Microsoft did not publish a new Windows cumulative security update today, and Apple did not list a same-day macOS security release. The important Windows item for June 24, 2026 is planning guidance: Microsoft highlighted new Secure Boot certificate deployment guidance in the Windows message center.
That sounds like a behind-the-scenes firmware detail, but it is worth paying attention to. Secure Boot is part of the trust chain that helps a PC confirm it is starting trusted boot software instead of something malicious or tampered with. Microsoft has been moving Windows devices from older Secure Boot certificates toward newer certificate authorities, and the timing matters because older certificates are reaching expiration milestones in 2026.
For home users, this will usually arrive through normal Windows updates and firmware support. For businesses, schools, managed fleets, virtual machines, and specialty devices, it deserves a little more care. A Secure Boot certificate change is not the kind of update you want to discover only after a remote worker’s laptop asks for a recovery key, a server needs an unexpected reboot window, or a virtual machine boot policy does not match the plan.
What Microsoft posted today
On Microsoft’s Windows message center, Microsoft posted a June 24, 2026 entry titled “Best practices for deploying Secure Boot certificate updates.” The message points administrators to Microsoft’s new article, Best practices for deploying Secure Boot certificate updates, and says that many organizations have already successfully updated certificates for client devices, servers, and virtual machines.
The same message center item also points to upcoming Microsoft events for Secure Boot questions, including a Windows Server Secure Boot AMA and office hours for virtualized environments and OEM scenarios. That is a strong clue about the areas that need the most careful planning: servers, virtual machines, OEM firmware differences, and managed endpoint fleets.
The most useful Microsoft support landing page to keep bookmarked is Windows Secure Boot certificate expiration and CA updates. It links to Microsoft guidance for home users, businesses, schools, IT-managed devices, Intune, Group Policy, registry methods, Azure Virtual Desktop, Windows 365, and Linux on Azure virtual machines.
Why this matters
Secure Boot works by using trusted certificate authorities to validate boot components before Windows loads. When certificates age out, systems need updated trust material so they can continue booting securely and receiving future protections. The goal is good: keep the boot process trusted and reduce the chance that bootkits or unauthorized boot components can slip in before the operating system has a chance to defend itself.
The risk is operational. Updates that touch boot trust, firmware behavior, BitLocker-protected disks, and virtual machine security settings can expose weak spots in an environment. A device may need one more restart than users expect. A laptop may ask for its BitLocker recovery key if firmware or boot state changes are detected. A virtual machine may require a specific Secure Boot template or certificate path. A specialty workstation, older PC, or line-of-business system may have firmware that needs vendor attention before the update path is clean.
Microsoft’s June 2026 Windows non-security preview update notice from June 23 also included a related reminder: recent and upcoming Windows updates may cause a limited number of consumer and business devices to experience one additional restart during installation after a Secure Boot certificate update is applied. That does not mean every PC will have a problem, but it does mean businesses should not treat this as a “click update and hope” maintenance item.
Who should care first
For a single personal Windows laptop, the practical advice is simple: keep Windows Update current, make sure your files are backed up, and know where your BitLocker recovery key is before major update work. You can usually find BitLocker recovery keys tied to a Microsoft account at aka.ms/recoverykey, or your business may store them in Microsoft Entra ID, Intune, or another management system.
For businesses, the priority list is longer. Start with devices that are expensive to interrupt: accounting PCs, front-desk systems, dispatch machines, medical or shop-floor workstations, executives’ travel laptops, domain controllers, Hyper-V hosts, Azure Virtual Desktop pools, Windows 365 Cloud PCs, and any device with firmware settings that are rarely touched.
IT-managed environments should also check how Secure Boot status is monitored. Microsoft publishes guidance for checking Secure Boot certificate update status in the Windows Security app and for using Intune remediations. If a company has Intune, Autopatch, Group Policy, RMM tooling, or endpoint inventory software, now is the time to use it for visibility instead of waiting for users to report a boot problem.
What to do before broad deployment
Before rolling this across a business fleet, take a few practical steps:
- Confirm backups. Important files should be backed up before update work that may involve firmware, boot policy, or recovery prompts.
- Verify BitLocker recovery key escrow. Do not assume the key is saved somewhere useful. Check it before the update window.
- Update in rings. Test a small group first, then expand to similar devices, then move to the full fleet.
- Separate laptops, desktops, servers, and virtual machines. The risk profile is different for each group.
- Watch for extra restarts. Communicate that some PCs may reboot one additional time during the update process.
- Check vendor firmware support. Older business PCs and specialty hardware may need BIOS or UEFI updates from the manufacturer.
- Plan for remote users. A remote worker who sees a recovery screen needs a safe way to contact IT and confirm identity before receiving a recovery key.
What can go wrong
The most common pain point we expect customers to notice is a recovery prompt after a restart. That does not automatically mean the PC is broken. It may mean Windows or firmware detected a boot-related change and BitLocker wants the recovery key before unlocking the drive.
Other possible issues include delayed update completion, users interrupting a restart because they think the computer is stuck, older firmware not handling the update path cleanly, or managed virtual machines needing a configuration review before the certificate update is applied. These are exactly the kinds of issues that are easier to prevent with a small pilot group than to solve in a hurry across an entire office.
What about Macs?
I checked Apple’s official Apple security releases page today. As of this check on June 24, 2026, Apple did not list a new same-day macOS security release, Rapid Security Response, or macOS emergency update. Apple last published that security releases page on June 16, 2026, and there was no new June 24 macOS item listed.
Mac users should still keep Software Update current, especially on business machines that handle email, customer files, financial data, or remote access. There just was not a new macOS security release today that warranted a separate Mac update article.
When to call The IT Guys
Call us before broad deployment if your business uses BitLocker, Microsoft Intune, Windows Autopatch, Hyper-V, Azure Virtual Desktop, Windows 365, domain-joined computers, or older Windows hardware that cannot afford surprise downtime. We can help inventory Secure Boot status, verify recovery key storage, build an update ring plan, check firmware readiness, and schedule the rollout so updates happen when they are least disruptive.
For a small office, the right plan may be as simple as checking backup status, updating a few test machines first, and confirming recovery keys. For a larger or more complex environment, this is a good time to document which devices are protected, which ones are exceptions, and who gets called if a machine lands on a recovery screen after a restart.
Official sources checked
- Microsoft Windows message center – June 24, 2026 Secure Boot certificate deployment guidance entry.
- Microsoft Tech Community: Best practices for deploying Secure Boot certificate updates – linked by Microsoft from the Windows message center.
- Microsoft Support: Windows Secure Boot certificate expiration and CA updates.
- Microsoft Support: June 2026 Windows non-security preview update / KB5095093 – includes Microsoft’s note about possible additional restart behavior tied to Secure Boot certificate updates.
- Apple security releases – checked for same-day macOS security releases or Rapid Security Responses.