June 9 Patch Tuesday incoming as Secure Boot deadline looms

Microsoft's June 9 Patch Tuesday is a few days away, and it carries more weight than any routine monthly update. It is the final structured deployment window before the 2011-era Secure Boot certificates begin expiring on June 24, leaving any unpatched device in a degraded boot-security state from that date.

The certificate expiration window runs June 24-27. The Microsoft Corporation KEK CA 2011 expires June 24, the Microsoft UEFI CA 2011 expires June 27, and the Microsoft Windows Production PCA 2011 follows in October. Devices that have not received the 2023 replacement certificates before June 24 will not stop working, but they will lose the ability to receive future boot-level security protections, including updates to the Windows Boot Manager, Secure Boot revocation lists, and fixes for newly discovered boot-chain vulnerabilities.

Why June 9 is not a routine update

Microsoft has been rolling out the 2023 replacement certificates since February 2026 through cumulative updates, with the May 12 Patch Tuesday advancing that rollout further. Organisations that delayed the May deployment are now facing a compressed window. The gap between June 9 and the June 24 expiration date is 15 days. For enterprise teams managing large device fleets, that is not a comfortable runway.

Security analysts have clearly flagged the pressure. The decision to defer May deployment to June has reduced the available window by more than 60 percent. Any organisation assuming June 9 restores a normal deployment timeline is wrong. June 9 is emergency triage for teams that missed May.

What to do before June 9 and immediately after

Before June 9, IT administrators should run the following PowerShell command with administrator privileges to check certificate status on any device in question: Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -Name UEFICA2023Status

The expected result for an OS-driven migration is "Completed." Crucially, a "NotStarted" status is not an automatic failure; it often indicates that the device is already secure because the OEM has injected the 2023 certificates natively via a recent BIOS update. The real red flags to hunt for are a status of "Failed" or hex codes populated in the adjacent UEFICA2023Error key. Anything hitting those failure states after the June 9 deployment requires immediate, manual remediation.

Devices running Windows Server 2025 with certain BitLocker Group Policy configurations require extra caution. The boot-to-BitLocker-recovery bug originated in the April 2026 update cycle. The May update resolved it for Windows 11, but the fix for Windows Server 2025 remains pending, and the behaviour is volatile in some configurations. Server 2025 environments should complete a test deployment before rolling June 9 updates fleet-wide.

June 9 is also expected to address vulnerabilities discovered since the May 12 release, including any that have entered active exploitation in the weeks between cycles. The Netlogon flaw CVE-2026-41089, flagged as actively exploited by the Centre for Cybersecurity Belgium on May 29, is already patched via the May update. Any devices that have not applied that fix should treat June 9 as a double-priority deployment.

The October deadline is next

Completing the Secure Boot certificate transition before June 24 closes the most urgent window but is not the end of the process. The Microsoft Windows Production PCA 2011 certificate, which signs the Windows bootloader itself, expires in October 2026. That is the most structurally significant of the three expirations and the one that carries the greatest long-term boot integrity risk for devices that miss it.

June 9 Patch Tuesday is scheduled to release at 10:00 AM PST.