Microsoft ships new WinRE and Setup updates as Secure Boot certificate deadline gets closer
5 min. read 
Published on
Microsoft has released two new dynamic updates for Windows 11 versions 24H2 and 25H2, KB5081494 and KB5083482, both dated March 26, 2026. KB5081494 updates Windows Setup components used during feature updates, while KB5083482 updates the Windows Recovery Environment, also known as WinRE.
The bigger message attached to both releases is Microsoft’s renewed warning about Secure Boot certificate expiration. Microsoft says Secure Boot certificates used by most Windows devices begin expiring in June 2026, and it urges organizations to review the official guidance and update certificates in advance.
That warning matters, but the risk needs careful framing. Microsoft does not say affected systems will suddenly stop booting in all cases. Instead, the company says devices without the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will still install, but those systems will no longer receive new security protections for the early boot process.
KB5081494 updates Windows Setup for 24H2 and 25H2
KB5081494 is a Setup Dynamic Update for Windows 11 version 24H2 and 25H2. Microsoft says it improves Windows Setup binaries and other files used during feature updates, which means it is aimed at upgrade reliability rather than visible user-facing features.
Microsoft also says KB5081494 replaces the earlier KB5079271 release. The update has no prerequisites, does not require a restart, and arrives through Windows Update, the Update Catalog, and WSUS.
That makes this a routine but important servicing update. It is the kind of package IT teams usually fold into deployment media and upgrade workflows so future feature updates go more smoothly. That last point is an inference based on the update’s purpose and distribution model.
KB5083482 updates WinRE and fixes an ARM64 emulation issue
KB5083482 is the Safe OS Dynamic Update for the same Windows 11 versions. Microsoft says it improves the Windows Recovery Environment and fixes a kernel-related issue that stopped x64 applications from running under emulation on ARM64 inside WinRE.
Microsoft also says KB5083482 replaces KB5079471. Unlike the Setup update, this WinRE package cannot be removed once it is applied to a Windows image, and Microsoft says the installed WinRE version should read 10.0.26100.8107 after deployment.
That fix matters for recovery scenarios on ARM devices. If admins rely on x64 tools while troubleshooting or repairing Windows installations in WinRE, this update should reduce friction in those cases. That is a reasonable interpretation of Microsoft’s published fix note.
What Microsoft actually warns about with Secure Boot
Microsoft’s Secure Boot guidance says the original Microsoft Secure Boot certificates issued in 2011 begin expiring in June 2026, with one of the listed certificates expiring later in October 2026. To keep receiving Secure Boot-related protections, devices need the newer 2023 certificates in the KEK and DB stores.
The practical impact is narrower than some headlines suggest. Microsoft says a device that misses the certificate refresh will still boot normally and continue to receive regular Windows updates. What it will lose is the ability to receive new protections for Boot Manager, Secure Boot databases and revocation lists, and other early-boot security improvements.
Microsoft also says most personal Windows devices should receive the new certificates automatically, while some systems may need OEM firmware updates. For managed environments, the company tells IT admins to follow the Secure Boot certificate update guidance and playbooks rather than assume the process is fully automatic across every device class.
Key details at a glance
| Update / issue | Verified detail |
|---|---|
| KB5081494 | Setup Dynamic Update for Windows 11 24H2 and 25H2 |
| KB5081494 purpose | Improves Windows Setup binaries and related files used for feature updates |
| KB5081494 restart required | No |
| KB5081494 replaces | KB5079271 |
| KB5083482 | Safe OS Dynamic Update for Windows 11 24H2 and 25H2 |
| KB5083482 purpose | Improves WinRE and fixes x64 app emulation on ARM64 in WinRE |
| KB5083482 removable | No, once applied to a Windows image |
| Expected WinRE version after KB5083482 | 10.0.26100.8107 |
| Secure Boot certificate deadline | Existing 2011 certificates begin expiring in June 2026 |
| If certificates are not updated | Devices still boot, but lose future boot-related security protections |
What admins should do now
- Deploy KB5081494 and KB5083482 through normal servicing channels if your environment uses Windows 11 24H2 or 25H2.
- Add the Setup and Safe OS updates to your imaging and feature update workflows. This follows from Microsoft’s description of how these packages are used.
- Review Microsoft’s Secure Boot certificate guidance now, especially for business-managed PCs, servers, and any systems that may require OEM firmware support.
- Verify WinRE versioning after KB5083482 if you need confirmation that the Safe OS update landed correctly. Microsoft says the post-install WinRE version should be 10.0.26100.8107.
FAQ
Not in the way the sample article suggests. Microsoft says affected devices will still start and operate normally, and regular Windows updates will continue. The main loss is future boot-related security protections unless the 2023 certificates are installed.
It updates Windows Setup binaries and related files used during feature updates for Windows 11 24H2 and 25H2.
It updates WinRE and fixes an issue that prevented x64 applications from running under emulation on ARM64 in the recovery environment.
No. Microsoft says this Safe OS Dynamic Update cannot be removed once it is applied to a Windows image.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages