The September 2025 non-security preview update for Windows 10, version 22H2 is rolling out and brings a small set of quality improvements — and a firm deadline-driven set of actions administrators and advanced users must take this fall to avoid disruption. Microsoft packaged this preview as the final non-security preview for Windows 10 22H2, and it consolidates fixes that relate to recent cumulative updates while surfacing two urgent platform-level timelines: Windows 10’s end of free mainstream support on October 14, 2025, and a set of Secure Boot certificates that begin expiring in June 2026. Both timelines have tangible operational impact on boot security, update delivery, and migration planning. This article summarizes what’s in the preview, explains the risks, and offers a step-by-step readiness plan for home users, PC fleets, and enterprise environments.
Background / Overview
Windows 10, version 22H2 is now in its final update phase. The September 2025 non-security preview consolidates quality fixes and servicing stack improvements first introduced in earlier September packages and preview builds. Administrators should expect only the delta (new bits) to be delivered if previous packages are already installed.Two platform-wide milestones dominate the context:
- Windows 10 end of support: Microsoft will stop providing free security and non-security updates, and technical assistance for Windows 10 after October 14, 2025. Options include upgrading to Windows 11, enrolling eligible devices in a limited Extended Security Updates (ESU) offering, or migrating to alternative platforms.
- Secure Boot certificate expiry: A set of Microsoft Secure Boot certificates — used widely in firmware KEK/DB/DBX entries — begins to expire starting June 2026. Devices that do not receive updated certificates before expiry may be unable to trust or receive security updates for pre-boot components, and in some cases might fail Secure Boot verification.
What’s in the September 2025 non-security preview
This preview is small by design: it’s a Release Preview level update intended to finalize servicing stack improvements and quality fixes. Key items to note:- Servicing Stack Improvements: The servicing stack (the component responsible for safely applying Windows updates) received reliability and quality fixes to improve update installation success rates.
- Consolidated fixes from recent updates: The preview bundles the quality improvements that were part of the September 9, 2025 cumulative release, enabling administrators to validate fixes in the Release Preview ring before broader deployment.
- Miscellaneous internal security hardening: The preview includes non-public internal improvements that harden the OS servicing and update logic.
- SMBv1 protocol connectivity (known issue resolved): After the September 9 cumulative update, some environments using legacy SMBv1 over NetBIOS over TCP/IP (NetBT) experienced failures when attempting to connect to shares. The preview contains a remediation for that behavior. Important: SMBv1 remains deprecated and should not be considered a long-term solution.
- Windows Autopilot Enrollment Status Page (ESP) loading during OOBE (known issue resolved): Devices deployed via Autopilot with ESP configured may have observed the ESP failing to appear during Out-of-Box Experience. The preview addresses this for the affected 22H2 builds.
Why the Secure Boot certificate expiry matters
Secure Boot is a firmware-level control that prevents untrusted bootloaders and pre-OS components from loading. Microsoft (in partnership with OEMs) maintains certificates in the KEK/DB that firmware and Windows use to validate signatures for boot components, including the Windows bootloader itself. A family of Microsoft-provided certificates issued in 2011 are scheduled to expire beginning in June 2026. Microsoft issued a coordinated replacement set (2023-era certificates) and has been rolling them out through update mechanisms and OEM firmware updates.Why this is operationally significant:
- When a KEK/DB certificate used to validate updates or boot components expires, devices that haven’t received the new 2023 certificates may stop receiving Secure Boot updates for pre-boot components and may fail to trust newly signed bootloaders or option ROMs.
- Systems might lose the ability to install future Secure Boot updates for DB/DBX entries after expiry, jeopardizing protection against firmware and pre-OS threats such as bootkits.
- Virtual machines and older physical devices that do not receive the certificate updates may face boot trust issues — some Linux distributions and components (shim, signed Linux kernels) are also affected where they rely on the expiring Microsoft keys.
Windows 10 end of support: immediate implications
The support horizon for Windows 10 ends on October 14, 2025. After that date:- Microsoft will no longer provide routine security or non-security updates, feature updates, or complimentary technical support for Windows 10.
- PCs will continue to function, but risk exposure to unpatched vulnerabilities increases over time.
- Microsoft offers a consumer Extended Security Updates (ESU) option that extends critical/important updates for an additional limited period; details and eligibility vary (and enrollment requirements apply).
- Organizations that must remain on Windows 10 may use paid ESU or other commercial options.
What IT admins and power users should do now — prioritized checklist
Below is a practical, high-priority checklist sized for quickly actionable steps. Follow the numbered order for efficient risk reduction.- Inventory and triage
- Identify all Windows 10 devices (Home, Pro, Enterprise, Education, IoT) and their current OS build and firmware versions.
- Flag devices that are not centrally managed (BYOD or personal PCs), UEFI vs legacy BIOS, and those that still rely on SMBv1 or NetBT for file sharing.
- Update to 22H2 (if not already)
- Use the enablement package KB5015684 for eligible devices to move to 22H2 with a minimal reboot footprint.
- Ensure servicing stack updates (SSU) prerequisites are installed before the feature enablement package to minimize update failures.
- Plan Windows 11 migrations for eligible hardware
- Verify Windows 11 compatibility for devices targeted for upgrade. Prioritize business-critical systems for migration testing.
- Build a migration schedule to replace or upgrade devices before October 14, 2025.
- Enroll in ESU if migration isn’t feasible
- For systems that cannot be upgraded, evaluate the consumer or enterprise ESU options to obtain security updates beyond October 14, 2025.
- Secure Boot certificate readiness
- Ensure Windows Update reaches all devices that normally receive Microsoft-managed updates; this will deliver the 2023 CA certificates to many devices automatically.
- For IT-managed devices, use official guidance to deploy the new CA certificates to KEK/DB entries using supported management tools (Intune, WSUS, SCCM) and firmware update processes.
- Coordinate with OEMs for firmware/BIOS updates to ensure UEFI-level support for new certificates when required.
- Mitigate SMBv1 problems and remove dependencies
- Where legacy SMBv1 usage exists, modernize file shares to SMBv2/SMBv3 and enable direct TCP (port 445) connectivity as an intermediate workaround.
- If NetBT usage must continue, plan migration timelines and scripts to update clients and servers off SMBv1.
- Validate Autopilot / OOBE flows
- Re-run Autopilot deployments in a test ring after applying the non-security preview to ensure Enrollment Status Page (ESP) behavior is restored.
- Backup and recovery readiness
- Ensure full backups and recovery images are recent prior to mass updates or firmware changes. Emphasize offline backup and system images for critical endpoints.
- Test and stage updates
- Use a phased deployment: test ring -> pilot -> broad deployment. Include rollback validation for each stage.
- Monitor Microsoft release channels and OEM advisories
- Keep a watch on vendor firmware advisories for devices in your estate, as OEM firmware may be required to fully complete the Secure Boot certificate replacement on some models.
Technical mitigation details and commands (concise reference)
- Check whether SMBv1 is enabled (PowerShell): use appropriate Get-WindowsOptionalFeature or DISM queries on Windows 10 to detect SMB1Protocol presence.
- Force SMB to use TCP 445 as a temporary workaround: ensure firewall rules and network devices permit TCP 445; this allows SMB clients to connect over TCP rather than NetBIOS over TCP/IP (NetBT).
- Validate Secure Boot certificate state: inspect UEFI KEK/DB entries — in enterprise scenarios use recommended management tooling to export and audit KEK/DB variables before and after updates.
- Update servicing stack: apply the latest SSU prior to LCU (latest cumulative update) to avoid known installation failures.
Strengths of Microsoft’s approach and what’s changed
- Proactive certificate replacement: Microsoft issued replacement 2023 CA certificates well in advance and documented an OS-level delivery path for many devices — giving IT teams months to prepare before the June 2026 expiry window.
- Roll-forward remediation via Windows Update: For devices receiving Microsoft-managed updates, the certificate rollout is mostly automatic, lowering the support burden on many consumers and SMBs.
- Focused previews and servicing improvements: The September non-security preview targeted servicing stack and edge cases (SMBv1, Autopilot) — changes designed to reduce update friction during a high-stakes migration season.
- Clear lifecycle deadlines: The Windows 10 end-of-support timeline is explicit, allowing organizations to create concrete migration schedules and budget for ESU where necessary.
Risks, limitations and potential failure modes
- OEM firmware dependency: Not all systems receive firmware updates at the same cadence. Older or discontinued models may never receive required firmware changes, leaving them vulnerable or unable to complete certified Secure Boot transitions.
- Devices managed off Microsoft update channels: Machines that avoid Microsoft-managed updates (air-gapped systems, strict telemetry settings, or certain privacy configurations) may not receive the OS-delivered certificate updates automatically. These must be updated manually by IT.
- Legacy stacks and custom appliances: Systems relying on SMBv1 or custom option ROMs may require deep remediation work — migrating legacy appliances or providing alternate file access methods can be time-consuming and costly.
- Linux and third-party impacts: Linux distributions that rely on Microsoft-signed shim or keys may break Secure Boot on affected systems if OEM firmware does not add the new certificates. Some Linux-savvy users may need to manage their own keys or disable Secure Boot (which carries security tradeoffs).
- Worst-case boot failure risk: Although most devices will receive non-disruptive updates, an improperly applied firmware or KEK/DB change could cause boot failures or require complex remediation in the field.
- Compressed timeline for migrations: With Windows 10 free mainstream support ending on October 14, 2025, and Secure Boot certificates expiring June 2026, organizations face a compressed planning window to both migrate and ensure boot security continuity.
Practical guidance for small businesses and home users
- Ensure Windows Update is enabled and that devices are receiving quality updates. For many consumer systems, Microsoft-managed updates will deliver new Secure Boot certificates automatically.
- If upgrading to Windows 11 is an option, plan the migration now. For systems that meet Microsoft’s Windows 11 hardware requirements, upgrades are generally free and avoid the Windows 10 end-of-support window.
- For systems that cannot be upgraded, research the consumer ESU path or consider replacing the hardware. Make full backups before any major OS or firmware changes.
- Avoid disabling Secure Boot as a permanent workaround — doing so reduces pre-boot protections and exposes the device to bootkit-class threats. Use it only as a temporary diagnostic step.
- If you run Linux on a Secure Boot-enabled machine, confirm whether your distro and shim have been updated to the new signing keys and whether your firmware recognizes the new keys. If not, prepare alternatives (manual key enrollment, latest shim packages, or firmware updates).
Recommendations for enterprise/IT pros — policy, tooling, and testing
- Patch management adjustments: Ensure WSUS, SCCM, Intune, or your chosen management stack is configured to surface and deploy the 2023 certificate updates and latest SSU/LCU packages.
- Firmware update cadence: Coordinate with OEMs to obtain firmware updates that include vendor-side KEK/DB adjustments. Automate firmware deployment where possible.
- Security policy updates: Revisit Secure Boot-related policies and document key enrollment processes for devices managed by IT. Test sample devices thoroughly before mass rollouts.
- Autopilot and provisioning testing: Validate Autopilot+ESP flows in a lab with the September preview installed to confirm OOBE behavior is stable for new devices.
- Incident playbook: Prepare a recovery playbook for potential boot failures, including offline media, UEFI key backup/export procedures, and local reimage strategies.
- Communication: Send timely user-facing communications for any user-visible changes (reboots, firmware updates) and provide self-service guidance for home users within mixed environments.
Final assessment and timeline
- Immediate (now–October 14, 2025): Finish migration planning and start Windows 11 pilot upgrades. Apply the September preview into pilot rings and verify Autopilot flows and file share access patterns. Enroll mission-critical devices into ESU if migration is not feasible.
- Short term (Oct 2025–Mar 2026): Execute staged migrations, apply OEM firmware updates as they become available, and validate certificate rollouts. Confirm that systems receive 2023 CA certificates via Windows Update or management tooling.
- Medium term (Apr 2026–June 2026): Verify all devices have updated certificates well before the June 2026 expiry. Re-check any devices that are offline, air-gapped, or managed outside Microsoft update channels.
- Contingency (post-June 2026): For devices that cannot receive certificate updates, prepare remediation steps (firmware updates, manual KEK/DB updating, replacement hardware, or controlled decommissioning).
Closing analysis
The September 2025 non-security preview is more than a small maintenance rollup — it’s a checkpoint in a tightly constrained sequence of changes that includes Windows 10’s end of support and a firmware-level certificate lifecycle. The technical fixes for SMBv1 and Autopilot ESP reduce immediate friction for admins, but the broader operational work now centers on certificate rollouts, OEM firmware coordination, and completing Windows 10 migration where required. Organizations that proactively inventory devices, validate OEM firmware availability, and adopt a staged rollout approach will avoid the most disruptive outcomes. Conversely, teams that delay or rely on unsupported legacy protocols or firmware could face boot trust issues or lose the ability to receive pre-boot security updates after the certificate expiry window begins.Act now: finalize migration plans, verify Secure Boot certificate state across your estate, and ensure firmware update channels are in place. The combined deadlines form a short window where planning, testing, and execution will determine whether this fall and next spring remain ordinary maintenance seasons — or a period of emergency remediations and costly last-minute replacements.
Source: Microsoft - Message Center September 25, 2025—KB5066198 (OS Build 19045.6396) Preview - Microsoft Support
