise administrators manually deploy KB5089573?
IT admins can deploy KB5089573 via the Microsoft Update Catalog (.msu offline installer), WSUS, Windows Update for Business, or Microsoft Endpoint Configuration Manager.
Site: thecybrdef.com