  • MS-DEFCON 4: Is Microsoft starting to clean up the mess?

    Karlston

    • 195 views
    • 6 minutes

    By Susan Bradley

     

    Microsoft is slowly but surely starting to roll out Secure Boot security fixes to more and more machines.

     

    I’m therefore lowering the MS-DEFCON level to 4. The May updates include not only the Secure Boot fixes but also a variety of other security-related patches.

     

    Start by installing KB5089549 for Windows 11 and KB5087544 for Windows 10 (for those enrolled in the Windows 10 ESU).

     

    Microsoft is also fixing CVE-2026-41091, CVE-2026-45498, and CVE-2026-45584. These fix the Defender security vulnerabilities called RedSun and Undefend. These updates were included in the latest S/V platform 4.18.26040.7 and Engine 1.1.26040.8. By the time you read this, Microsoft will already have rolled out the update to you.

     

    Microsoft also fixed a few other issues that have triggered headlines. One I’ve recently seen in the news was described as a fix for a “Windows Update bug blocking security patches since March 2026 due to download timeout changes.” However, many news sources failed to go into the details, specifically that this issue didn’t occur in all situations. It occurred only on some devices under certain network-restricted environments, resulting in the inability to download further Windows updates.

     

    That missing nuance means that this is an issue that won’t be seen by the vast majority of Windows users. It will be seen only on Internet-restricted networks. If you’re a consumer and have seen the headlines that there is a bug whereby Windows Update won’t download updates, this isn’t the reason.

     

    Microsoft has proactively fixed an issue where the May updates might fail to install with an error. Unfortunately, and frustratingly, Microsoft posts some information only to the admin center, which is not accessible to the general public. I’ve transcribed some of Microsoft’s notes in our Forum post Some devices fail to install updates after upgrading Windows. For one:

     

    After encountering this issue, devices cannot install monthly Windows updates. When you go to Settings then Windows Update then Update history, you might see that Windows updates fail with error 0x80073712/0x800f0993. CBS logs might show error 0x800f0993 (PSFX_E_REBASE_HYDRATION_CANDIDATES_MISSING) or 0x80073712 (ERROR_SXS_COMPONENT_STORE_CORRUPT) when attempting to install updates.

     

    Consumer PCs were proactively fixed:

     

    No new devices in these categories should be affected by this issue starting from May 19, 2026, 6:30 p.m. PT. Restarting the device might allow the resolution to apply sooner. No other action is required beyond a device restart.

     

    I find it extremely annoying that this important information is so inaccessible.

    Consumers — Windows

    I’m still seeing some confusion about this, so bear with me as I issue another reminder. If the Secure Boot updates are not in place on a consumer PC, the machine will still boot. So, don’t panic. These updates are much more important in a business environment, which is why we have spent so much digital ink on the matter. However, the Secure Boot certificates must be updated for all PCs eventually. As I’ve mentioned before, one of the best write-ups about how to check whether the updates have been installed is the Dell support article How To Check Secure Boot Certificates.

     

    The May updates showed that, once again, we are still suffering from the OEM issue where systems were installed with a small EFI system partition. This lack of space caused updates to fail to install with error code 0x800f0922. Microsoft has documented a workaround: add a registry key and then restart the system. The recommended workaround is to run the following command from an elevated command prompt:

     

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Bfsvc" /v EspPaddingPercent /t REG_DWORD /d 0 /f

     

    Then restart the device and try installing the update again.
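
The following PowerShell is an added example, not code from Microsoft or from the original column: it summarises CBS log lines that carry the three error codes named in this article and checks whether the EspPaddingPercent value from the command above is set to 0. The function names and the sample log lines are constructed, and the `[HRESULT = 0x…]` line layout is an assumption about how the CBS log records these failures.

```powershell
# Added example: codes and guidance come from the article; log lines are constructed.
$Known = @{
    '0x800f0922' = 'Small EFI system partition: set EspPaddingPercent, restart, retry the update'
    '0x80073712' = 'ERROR_SXS_COMPONENT_STORE_CORRUPT: restart so the fix can apply'
    '0x800f0993' = 'PSFX_E_REBASE_HYDRATION_CANDIDATES_MISSING: restart so the fix can apply'
}

function Get-ServicingErrorSummary {
    param([string[]]$Lines)
    # Assumed CBS layout: "<timestamp>, <level>  CBS  <message> [HRESULT = 0x........ - NAME]"
    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),.*HRESULT = (?<code>0x[0-9a-fA-F]{8})'
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern -and $Known.ContainsKey($Matches['code'])) {
            [pscustomobject]@{ Time = [datetime]$Matches['ts']; Code = $Matches['code'].ToLower() }
        }
    }
    if (-not $hits) { return }   # nothing relevant in this log
    $hits | Group-Object Code | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Code = $_.Name; Count = $_.Count
            FirstSeen = $times[0]; LastSeen = $times[-1]
            Action = $Known[$_.Name]
        }
    }
}

function Test-EspPaddingWorkaround {
    # True when the value written by the article's reg add command is present and 0
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Bfsvc'
    $p = Get-ItemProperty -Path $key -Name EspPaddingPercent -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.EspPaddingPercent -eq 0)
}

# Constructed sample; on a real PC use: Get-Content "$env:windir\Logs\CBS\CBS.log"
$sample = @(
    '2026-05-20 09:01:12, Info                  CBS    Session: 1 initialized by client WindowsUpdateAgent'
    '2026-05-20 09:03:40, Error                 CBS    Failed to stage package [HRESULT = 0x800f0993 - PSFX_E_REBASE_HYDRATION_CANDIDATES_MISSING]'
    '2026-05-20 09:03:41, Error                 CBS    Failed to install update [HRESULT = 0x800f0993 - PSFX_E_REBASE_HYDRATION_CANDIDATES_MISSING]'
    '2026-05-21 18:22:05, Error                 CBS    Failed to perform operation [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]'
)
$summary = Get-ServicingErrorSummary $sample
$summary | Format-Table Code, Count, FirstSeen, LastSeen, Action -AutoSize -Wrap
if ($summary.Code -contains '0x800f0922' -and -not (Test-EspPaddingWorkaround)) {
    Write-Output 'EspPaddingPercent is not set to 0; the workaround has not been applied.'
}
```

Reading the live CBS log and the HKLM registry hive generally requires an elevated PowerShell session.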

    Consumers — Apple

    Apple released a lot of updates recently. After an update, I often feel that my phone acts somewhat more sluggish and drains the battery a bit more before settling down and going back to what I consider to be normal battery drain during the day. To make sure your device is charging properly, follow these best practice guidelines from the Apple community and check your daily usage in Settings.

    Businesses — Windows

    For businesses, Microsoft added a folder on your computer that holds scripts to assist IT professionals in rolling out Secure Boot. Microsoft MVP Johan Arwidmark explains this in his post Secure Boot Rollout Scripts added in May 2026 Security Update at Deployment Research. This looks like a work in progress, so we may see more scripts released as we get closer to the June expiration date for these certificates.

     

    The Secure Boot updates may trigger a BitLocker recovery key request, so I will once again remind everyone that whenever you have BitLocker enabled, you must know where your recovery key is located. In businesses, that is either in a proper repository or backed up via Entra ID in the cloud. Whenever encryption is involved, there is a responsibility for maintenance.

    The GitHub problem

    Those of you in business who rely on downloading files from GitHub may have heard about two recent events that showcased risks to the code repository. On May 19, a breach was detected as a result of a malicious Visual Studio Code extension. The Team PCP hacking group alleged that it had gained access to GitHub source code. In an X post, GitHub indicated:

     

    Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.

     

    In a separate newsworthy item impacting GitHub, an employee at the US Cybersecurity and Infrastructure Security Agency (CISA) left the credentials for both US government AWS accounts and internal CISA systems in a GitHub repository. This was remedied, but both events showcase that anytime you place trust in an external system, you run the risk of security issues.

     

    Review your security practices, where you store your credentials, and which extensions you install. I’ve even seen some developers considering other locations to store their code. This is a time to review your options — especially how you handle software repositories.

     


    Posted Tuesday 26 May 2026 at 6:04 pm AEST (my time).
