Windows 11 KB5089549 Creates New SecureBoot Folder, Microsoft Says It’s Normal

Microsoft has clarified that the new SecureBoot folder appearing after installing Windows 11 update KB5089549 is intentional and not a bug, as Windows Latest writes.

The folder started showing up inside the Windows directory after users installed the May 2026 cumulative update for Windows 11. Some users feared it was related to a failed update or an unwanted system change, but Microsoft now says the folder is part of the company’s Secure Boot certificate transition process.

Microsoft preparing PCs for Secure Boot certificate changes

According to Microsoft, Secure Boot certificates created in 2011 or earlier will begin expiring in June 2026. To avoid compatibility and boot issues, the company is replacing older certificates with newer Secure Boot 2023 certificates.

The SecureBoot folder helps prepare supported systems for that rollout. Microsoft says devices usually receive the newer certificates automatically through Windows Update after installing cumulative updates and rebooting once or twice.

However, the rollout still depends on firmware compatibility. Some older PCs may fail to receive the new certificates if their firmware remains outdated.

Why the folder suddenly appeared

Microsoft updated its support documentation after users noticed the folder appearing on both enterprise and consumer PCs, including Windows 11 Home systems.

The company explained that the folder mostly exists for IT administrators managing large numbers of devices. It contains several PowerShell scripts designed to help monitor and validate the Secure Boot certificate deployment process.

Even though the scripts target enterprise environments, Microsoft says the folder can still appear on regular consumer systems as part of the broader rollout.

What is inside the SecureBoot folder

The SecureBoot folder currently contains seven PowerShell scripts.

Microsoft says the scripts do not make changes automatically on their own. Instead, they help verify whether systems received the newer Secure Boot 2023 certificates correctly.

One script checks if the new certificates are installed and then saves the result into a JSON file. Another script verifies that the scheduled Windows task responsible for applying certificates remains enabled.

The scripts appear to serve mainly diagnostic and deployment purposes rather than actively modifying the operating system.

Microsoft says users should not delete it

Microsoft says there is no reason to manually remove the SecureBoot folder.

The company notes that future Windows updates may still rely on the files inside the folder during the certificate migration process. Microsoft could also remove the folder automatically later once the transition fully completes.

For now, Microsoft recommends leaving the folder untouched.

KB5089549 also causing installation problems

The clarification arrives as some Windows 11 users continue reporting installation failures with KB5089549.

Microsoft has now acknowledged those installation issues and says it is working on a fix. The company has not yet shared details about what causes the failures or when a permanent resolution will arrive.