Windows 11 March 2026 Hotpatch KB5079420 and Secure Boot Certificate Refresh

Microsoft released a Hotpatch for Windows 11 on March 10, 2026: KB5079420 for OS Builds 26200.7979 (25H2) and 26100.7979 (24H2). The short public-facing summary is intentionally terse—the package is described as delivering miscellaneous security improvements to internal OS functionality, with a specific note that Secure Boot certificate updates will be delivered separately with the April 2026 baseline update. Microsoft also says devices that already have prior updates installed will pull only the delta contained in this hotpatch, and that no issues are currently known for this release.

---

Background / Overview​

Windows’ servicing model has been evolving around two interlocking ideas: quarterly baseline (cumulative) updates and a new class of surgical, low-disruption "hotpatch" updates that can be applied with dramatically reduced downtime. Hotpatching is meant to let Microsoft patch certain security defects without a full reboot cycle, and Microsoft has been expanding the capability from Server preview lanes into Windows 11 Enterprise and eligible managed fleets. The hotpatch program and its administrative requirements (Intune/Windows Autopatch enrollment, hotpatch-enabled quality update policies, and baseline update alignment) are documented in Microsoft’s hotpatch guidance and release notes.
At the same time, Microsoft and OEMs are executing a coordinated, calendar-driven refresh of cryptographic certificates used by UEFI Secure Boot. A family of Microsoft-issued Secure Boot certificates created around 2011 is scheduled to begin expiring in mid‑2026; Microsoft has prepared a replacement certificate family (the "2023 CA" set) and is rolling it out in stages through Windows servicing and firmware cooperation with OEMs. That work is separate from, but operationally related to, recent hotpatch and baseline updates.

---

What KB5079420 actually says — and what it doesn’t​

The public summary, in plain terms​

• The KB entry labels KB5079420 as a Hotpatch for Windows 11 (25H2 and 24H2) and says it "makes miscellaneous security improvements to internal OS functionality."
• It explicitly defers Secure Boot certificate updates to the next baseline Windows update in April 2026, rather than bundling those certificate changes inside this hotpatch.
• The page adds standard boilerplate: devices that already have previous updates will download only what's new in this package, and Microsoft states it is not currently aware of any issues in this update.

The limits of the KB wording​

Microsoft's KB is notably sparse. "Miscellaneous security improvements" is not a granular changelog; it does not list affected components, CVE IDs, performance metrics, or telemetry thresholds that drove the rollout. That lack of specificity is important: for security teams and device managers who need to understand what was changed and whether compensating controls are required, the KB alone is insufficient. When vendors use high-level language for security updates, administrators must look to supporting documentation, targeted advisories, or Microsoft’s security portal for the precise mitigations.

---

Why this hotpatch matters (the immediate signal)​

On paper, KB5079420 is small and procedural. In practice, it communicates two important things:

• Microsoft continues to use hotpatching as a vehicle for delivering security improvements to eligible Windows 11 machines—an operational shift away from always requiring reboots for many security fixes. The hotpatch model reduces disruption for high‑uptime endpoints and can materially improve mean time to remediation (MTTR) for critical vulnerabilities.
• Microsoft is deliberately separating a major platform transition—Secure Boot certificate renewal—into a baseline update delivered in April 2026 rather than mixing it into a hotpatch. That separation signals that the certificate change is being treated as a coordinated, firmware‑sensitive operation with OEM dependencies and therefore needs the wider co‑ordination that baseline servicing provides.

Those two points together show Microsoft balancing speed (hotpatches for urgent OS fixes) with caution (treating Secure Boot key material as a larger, stage‑gated operational change).

---

The Secure Boot certificate refresh — what you need to understand​

The technical problem​

UEFI Secure Boot uses firmware-resident certificate material (PK/KEK/DB/DBX) to validate early boot components. A set of Microsoft-signed certificates issued around 2011 form part of that trust foundation. Those certificates were never intended to be permanent; they have scheduled lifetimes, and Microsoft has warned that elements of the 2011 chain begin expiring in June 2026 (with remaining expiries continuing through October 2026). Devices that fail to receive the replacement certificate family before those expirations will enter a degraded security state: they will, for example, be unable to accept future Secure Boot protections, revocations, or new boot‑time mitigations.

How Microsoft is rolling the change out​

Microsoft and OEMs prepared a replacement certificate family (generated in 2023) and planned a staged, telemetry‑gated rollout. The practical delivery channels are:

• OS‑side servicing (Windows Update / hotpatch/baseline updates) to install the new KEK/DB entries where firmware supports Windows-mediated updates.
• OEM firmware updates for devices whose UEFI implementation requires explicit firmware changes or non-standard variable handling before new trust anchors can persist.
• Manual or scripted updates in constrained environments (servers, air‑gapped systems, or specialized hardware) where automatic flows are not available.

Who is most at risk​

• Older PCs and servers with firmware that never received the 2023 certificate family or that cannot persist Windows-mediated Secure Boot variable updates.
• Devices running unsupported OS versions that are not receiving updates (notably Windows 10 after its end-of-support dates unless enrolled in ESU), because they will not receive Microsoft's update-delivered certificates.
• Air‑gapped or heavily managed fleets that do not receive Windows Update or OEM firmware updates automatically.

The consensus across Microsoft guidance and industry reporting is blunt: most contemporary PCs—especially those manufactured in the last 2–3 years and updated regularly—will be updated automatically. But a material minority of devices, especially in enterprise and server contexts, will require explicit action.

---

Hotpatch mechanics: what administrators must remember​

Hotpatching is not "magic"—it is an engineered, function‑level mechanism that replaces or redirects calls in running binaries to patched implementations, avoiding the need for a full process- or system-level restart for many fixes. That architecture lets Microsoft deliver targeted security changes more quickly and with less disruption, but it has prerequisites:

• Enrollment: Hotpatch requires eligible devices to be on supported Windows SKUs and usually to be managed via Microsoft Intune / Windows Autopatch or similar channels. There are specific quality update policies that must be created and a baseline update applied to place a device onto the hotpatch servicing cycle.
• Baseline alignment: Hotpatch delivery depends on baseline updates (quarterly cumulative updates) to establish a baseline image that the hotpatch engine can safely patch against. Devices that haven't installed the necessary baseline will not be hotpatch-capable even if other prerequisites are met.
• Scope: Not every security fix is hotpatchable. Kernel‑level or broad architectural changes may still require reboots and baseline updates. Administrators should expect hotpatch packages for certain classes of vulnerabilities (function‑level patches) and normal rebooting cumulative updates to remain the backbone of servicing.
• Edge cases & rollback: Hotpatches change running code and therefore introduce new classes of operational failure modes (incompatible drivers, stateful components that assume a reboot, or instrumentation that misattributes in‑place patches). Microsoft documents known limitations and guidance; organizations must test in pilot rings before broad deployment.

---

Practical guidance: a checklist for IT teams​

The dual facts that KB5079420 is a hotpatch and that Secure Boot certificate updates are scheduled for April mean administrators should treat March–April 2026 as a focused maintenance window. Here is a prioritized action checklist:

• Inventory and categorize devices:
• Confirm which devices are on Windows 11 25H2 / 24H2, which are enrolled for hotpatching, and which remain on Windows 10 or earlier. This is foundational—unsupported OS instances will not receive updates.
• Validate hotpatch eligibility:
• Verify Intune/Windows Autopatch enrollment and hotpatch policies for Enterprise devices you expect to receive hotpatches. Ensure baselines required for hotpatch enrollment are installed on pilot machines first.
• Check Secure Boot status and certificate family:
• Run the Microsoft-recommended inventory and PowerShell checks to see whether devices already carry the 2023 CA family or whether firmware updates are required. Microsoft released guidance and tooling (playbook and PowerShell checks) to help with fleet‑scale readiness scanning.
• Coordinate OEM firmware updates:
• For devices flagged as unable to accept Windows-mediated KEK/DB updates, coordinate with OEMs for a firmware ROM or guidance. Firmware vendors may have their own staged rollout calendars.
• Plan pilots and rollback paths:
• Test hotpatch and baseline updates in small pilot rings; monitor Windows Update logs and telemetry. Prepare clean USB recovery media and confirm BitLocker/TPM recovery procedures are documented and tested before mass deployment.
• Consider Windows 10 ESU and server exceptions:
• If you still run Windows 10 on production systems, evaluate Extended Security Updates (ESU) enrollment where available; otherwise, prepare migration plans before mid‑2026 expirations start impacting boot‑time protections.
• Monitor Microsoft communications:
• KB entries, Windows message center notices, and Windows Tech Community AMAs are the authoritative channels for emergent details. Microsoft has run dedicated AMAs and playbooks for the Secure Boot refresh; follow those threads to catch late-breaking OEM caveats.

---

Benefits—and the tradeoffs—of hotpatching in this context​

Benefits​

• Reduced downtime: Hotpatches can be applied with no or minimal reboots for many endpoint classes, a major win for operations teams needing high uptime.
• Faster remediation: When Microsoft can push a function‑level fix as a hotpatch, fleets close windows of vulnerability faster than waiting for the next baseline.
• Operational flexibility: Hotpatching complements rather than replaces baseline updates; it gives admins another lever to tune risk tolerance and scheduling.

Tradeoffs and risks​

• Limited transparency for some hotpatches: As with KB5079420’s terseness, high-level KB language frustrates security teams that expect CVE references and remediation details. Where a KB says only "miscellaneous security improvements," teams must ask for or hunt down the exact mitigations.
• Compatibility hazards: In‑place function replacements can expose latent driver or firmware bugs that only manifest when code is patched live—these interactions can be harder to debug than reboot-based update failures.
• Operational complexity: Hotpatch enrollment and baseline alignment create an additional administrative surface: policies, pilot rings, telemetric gating, and vendor coordination. That complexity raises the management bar for smaller IT teams.

---

What KB5079420 does not fix (and why that matters)​

The KB explicitly states Secure Boot certificate updates will be delivered with April’s baseline update, not March’s hotpatch. That distinction matters because:

• The Secure Boot update is not only an OS change; it interacts with UEFI variables and OEM firmware. Delivering it as a baseline provides a broader change window to coordinate firmware updates and to catch devices that need OEM action.
• Administrators should not assume that applying KB5079420 means Secure Boot certificate concerns are solved. The April baseline is the delivery vehicle for those certificates—and there are known device classes that will still require OEM firmware intervention or manual remediation after April. Treat March’s hotpatch as a separate step in a multi‑stage campaign.

---

Testing and telemetry: practical signals to watch​

When you roll out KB5079420 and prepare for the April baseline, monitor these signals:

• Windows Update client logs (WindowsUpdate.log / event logs) for hotpatch apply success/failure codes. Hotpatch packages have different install markers than reboot‑requiring CUs.
• Secure Boot variable change events and firmware‑level event IDs that Microsoft and OEMs documented during the Secure Boot playbook. Those events will tell you whether the device accepted KEK/DB updates or if the update was blocked/persisted incorrectly.
• Telemetry on boot‑time signature validation failures after the April update—especially on servers, virtualization hosts, and devices with custom boot loaders or third‑party pre‑OS components. These are the devices most likely to show regressions if firmware or driver compatibility is incomplete.

---

Critical appraisal: strengths, gaps, and unknowns​

Strengths​

• Microsoft is shipping security fixes quickly via hotpatches while separating platform‑level certificate changes into a controlled baseline window; that is a sensible operational split for minimizing user pain while ensuring a coordinated, OEM‑aware certificate roll.
• The continued expansion of hotpatch capability is a net win for high‑uptime environments and materially improves the practical security posture by reducing time‑to‑patch.

Gaps and verifiable unknowns​

• The KB content for KB5079420 is not granular. The phrase "miscellaneous security improvements to internal OS functionality" does not allow security teams to map fixes to CVEs, verify mitigations, or prioritize mitigations based on risk. That lack of specificity is verifiable in the KB language itself and should be treated as a documentation gap.
• The Secure Boot certificate update timeline and operational guidance are being published in separate channels (playbooks, AMAs, server blog entries). For teams that only watch monthly KBs, that separation increases the chance of missing firmware‑level remediation needs. Cross‑referencing the Secure Boot playbook and OEM advisories is essential.

Areas where claims should be treated cautiously​

• Any claim that “all devices will be updated automatically” is inaccurate in absolute terms; Microsoft and industry reporting consistently warn of a material minority of devices that will need extra action (firmware updates, manual KEK/DB enrollments). Treat automatic update expectations as probabilistic, not guaranteed.

---

Bottom line and recommended next steps​

KB5079420 is a March 10, 2026 hotpatch that delivers unnamed security improvements to Windows 11 25H2/24H2 and signals an active hotpatching cadence from Microsoft. Importantly, Secure Boot certificate updates are being staged for April 2026 baseline servicing rather than included in this hotpatch, and administrators must treat March–April 2026 as a coordinated maintenance window requiring inventory, firmware coordination, pilot testing, and clear rollback plans.
Action items for teams this week:

• Verify hotpatch enrollment and baseline state for Windows 11 Enterprise devices you rely on.
• Run the Secure Boot readiness scans Microsoft published; catalog devices that will need OEM firmware updates or manual intervention.
• Schedule pilots for both KB5079420 and the April baseline—monitor update logs, Secure Boot variables, and boot‑time validation telemetry during and after the pilot.
• Communicate expectations to stakeholders: most devices will be updated automatically, but a known minority will require manual OEM or firmware work. Prepare helpdesk and OEM escalation playbooks accordingly.

KB5079420 is small in appearance but sits at the center of a larger, time‑sensitive platform change. Treat it as one step in a multi‑stage remediation plan and use it as the trigger to validate the readiness of your fleet for the Secure Boot certificate rollover that follows in April.

---

---

Source: Microsoft Support March 10, 2026—Hotpatch KB5079420 (OS Builds 26200.7979 and 26100.7979) - Microsoft Support