Demystifying the SecureBoot Folder in Windows 11: An IT Admin Tool, Not Malware

Asked 2026-05-20 23:16:33 Category: Cybersecurity

Introduction: A New Folder Appears

Over the past weeks, some Windows 11 users noticed a new folder named SecureBoot appearing in the C:\Windows directory after installing the May 2025 cumulative update (KB5089549). This unexpected addition sparked concern, with a few users wondering if it was a sign of malware or an unwanted intrusion. However, Microsoft has confirmed that the SecureBoot folder is a legitimate, safe component designed to help organizations manage critical security updates. This article explains what SecureBoot is, why the folder is there, and what — if anything — you need to do about it.

Source: www.pcworld.com

What Is Secure Boot and Why Do Certificates Matter?

Secure Boot is a security standard built into Windows (and most modern PCs) that ensures only trusted software runs during the boot process. It prevents unauthorized code, such as rootkits or bootkits, from loading before the operating system starts. This feature relies on a database of certificates stored in the UEFI firmware. When the system starts, it checks the signature of each boot component against these certificates.

As with any certificate, Secure Boot certificates have an expiration date. Microsoft keeps them updated to maintain a high level of trust. In early 2025, it was announced that the currently used Secure Boot certificates would expire in June 2025. If a machine’s certificates become outdated, Secure Boot will no longer verify boot components correctly. The system will still boot, but it will lose the integrity protection that Secure Boot provides, making the PC more vulnerable to certain types of attacks that tamper with the boot process.

To address this, Microsoft has been rolling out new certificates via Windows Update. The May 2025 update (KB5089549) includes these new certificates for many eligible devices. Users who keep their systems updated should not face any issues in June.

The May 2025 Update and the SecureBoot Folder

The same update that brings the new certificates also creates the SecureBoot folder in C:\Windows. According to Microsoft’s support documentation, the folder contains example scripts for IT professionals. These scripts are not active on your system — they are static text files that administrators can use to automate certificate deployment across their organization.

Specifically, the scripts can:

  • Detect the current Secure Boot certificate update status on each machine.
  • Automate the deployment of new certificates via a safe rollout mechanism in an Active Directory environment.

The folder includes a Sample Secure Boot E2E Automation Guide, which explains how to use these scripts effectively. For home users, the folder is simply a placeholder — it doesn’t run anything or modify system behavior.

What’s Inside the Folder?

If you navigate to C:\Windows\SecureBoot, you’ll find one or more script files (typically .ps1 format), along with a readme document. The scripts are written in PowerShell and are designed to be executed by domain administrators. They are not scheduled tasks or background processes. In other words, they are inert until an administrator runs them manually.
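
One way an administrator can confirm this on a given machine, as an added example that is not one of Microsoft's scripts and not code from the original article: it inventories the folder, reports each file's Authenticode status and hash, and looks for scheduled tasks that reference the folder. Whether the shipped scripts carry a signature is an assumption the article does not confirm.

```powershell
# Added example: read-only inspection of C:\Windows\SecureBoot.
# Run in an elevated PowerShell session. Nothing here executes the scripts.
$folder = Join-Path $env:windir 'SecureBoot'

if (-not (Test-Path -LiteralPath $folder)) {
    Write-Output "Folder not present: $folder"
    return
}

# 1. Inventory: size, timestamp, hash and Authenticode status of every file.
#    A 'NotSigned' result is not proof of tampering; the article does not
#    say whether the sample scripts are signed (assumption to verify).
Get-ChildItem -LiteralPath $folder -File -Recurse | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        File      = $_.FullName.Substring($folder.Length + 1)
        Bytes     = $_.Length
        Modified  = $_.LastWriteTime
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-List

# 2. Inertness: list scheduled tasks whose action references the folder.
$hits = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        "$($_.Execute) $($_.Arguments)" -like "*$folder*"
    }
}
if ($hits) { $hits | Select-Object TaskPath, TaskName, State }
else { Write-Output "No scheduled task references $folder" }

# 3. Write access: which identities could modify these files?
(Get-Acl -LiteralPath $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Recording the hashes on a known-good machine gives a baseline to compare against other machines that received the same update.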

Who Needs to Care? IT Admins vs. Home Users

The SecureBoot folder is primarily a tool for IT administrators in organizations that manage multiple Windows 11 devices through Active Directory. For them, the scripts provide a simpler, more reliable way to ensure all machines in the fleet receive the updated Secure Boot certificates before the June deadline. This is especially important for enterprises that need to maintain security compliance across hundreds or thousands of endpoints.

For home users, the folder changes nothing. You can safely ignore it. It does not affect performance, security, or the functionality of your PC. However, you might be tempted to delete it to reclaim a small amount of disk space (the folder is only a few kilobytes). Should you?

Should You Delete the SecureBoot Folder?

Microsoft explicitly advises not to delete the SecureBoot folder. While it may appear to be unnecessary, Windows Update may check for its presence during future servicing operations. If the folder is missing, a future update could fail, throw an error, or take longer to process as the system tries to recreate the expected environment. Similar scenarios have occurred with other system folders in the past, where removal led to unexpected update failures.

Thus, even if you are a home user and never plan to use the scripts, leaving the folder untouched is the safest course of action. Deleting it provides no benefit but carries a small risk of causing update-related issues down the road.

How to Ensure Secure Boot Certificates Are Up to Date

If you want to verify that your system has the latest Secure Boot certificates, the easiest way is to keep Windows fully up to date through Windows Update. Check for optional updates as well; the KB5089549 update is mandatory for receiving the new certificates. You can also run the following PowerShell command (as administrator) to check the certificate status:

Get-SecureBootUEFI -Name db

If the command returns a valid Secure Boot configuration, your system is up to date. Additionally, the SecureBoot folder scripts can be used to double‑check status, but that is primarily for IT admin scenarios.
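
A fuller status check than the bare command, as an added example (not from the original article and not one of the scripts in the SecureBoot folder): it confirms Secure Boot is enforced and searches the firmware's KEK and db variables for the 2023 certificate names. Those names come from Microsoft's public Secure Boot guidance, not from this page, and the substring match is a quick heuristic rather than a full parse of the signature list.

```powershell
# Added example: report Secure Boot state and whether the 2023 certificates
# are present in firmware. Run as administrator on a UEFI system.
# Certificate names are from Microsoft's public guidance (assumption: they
# are not listed in the article itself).
$expected = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
}

try {
    # Returns $true or $false; throws on systems without UEFI Secure Boot.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Output "Secure Boot not supported or not readable: $($_.Exception.Message)"
    return
}
Write-Output "Secure Boot enabled: $enabled"

foreach ($var in $expected.Keys) {
    try {
        $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
    } catch {
        Write-Output "${var}: could not read variable ($($_.Exception.Message))"
        continue
    }
    # Certificate subject strings sit as ASCII-compatible text inside the
    # DER data, so a substring search works as a quick presence check.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($name in $expected[$var]) {
        [pscustomobject]@{
            Variable    = $var
            Certificate = $name
            Present     = $text.Contains($name)
        }
    }
}
```

A row with Present set to False while Secure Boot is enabled means the machine is still enforcing boot verification but has not yet received that certificate.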

Conclusion

The SecureBoot folder is not malware, bloatware, or a privacy concern. It is a practical addition from Microsoft to help enterprise IT admins manage the expiration of Secure Boot certificates. Home users can treat it as a harmless system folder that should remain in place to avoid potential update complications. As always, keeping your system updated is the best defense against security issues, and the May 2025 update is an important step in maintaining a trusted boot environment.