Share via

Windows ADK upgrade to 10.1.26100.2454

Swati Arora 156 Reputation points
2026-04-07T06:14:55.8033333+00:00

Working on windows 10 22H2. Need to upgrade to ADK 10.1.26100.2454. Not sure should I just reload existing bootwim with new ADK or re-create a brand new WinPE.

Can someone help clarify below as well

  1. Would new bootwim will include both certificates 2011 and 2023
  2. If mainly WinRE is being used and we don't want to create new WinPE, Win PE add-on isnt necessary during ADK upgrade right ?
  3. Post this upgrade and post 2011 certificate expiration, we don't have to manually take any other actions right ? Currently we have BIOS upgrade in progress.

Please advise any more pre-requisites I have missed as doing it for the first time.

Thanks

Windows for business | Windows Client for IT Pros | Devices and deployment | Set up, install, or upgrade
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest

  1. AI answer

    2026-04-07T06:15:09.7266667+00:00

    The Windows ADK 10.1.26100.2454 (December 2024), when serviced with the latest ADK patch, is the currently recommended version and supports Windows 10 and Windows 11, including Windows 10 22H2.

    From the provided information, only the following points are supported:

    1. The ADK and WinPE add-on installers in 10.1.26100.2454 have been updated to remove a vulnerability in the KitBuilder infrastructure, and the ADK patch KB5079391 fixes CVE‑2026‑25166 in WSIM and adds Secure Boot validation improvements in the OA3 Tool. There is no explicit statement in the context about which specific Secure Boot certificates (2011 vs 2023) are present in the boot.wim or WinRE images created with this ADK.
    2. To use Windows PE features (including creating or updating WinPE boot images), the Windows PE add-on for the ADK 10.1.26100.2454 must be installed. The context does not state that the WinPE add-on is optional if only WinRE is used, nor does it describe a WinRE‑only workflow for this ADK version.
    3. The OA3 Tool in the patched ADK is updated to validate Secure Boot certificate configuration on factory-built devices due to Secure Boot CA expirations beginning in June 2026, and OEMs are recommended to adopt this ADK and use the updated OA3 Tool for all factory provisioning. The context does not state that no further action is required after ADK upgrade and BIOS updates, nor does it describe all post‑expiration behaviors or required steps.
    4. The ADK patch mechanism allows updating ADK 10.1.26100.2454 and newer without uninstalling/reinstalling the entire kit. When a significant security patch is released, it is explicitly called out on the ADK servicing page. For this ADK version, applying KB5079391 (or newer) is explicitly recommended.

    Because the context does not provide detailed guidance on:

    • whether to reuse an existing boot.wim vs. recreate a new WinPE image in this specific upgrade scenario,
    • exact certificate contents (2011 and 2023) of new boot images or WinRE,
    • or a complete list of prerequisites and post‑upgrade steps for Secure Boot key rollover, no additional steps or guarantees beyond the above can be stated based on the provided material.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

    1 person found this answer helpful.
  2. VPHAN 33,990 Reputation points Independent Advisor
    2026-04-10T14:23:35.6166667+00:00

    Hi Swati Arora,

    How is your issue going? Has it been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)

    VP

    Was this answer helpful?

    0 comments
  3. VPHAN 33,990 Reputation points Independent Advisor
    2026-04-08T03:36:31.2933333+00:00

    Swati Arora

    You're absolutely clear to proceed with the upgrade. The ADK version 10.1.26100.2454, while built on the Windows 11 architecture, is fully backward compatible and officially supported for deploying Windows 10 22H2. Moving directly to the December 2024 patch release as you referenced is the correct approach, as it resolves several component injection bugs present in the initial 26100 build. Your existing Windows 10 operating system images will deploy seamlessly using this newer environment.

    Before executing the upgrade, your primary prerequisite check should focus on your deployment infrastructure versioning. If you utilize Microsoft Endpoint Configuration Manager to handle your task sequences, you must verify your site server is running at least version 2403 to guarantee full compatibility with the 26100 ADK. Attempting to use this ADK with an older Configuration Manager build can trigger task sequence execution errors or cause boot image distribution failures across your environment.

    You must also evaluate the scripts executing within your WinPE phase. Because the 26100 build mirrors Windows 11 24H2, VBScript has officially entered its deprecation phase. If your deployment relies on legacy VBScripts, you must explicitly inject the WinPE-Scripting and WinPE-WMI optional packages from the %ProgramFiles(x86)%\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs directory into your new boot image. Failing to include these specific packages will result in immediate runtime or script initialization errors during the early stages of your deployment.

    Hope this helps :)

    VP

    Was this answer helpful?

    0 comments
  4. VPHAN 33,990 Reputation points Independent Advisor
    2026-04-07T06:55:05.67+00:00

    Hi Swati Arora,

    Moving to the 26100 ADK requires you to generate a brand-new WinPE image because servicing an existing Windows 10-based boot.wim with Windows 11-based binaries often leads to versioning conflicts in the registry and the component store. By using the fresh winpe.wim found in the %ProgramFiles(x86)%\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment path, you ensure that all underlying binaries are natively signed with the Microsoft UEFI CA 2023. This is vital because the new boot image will include both the 2011 and 2023 signatures, allowing it to remain bootable after the 2011 certificate is eventually revoked at the firmware level.

    You can't skip the Windows PE Add-on installation even if your workflow focuses on WinRE. The base ADK installation only provides the deployment tools and command-line utilities, while the actual bootable environment source files reside exclusively within the Add-on. Without this component, you will lack the necessary files to create or modify any recovery or deployment media. Since version 26100 is based on the Windows 11 architecture, you must also account for the fact that x86 (32-bit) WinPE is no longer supported; you will be working strictly with x64 environments.

    Regarding the certificate transition, while the new ADK handles the software side, your primary manual action is ensuring your BIOS updates successfully apply the updated Secure Boot Forbidden Signature Database (DBX) to your hardware fleet. If the BIOS upgrade does not correctly update the Revocation List, your devices might still be vulnerable or fail to validate the new signatures correctly. Additionally, ensure any custom drivers you inject into the new WinPE are compatible with the latest UEFI requirements to prevent "Digital Signature" error codes during the boot sequence.

    Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VP

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.