Microsoft has published the August 12, 2025 cumulative security update for older Windows 11 branches — KB5063875, which updates OS Builds 22621.5768 and 22631.5768 — delivering a combined Latest Cumulative Update (LCU) and Servicing Stack Update (SSU) for devices still on Windows 11 versions 22H2 (Enterprise/Education) and 23H2 (all editions). The release is a focused security rollup that carries forward fixes from prior monthly updates, bundles a servicing‑stack refresh (KB5062686), explicitly calls out the looming Secure Boot certificate expiration program, and reiterates end‑of‑servicing timelines for 22H2 Enterprise/Education. Microsoft lists no known issues at publication; the update is available via Windows Update, Windows Update for Business, WSUS and the Microsoft Update Catalog. (support.microsoft.com)

Background / Overview

Windows servicing in 2024–2025 has two parallel branch families in active circulation for many customers: the newer 24H2 channel (OS builds based on the 26100 family) and older 23H2 / 22H2 channels (OS builds based on the 22621 / 22631 family). Microsoft continues to publish monthly cumulative updates for those older channels when they remain in support; KB5063875 is the August 12, 2025 security update targeted at the 22621.5768 and 22631.5768 builds. The release model used here — combining the SSU with the LCU into a single package — is intended to make patch application more reliable and reduce installation failures. (support.microsoft.com)
Two platform notes are essential context for administrators:
  • Build duality: 22621 and 22631 represent two build families used to gate feature exposure; 22621 commonly ships features off by default, while 22631 is the “feature‑on” variant for more aggressive rollouts. That remains true for cumulative servicing updates like KB5063875.
  • End of servicing: Microsoft reminds administrators that some 22H2 SKUs have limited future servicing windows — notably, Enterprise/Education editions of 22H2 continue to receive security updates through a fixed date but no longer receive preview (non‑security) updates; customers should plan migrations to supported versions. (support.microsoft.com)
This update sits squarely in the security + quality bucket. It backfills fixes from prior updates (including July 2025 releases), refreshes the servicing stack to improve update reliability, and carries targeted quality fixes — including at least one direct reliability fix for Copilot key behavior on affected SKUs. (support.microsoft.com)

What KB5063875 Contains

Highlights and headline fixes

Microsoft’s public release notes (the KB article) summarize the package as a security update with quality improvements. Key points called out by Microsoft include:
  • Security fixes across the OS as listed in the August 2025 security update roll‑up (full CVE listings are in Microsoft’s Security Update Guide).
  • Servicing Stack Update (SSU): KB5062686 is included to strengthen the component that installs Windows updates and to reduce future installation failures.
  • Copilot reliability: a specifically documented fix improves the Copilot key behavior and resolves an issue that prevented Copilot from restarting after the key was used (listed in the 22H2 Enterprise/Education release notes, which carry backported fixes). (support.microsoft.com)
Microsoft explicitly states that, for 23H2 devices, this build “includes all the improvements in Windows 11, version 22H2” and that there are no additional issues documented in this release at publication time. Administrators should take that at face value but pair it with pilot testing — real‑world diversity of hardware and drivers can still surface regressions. (support.microsoft.com)

Servicing details and uninstall behavior

Because the package bundles an SSU and LCU, you cannot uninstall the SSU once the combined package is applied. If you need to remove the LCU portion after installation, Microsoft documents a DISM /remove-package workflow that identifies and removes the LCU package by name, but the SSU remains. Windows Update Standalone Installer (wusa.exe) cannot be used to uninstall the combined package with the /uninstall switch. This is a critical operational limitation for recovery planning. (support.microsoft.com)

Secure Boot certificate expiration: the important advisory

One of the most consequential items reiterated in the KB is the Secure Boot certificate expiration advisory. Microsoft reminds organizations that certificates issued in 2011 (key Secure Boot CA/KEK values) are scheduled to begin expiring starting in June 2026. If devices do not receive the updated 2023‑era certificates (or equivalent firmware updates), affected machines may be unable to apply pre‑boot fixes or might fail to boot securely under existing Secure Boot policies. Microsoft has provided a multi‑pronged rollout plan to replace those certificates in platform KEK/DB variables and in the OS where applicable. (support.microsoft.com)
Why this matters in practice:
  • Availability risk: an unmanaged or air‑gapped fleet that never receives the certificate update could, in edge cases, experience boot failures or refused updates for pre‑boot components.
  • Firmware interplay: Secure Boot trust anchors are partly held in firmware (UEFI NVRAM variables). Updating OS packages alone may be insufficient for some devices; firmware/UEFI vendor cooperation is required.
  • Long lead time: Microsoft’s explicit six‑ to twelve‑month timeline is a call to action — administrators should inventory devices, confirm firmware vendor support, and plan certificate distribution for offline or controlled networks. (support.microsoft.com)
Independent reporting and industry analysis have repeatedly flagged this program as high‑impact and requiring administrative coordination; credible vendor and community coverage underscores that the problem is not hypothetical. Treat this as a project — not a routine patch. (bleepingcomputer.com, borncity.com)

Who should install KB5063875, and how to get it

  • Consumers and managed devices on Windows 11, version 23H2 (all editions) and Windows 11, version 22H2 (Enterprise and Education) should receive KB5063875 automatically through Windows Update and Windows Update for Business where configured. IT teams using WSUS will see the update sync when configured for Windows 11 security updates; the standalone MSU package is available in the Microsoft Update Catalog for manual or offline deployment. (support.microsoft.com)
  • The update is classified as a security update (LCU) and will be delivered in the normal monthly servicing cadence. Test ring deployments (pilot groups) are strongly recommended before broad enterprise rollout. Use staged deployment with Intune/Configuration Manager or WSUS to limit exposure until sufficient validation is complete.
  • If you need to remove the LCU after installation:
      • Identify installed packages: run DISM /online /get-packages.
      • Remove the specific LCU package: DISM /online /remove-package /packagename:<name-from-get-packages>.
      • You cannot remove the SSU after installation; rollback will not fully restore the pre‑update servicing stack state. (support.microsoft.com)
  • For environments that cannot receive updates directly from Microsoft (air‑gapped/isolated), download the offline installer from the Microsoft Update Catalog and follow documented offline servicing steps. The KB article points to the catalog for the associated files information. (support.microsoft.com)
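The DISM removal steps above, as an added PowerShell example that is not from the KB article: it reads the installed build, lists the servicing packages the same way DISM /online /get-packages does, and prints (without running) the removal command for the newest LCU. It assumes the package-name conventions noted in the comments (RollupFix for the LCU, ServicingStack for the SSU).

```powershell
# Added example (not from the KB article): find the LCU package that a combined
# SSU+LCU install left behind, so that only the LCU can be rolled back.
# Assumptions: LCU package names contain "RollupFix" and SSU names contain
# "ServicingStack" (current Windows 11 packaging); run from an elevated prompt.
#Requires -RunAsAdministrator

function Get-CurrentOsBuild {
    # CurrentBuild is the branch build (22621/22631); UBR is the revision (5768).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "$($cv.CurrentBuild).$($cv.UBR)"
}

function Get-ServicingPackages {
    # Same data as "DISM /online /get-packages", via the Dism PowerShell module.
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -match 'RollupFix|ServicingStack' } |
        Sort-Object InstallTime -Descending |
        Select-Object PackageName, PackageState, InstallTime
}

$build = Get-CurrentOsBuild
Write-Host "Installed OS build: $build"
if ($build -notin @('22621.5768', '22631.5768')) {
    Write-Warning "Build $build is not a KB5063875 build; review the list before removing anything."
}

$packages = Get-ServicingPackages
$packages | Format-Table -AutoSize

# Only the newest RollupFix (LCU) is a removal candidate; the SSU stays regardless.
$lcu = $packages | Where-Object PackageName -like '*RollupFix*'      | Select-Object -First 1
$ssu = $packages | Where-Object PackageName -like '*ServicingStack*' | Select-Object -First 1

if ($ssu) { Write-Host "SSU present (cannot be uninstalled): $($ssu.PackageName)" }
if ($lcu) {
    Write-Host "LCU removal candidate: $($lcu.PackageName)"
    Write-Host "To roll back the LCU only, run:"
    Write-Host "  DISM /online /remove-package /packagename:$($lcu.PackageName)"
    # Nothing is removed here; the command is printed for the operator to review first.
}
```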

Deployment checklist for IT administrators (recommended)

  • Inventory and prioritize: identify devices on 22H2 Enterprise/Education and 23H2 that must remain on those branches and devices scheduled for upgrade to 24H2.
  • Validate critical workloads: run smoke tests for sign‑in, network file shares (SMB), printing, VPN, and any vendor‑supplied security agents (EDR/AV) against KB5063875 in a pilot ring.
  • Confirm firmware and Secure Boot readiness: consult OEM firmware advisories; verify whether devices have already received vendor firmware updates that add the 2023 CA/KEK certificates or whether you must coordinate manual addition of certificates in controlled fleets.
  • Snapshot and backup: create system restore points or image backups for critical machines in the pilot; plan rollback only for the LCU portion (SSU will remain).
  • Use staged rollout tooling: leverage Windows Update for Business, Intune rings, or WSUS groups to throttle deployment and monitor telemetry for regressions.
  • Monitor Release Health and community channels: watch Microsoft’s Windows Release Health dashboard and vendor advisories for emerging problems after deployment.
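A readiness check for the Secure Boot certificate item in the checklist above and the advisory section before it, as an added PowerShell example (not Microsoft's tooling): it scans the firmware KEK and db variables for the 2023 certificates that replace the expiring 2011 ones. The certificate subject names are assumed from Microsoft's published names, and a plain text scan of the variable bytes stands in for a full EFI_SIGNATURE_LIST parser.

```powershell
# Added example (not from the KB article): report whether this device's firmware
# already trusts the 2023 Secure Boot certificates that replace the expiring 2011
# ones. Assumptions: the subject names below are the ones Microsoft ships, and a
# text scan of the raw db/KEK variable bytes is enough to detect them. Run elevated.
#Requires -RunAsAdministrator

# Each expiring 2011 certificate and the 2023 certificate that replaces it,
# with the UEFI variable (KEK or db) where it lives.
$CertPairs = @(
    @{ Variable = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';    New = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Variable = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';   New = 'Microsoft UEFI CA 2023' }
)

function Get-SecureBootVariableText {
    param([string]$Name)
    # Certificates in an EFI_SIGNATURE_LIST are DER-encoded, so their subject
    # names survive as plain ASCII inside the variable's bytes.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Test-SecureBootCertReadiness {
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }  # throws on legacy BIOS
    if (-not $enabled) {
        return [pscustomobject]@{ SecureBoot = $false; Ready = $false; Details = @() }
    }
    $cache = @{}
    $details = foreach ($pair in $CertPairs) {
        if (-not $cache.ContainsKey($pair.Variable)) {
            $cache[$pair.Variable] = Get-SecureBootVariableText -Name $pair.Variable
        }
        [pscustomobject]@{
            Variable = $pair.Variable
            Has2011  = $cache[$pair.Variable].Contains($pair.Old)
            Has2023  = $cache[$pair.Variable].Contains($pair.New)
            Needed   = $pair.New
        }
    }
    # Ready only when every 2023 replacement is already present in firmware.
    $missing = @($details | Where-Object { -not $_.Has2023 })
    [pscustomobject]@{ SecureBoot = $true; Ready = ($missing.Count -eq 0); Details = $details }
}

$report = Test-SecureBootCertReadiness
$report.Details | Format-Table -AutoSize
if (-not $report.SecureBoot) { 'Secure Boot is off or unavailable; certificate state does not apply.' }
elseif ($report.Ready)       { 'Firmware already trusts the 2023 certificates.' }
else { 'Missing 2023 certificate(s): schedule OEM firmware / KEK-db updates before June 2026.' }
```

A device that reports Has2023 = False for any row still depends on the 2011 trust anchors and belongs on the firmware coordination list; run the check again after the OEM or Microsoft update has been applied.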

Known issues and community signals

At the time of publication, Microsoft lists no known issues in the KB article for KB5063875. That statement is important but not a guarantee: history shows that complex cumulative updates can still surface device‑specific regressions after broader deployment. Third‑party and community channels (forums, vendor blogs, and IT news sites) are often the first places to see real‑world reports of regressions such as driver incompatibilities, audio/graphics regressions, or boot anomalies. Administrators should therefore validate the update in representative environments before mass deployment. (support.microsoft.com, borncity.com)
Past examples (for context): community reporting and independent blogs have documented cases where cumulative updates caused performance slowdowns, driver regressions, or functional regressions (for example, a prior August 2024 update produced CPU and performance anomalies on some fleets). Those incidents underline the need for pilot testing and backup plans even when vendors report no known issues. (borncity.com, reddit.com)

Troubleshooting guidance (practical steps)

  • If a machine fails to boot after the update:
      • Attempt safe mode or use the Windows Recovery Environment to uninstall the LCU portion if it is identifiable and removable via DISM.
      • If recovery cannot remove the SSU (SSUs are persistent), use offline repair or an image restore from backups in mission‑critical scenarios. Plan for this possibility ahead of large rollouts. (support.microsoft.com)
  • If a driver or application becomes unstable:
      • Check vendor driver updates first; roll back to vendor‑recommended versions if necessary.
      • Use Device Manager to roll back drivers where possible, or uninstall offending drivers and reinstall vendor‑supplied packages.
  • For Windows Update installation failures:
      • Confirm the servicing stack is healthy (the SSU included in the package is intended to help here); run sfc /scannow and a DISM health check (DISM /online /cleanup-image /restorehealth) as first diagnostic steps.
      • If Windows Update shows cryptic errors, examine WindowsUpdate.log and Event Viewer for installation error codes and search Microsoft's update guidance for targeted remediation.

Risk analysis — strengths and potential drawbacks

Strengths

  • Consolidated package: Bundling the SSU with the LCU reduces a common failure mode where an out‑of‑date servicing stack prevents a cumulative update from installing correctly.
  • Security posture: Rolling the latest CVE fixes into one update helps close immediate attack vectors for supported SKUs and aligns with standard enterprise patch practices.
  • Clear guidance on Secure Boot: Calling out the Secure Boot certificate lifecycle now gives IT teams time to plan firmware and policy changes ahead of the June 2026 deadline. (support.microsoft.com)

Potential risks and caveats

  • SSU immutability: Because the SSU cannot be removed once applied, a failed servicing stack upgrade can complicate rollback scenarios; this raises the stakes for pilot testing and pre‑deployment backups. (support.microsoft.com)
  • Hardware/driver diversity: The enormous variety of OEM firmware and drivers in mixed fleets means rare incompatibilities remain possible despite Microsoft QA.
  • Secure Boot coordination: Certificate updates require coordination across firmware vendors and OS deployment chains; incorrectly handled or neglected devices could face availability issues in 2026.
  • Perception and user friction: Past updates have produced visible regressions for users; even when Microsoft reports no known issues, patch anxiety can prompt end users to stop updates entirely — an outcome that increases security risk.

Practical recommendations (concise)

  • Do pilot tests on representative hardware and software stacks for at least 48–72 hours before broad rollout.
  • Inventory firmware: confirm OEM support for Secure Boot CA updates and plan how you’ll inject certificates into air‑gapped or manually managed endpoints.
  • Back up images for critical systems; have a tested recovery procedure that accounts for inability to uninstall SSUs.
  • Stagger deployment using update rings and monitor telemetry and helpdesk ticketing closely during the first 7–14 days of wide deployment.
  • Communicate to users: prepare guidance for end users on symptoms that should be escalated (e.g., boot failures, missing network, major audio/graphics malfunction).

Final assessment

KB5063875 is a routine‑looking — but operationally important — security rollup for older Windows 11 branches that blends a servicing stack refresh with the monthly cumulative security content. Its practical significance is amplified by the repeated emphasis on the Secure Boot certificate replacement program, which creates a longer‑term cross‑team remediation project for many IT organizations. Microsoft’s decision to bundle the SSU and LCU reduces installation fragility, but it also makes rollback more complicated; the update therefore demands standard but disciplined patch management practices: inventory, pilot testing, staged rollout, and robust backups.
For home users, the path is straightforward: allow Windows Update to apply the package, keep backups, and monitor for any strange behavior. For enterprises and organizations with mixed or regulated fleets, treat the Secure Boot advisory as a project with deliverables (firmware testing, certificate distribution plans, and stakeholder coordination) rather than a simple “install the KB” task. The August 12, 2025 KB5063875 release is a reminder that security updates are not just about patches — they are also a vehicle for important operational advisories that can affect availability months down the road. (support.microsoft.com) (bleepingcomputer.com, borncity.com)

Source: Microsoft Support August 12, 2025—KB5063875 (OS Builds 22621.5768 and 22631.5768) - Microsoft Support