Microsoft is rolling out its June 9, 2026 Patch Tuesday update this week, and it's one of the more important ones of the year for Windows 11 home and small-business users. The cumulative update fixes 78 newly disclosed security flaws — including two zero-day vulnerabilities, one of which is already being used in real-world attacks — and finishes pushing the new Secure Boot certificates that every Windows PC needs before older 2011-era certificates expire on June 24.
What's in the June 2026 update
The June 2026 Patch Tuesday addresses 78 newly disclosed vulnerabilities across the Windows ecosystem, 12 of which are rated Critical. Two zero-day flaws—one actively exploited in the wild—receive emergency fixes.
The actively exploited bug, CVE-2026-34591, is a Secure Boot security feature bypass that allows attackers with physical access or admin rights to load untrusted code during boot. Microsoft has observed the exploit chained with a kernel elevation-of-privilege bug (CVE-2026-34592) in targeted attacks against enterprise and government entities.
Two other fixes stand out for everyday users and small offices. A critical remote code execution flaw (CVE-2026-34603) in the Windows Network File System (NFS) service could let unauthenticated attackers take control of a system by sending specially crafted NFS packets. Organizations relying on NFS in mixed environments should prioritize patching. The update also closes a privilege escalation in the Windows Print Spooler service (CVE-2026-34615), reminiscent of the notorious PrintNightmare saga.
The Secure Boot deadline is now 18 days away
The same update also wraps up Microsoft's year-long Secure Boot certificate refresh. In June 2026, the Secure Boot certificates that have shipped inside Windows since 2011 begin to expire, and Microsoft is replacing them with new 2023-dated certificates. The hard cutoff for the main certificate is June 24.
If your PC doesn't get the new certificates in time, it won't suddenly stop working — but its boot-level security will quietly degrade. The update is required to "ensure Windows devices continue to verify trusted boot software," the company states. Microsoft also notes that while these devices will continue working normally and receive standard updates, they will no longer be able to get new security protections related to the early boot process. Over time, that leaves the door open to bootkit malware that traditional antivirus tools can't see or remove, and it may lead to malware infections that we have to clean up down the road.
Windows 10 users are in a tighter spot. Windows 10 devices not in ESU won't get the new Secure Boot certificates. If you're still on Windows 10 and not enrolled in Extended Security Updates, this is one more reason to plan a move.
How to install the update and check your PC
For most home and small-business users, the update will install itself. The June 2026 Patch Tuesday update will be offered automatically via Windows Update for Windows 11 version 22H2 and later. To install manually, navigate to Settings > Windows Update and click Check for updates. The cumulative update package will appear as "2026-06 Cumulative Update for Windows 11" with a knowledge base ID (KB5040442 for version 23H2/24H2; KB numbers vary per version). A reboot is required, and on some systems an extra restart will happen as the Secure Boot certificates are written into firmware.
To confirm your machine is on the new certificates, go to Windows Security > Device Security and scroll down to the "Secure Boot" section. A green check means you're good to go. In my case, it clearly states that Secure Boot is enabled and that all certificates are applied. A yellow or red status means action is needed — typically running Windows Update again, or in some cases a BIOS/UEFI update from your laptop or motherboard maker. Older laptops are the most likely to need that manual firmware step, and that's where bringing the machine into a local repair shop usually beats fighting with vendor support sites.
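The same check can be scripted for a handful of office PCs. This is an added example, not from Microsoft or the sources below: it uses the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets from an elevated PowerShell prompt, and the two certificate names it searches for are assumptions not stated in this article.

```powershell
# Added example: report Secure Boot state and whether the 2023 certificates
# are present in the firmware's KEK and db variables. Run elevated on a UEFI PC.

# Assumed certificate subject names (not taken from the article).
$expected = [ordered]@{
    KEK = 'Microsoft Corporation KEK 2K CA 2023'
    db  = 'Windows UEFI CA 2023'
}

function Test-SecureBootCert {
    param([string]$Variable, [string]$Name)
    # The firmware variable is a binary signature list; certificate subject
    # names are stored inside it as plain text, so a string search finds them.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Name)
}

try {
    # Returns $true/$false; throws on legacy BIOS systems or when not elevated.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Cannot query Secure Boot: $($_.Exception.Message)"
    return
}

$results = foreach ($variable in $expected.Keys) {
    [pscustomobject]@{
        Variable    = $variable
        Certificate = $expected[$variable]
        Present     = Test-SecureBootCert -Variable $variable -Name $expected[$variable]
    }
}
$results | Format-Table -AutoSize

if (-not $enabled) {
    Write-Warning 'Secure Boot is turned off in firmware settings.'
} elseif ($results.Present -contains $false) {
    Write-Warning 'A 2023 certificate is missing: run Windows Update again or check for a BIOS/UEFI update.'
} else {
    Write-Output 'Secure Boot is on and the 2023 certificates are present in KEK and db.'
}
```

A `Present = False` row corresponds to the yellow or red status described above and calls for the same follow-up.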
What can go wrong
Patch Tuesday updates this large occasionally cause trouble — failed installs, boot loops, or PCs stuck on the update screen. The Secure Boot piece adds extra risk this month because it modifies firmware. If any boot component matches a revoked signature, the system fails to boot with a "Secure Boot violation" error, which leaves the PC sitting at a black screen instead of loading Windows.
If that happens, do not keep retrying the update, and do not wipe the drive. The data on the disk is almost always still intact, and a clean recovery — or, in stubborn cases, professional drive recovery work — is usually all that's needed to get files off before the machine is reset. Desktops with custom BIOS settings and older gaming rigs are particularly worth treating carefully; we frequently see Secure Boot and TPM misconfigurations on machines that end up needing a hands-on desktop repair.
What This Means for York, PA
York-area Windows 11 users should run Windows Update this week and check the Secure Boot status in Windows Security before June 24. If your PC won't install the update, throws a Secure Boot error, or won't boot after restarting, York Computer Repair on Carlisle Road can diagnose it in-shop — call 717-739-9675 or walk in Mon–Fri 9–5.
Sources
- Windows 11 June 2026 Patch Tuesday (June 9): Secure Boot & Key New Features
- Patch Tuesday June 2026: Security Updates & CVE Analysis
- Microsoft reveals what happens to Windows 11 PCs if you ignore the Secure Boot deadline in June 2026
- Microsoft urges Windows Secure Boot update 2026
- Your Windows PC has a security deadline in June 2026