Microsoft’s August cumulative update for Windows 11, version 24H2 — KB5063878 (OS Build 26100.4946) — ships as a combined Servicing Stack Update (SSU) plus Latest Cumulative Update (LCU), bringing routine security and quality fixes while renewing attention on an industry‑wide operational deadline: several Secure Boot certificates issued in 2011 begin to expire in mid‑2026 and must be addressed to avoid pre‑boot update and boot‑time trust issues.

Overview

Microsoft continues the monthly cumulative update cadence with a combined SSU+LCU package for Windows 11, version 24H2. The August 12, 2025 release is identified as KB5063878 and updates systems to OS Build 26100.4946; the package intentionally bundles the servicing stack update (SSU) with the cumulative fixes to reduce installation failures and simplify deployment across consumer and enterprise environments.
Bundled packages like this are standard practice: when SSU and LCU are combined, the servicing stack improvements that handle update installation are applied alongside OS fixes, minimizing the chance that an out‑of‑date SSU will block the LCU. Microsoft documents the SSU as effectively non‑removable once installed, which has implications for rollback planning.
At a glance, KB5063878 contains:
  • Security and quality improvements rolled forward from earlier releases.
  • A bundled SSU (reported as KB5065381, build 26100.4933 in the combined package).
  • Targeted AI/component updates intended for Windows Copilot+ devices (not applicable to all Windows 11 installations).
  • An explicit, high‑priority advisory and preparatory guidance for the Secure Boot certificate rollover that begins in June 2026.

What exactly is in KB5063878​

Security and quality fixes

Most of the release is the monthly security and quality work. Microsoft’s KB lists fixes in broad categories — authentication, reliability, and vulnerability mitigations — and points administrators to the Security Update Guide for CVE‑level mapping. One functional, user‑facing fix highlighted in the KB addresses a sign‑in delay on new devices caused by certain preinstalled packages; this is a targeted reliability improvement with direct impact on device provisioning and first‑sign‑in experiences.

Security teams and patch managers who need CVE‑level detail should map the monthly entries to their asset inventory; the KB itself is a package manifest and high‑level explanation rather than a CVE catalogue.

Servicing Stack Update (SSU) details​

The combined package includes the servicing stack update (KB5065381, build 26100.4933). SSUs are small but critical — they update the component that applies OS updates and help prevent a range of installation and servicing errors. Because the combined package installs SSU and LCU together, administrators avoid the manual sequencing usually required when SSU and LCU are separate. Note that SSUs cannot be uninstalled independently; administrators should plan for this when validating rollback and recovery options.

Copilot+ AI component updates (conditional)​

KB5063878 bundles specific AI component binaries — Image Search, Content Extraction, Semantic Analysis, and Settings Model — at version 1.2507.793.0. These binaries are distributed with the cumulative update but will only install on eligible Copilot+ PCs (devices that meet certain hardware, firmware, and licensing criteria). Standard Windows 11 and Windows Server SKUs will not receive these component payloads. Administrators should therefore not interpret missing AI binaries on non‑Copilot devices as an update failure.

The Secure Boot certificate rollover — why this matters now​

What’s changing, and when​

Microsoft has been explicit: certificates created in 2011 that underpin UEFI Secure Boot trust chains are set to begin expiring in June 2026, with an additional expiration window in October 2026 for other certificate components. The practical effect is that devices which retain the legacy 2011 CA certificates and do not receive the replacement 2023 CA family may stop accepting legitimately signed pre‑boot updates or could, in some edge cases, fail to boot securely under current Secure Boot policies. Microsoft is rolling out the updated certificates (the 2023 CA family) via Windows Update in a staged manner for consumer devices, and offers guidance for managed or air‑gapped systems that require manual action.

The technical surface: firmware, NVRAM, and OS coordination​

Secure Boot trust anchors are not purely an OS artifact. The Platform Key (PK), Key Exchange Key (KEK), and the signature databases (DB/DBX) are stored in firmware as NVRAM UEFI variables. Replacing certificates therefore requires coordination between firmware updates (from OEMs) and OS‑delivered updates that write or update those UEFI variables. If the firmware does not permit the required variable changes, or if OEMs do not publish compatible firmware, the OS‑level certificate push cannot complete successfully. This dependency on OEM firmware readiness is the single largest operational unknown in the program.

Practical consequences of inaction​

If devices remain on expired certificates:
  • They may stop receiving pre‑boot security fixes.
  • They could stop trusting new, legitimately signed boot components.
  • In worst‑case scenarios, misconfigured or unprepared devices could experience boot‑time failures or be unable to apply crucial pre‑boot patches.
These are not theoretical corner cases: the interplay of firmware constraints, update policies, and device provisioning can produce real availability and security impacts if the certificate rollover is mishandled.

Deployment guidance: a practical action plan​

The KB comes with guidance for different audiences. Below are concise, prioritized steps for each constituency, based on Microsoft guidance and broader operational experience.

For home users and small businesses

  • Keep Windows Update enabled and allow automatic updates where practical.
  • Apply the August 12, 2025 update when offered; Windows Update should handle the combined SSU+LCU automatically.
  • Apply OEM firmware (UEFI) updates as they become available.
  • For devices with nonstandard firmware (older models, custom images), perform one test update and confirm normal boot and Secure Boot behavior before updating many devices.

For enterprise IT administrators​

  • Inventory: identify machines with Secure Boot enabled and capture OEM, firmware, and BIOS versions.
  • Pilot: stage KB5063878 in a representative pilot ring that mirrors production firmware, drivers, and applications.
  • Coordinate OEM firmware updates: confirm availability of UEFI firmware that supports the 2023 CA changes and schedule firmware updates ahead of certificate updates.
  • WSUS/SCCM: ensure Products = Windows 11 and Classifications = Security Updates for automatic sync; test the combined package in offline scenarios.
  • Offline/air‑gapped fleets: adopt DISM / Add‑WindowsPackage workflows and prepare a documented, repeatable offline method to update KEK/DB variables where necessary.
  • Maintain a rollback and recovery plan (system images, restore points) because SSUs cannot be uninstalled independently.
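The inventory and firmware‑coordination steps above, together with the PK/KEK/DB dependency described earlier, can be turned into a per‑device readiness check. The following PowerShell script is an added example written for this thread; it is not code from the KB or from Microsoft. It reads the raw Secure Boot variables with the built‑in SecureBoot cmdlets and looks for the certificate common names as ASCII substrings (the same heuristic Microsoft documents for the 2023 CA). The exact CA names matched, the triage buckets, and the report path are my assumptions, not values from the KB.

```powershell
# Added example for this thread (not from the KB or Microsoft): gather one device's
# Secure Boot readiness facts so a fleet inventory can be built ahead of the 2026
# certificate rollover. Requires an elevated session on a UEFI machine to read the
# Secure Boot variables.
#
# Assumptions (mine): the certificate names below are the CNs of the 2011 and 2023
# Microsoft CAs, matched as ASCII substrings in the raw db/KEK variable bytes;
# $ReportPath is a placeholder.

function Get-SecureBootReadiness {
    [CmdletBinding()]
    param([string]$KbId = 'KB5063878')

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems; record that as "not UEFI".
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $null }

    $dbText = ''; $kekText = ''
    if ($null -ne $secureBoot) {
        try {
            # Raw EFI_SIGNATURE_LIST bytes; DER-encoded CNs appear as plain ASCII inside them.
            $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
            $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        } catch {
            Write-Warning "Could not read Secure Boot variables: $_"
        }
    }

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        Manufacturer    = $cs.Manufacturer
        Model           = $cs.Model
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        FirmwareDate    = $bios.ReleaseDate
        SecureBootOn    = $secureBoot                          # $true/$false, $null if not UEFI
        DbHas2011CA     = [bool]($dbText  -match 'Microsoft Windows Production PCA 2011')
        DbHas2023CA     = [bool]($dbText  -match 'Windows UEFI CA 2023')
        KekHas2011CA    = [bool]($kekText -match 'Microsoft Corporation KEK CA 2011')
        KekHas2023CA    = [bool]($kekText -match 'Microsoft Corporation KEK 2K CA 2023')
        KbInstalled     = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    }
}

function Get-RolloverStatus {
    # Collapse the facts into one triage bucket for the exception register.
    param([Parameter(Mandatory)] $Readiness)

    if ($null -eq $Readiness.SecureBootOn) { return 'NotApplicable-LegacyBIOS' }
    if (-not $Readiness.SecureBootOn)      { return 'SecureBootDisabled-Review' }
    if ($Readiness.DbHas2023CA -and $Readiness.KekHas2023CA) { return 'Ready-2023CAPresent' }
    if ($Readiness.DbHas2023CA -or  $Readiness.KekHas2023CA) { return 'Partial-RolloverInProgress' }
    return 'Pending-2011CAOnly'
}

# Usage: run elevated on each device (or via your management tooling) and collect the rows.
$ReportPath = "$env:TEMP\secureboot-readiness.csv"   # placeholder path
$r = Get-SecureBootReadiness
$r | Add-Member -NotePropertyName RolloverStatus -NotePropertyValue (Get-RolloverStatus $r)
$r | Export-Csv -Path $ReportPath -NoTypeInformation -Append
$r | Format-List
```

The CSV rows give the inventory the pilot and firmware‑coordination steps need: Manufacturer, Model and FirmwareVersion identify which OEM firmware to chase, while RolloverStatus separates devices that already carry the 2023 CAs from those still on the 2011 CAs only, which is the population to track in the exception register.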

For OEMs and firmware teams​

  • Publish and test UEFI firmware updates that allow Secure Boot variable changes.
  • Coordinate with Microsoft and test OS + firmware scenarios to ensure that the OS‑side certificate push succeeds across firmware revisions.
  • Communicate firmware availability clearly to customers and enterprise partners so administrators can plan coordinated rollouts.

Installation methods and practical commands​

Microsoft documents multiple installation methods for KB5063878 to support both managed and standalone deployments:
  • Windows Update and Windows Update for Business (automatic).
  • WSUS synchronization for managed environments.
  • Microsoft Update Catalog MSU files for manual/offline installs.
  • DISM /Add-Package or the Add‑WindowsPackage PowerShell cmdlet for offline image servicing and image‑based deployments.
Representative commands included in the KB demonstrate DISM, PowerShell, and offline DISM usage (for example: DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5063878-x64.msu). Administrators should follow the KB’s prescribed order for offline packages and ensure that Dynamic Update packages used for images match the month of the KB where possible.
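As an added example written for this thread (not a command from the KB), the following PowerShell function applies the combined MSU to an offline install.wim with the DISM cmdlets and commits the image only after verifying that the package is actually present. The image path, mount directory and package path are placeholders; the package filename follows the form quoted in the KB, and the build stamp used to recognise the LCU package name is the OS build the KB states.

```powershell
# Added example for this thread (not from the KB): service an offline install.wim with
# the combined SSU+LCU .msu and keep the image only if the package actually landed.
# All paths are placeholders; the .msu filename follows the form quoted in the KB.

function Update-OfflineImage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ImagePath,     # e.g. D:\images\install.wim (placeholder)
        [int]$Index = 1,                                # image index inside the .wim
        [Parameter(Mandatory)] [string]$PackagePath,   # e.g. C:\packages\Windows11.0-KB5063878-x64.msu
        [string]$MountDir = 'C:\mount',                 # scratch directory (placeholder)
        [string]$Build = '26100.4946'                   # build stamp carried in the LCU package name
    )

    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null
    $applied = @()
    try {
        # The combined .msu carries the SSU ahead of the LCU, so one Add-WindowsPackage call
        # installs both in the order the KB prescribes; no manual SSU-then-LCU sequencing.
        Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath | Out-Null

        # Verify against the mounted image rather than trusting the exit code alone.
        $applied = @(Get-WindowsPackage -Path $MountDir |
            Where-Object { $_.PackageName -like "*$Build*" -or $_.PackageName -like '*ServicingStack*' })
    }
    finally {
        # Commit only when the LCU is visible in the image; otherwise discard so the
        # source image is left untouched for the next attempt.
        if ($applied | Where-Object { $_.PackageName -like "*$Build*" }) {
            Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        } else {
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        }
    }
    return $applied | Select-Object PackageName, PackageState
}

# Usage (elevated):
# Update-OfflineImage -ImagePath 'D:\images\install.wim' -Index 1 `
#     -PackagePath 'C:\packages\Windows11.0-KB5063878-x64.msu'
```

Discarding on verification failure matters because the SSU portion cannot be removed once committed; keeping the source image pristine until the LCU is confirmed preserves a clean rollback point for image‑based deployments.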

Known issues, risks, and caveats​

No known issues at publication — but test anyway​

Microsoft reports it is “not currently aware of any issues” at the time of publication for KB5063878. That positive status does not eliminate the need for staged testing: historical experience shows that interactions with OEM firmware, drivers, and specialty software can reveal edge cases only after broader rollout. Administrators should still follow change control and pilot validation processes.

The OEM firmware readiness risk​

The most material operational risk is OEM firmware lag. If OEMs do not publish firmware that supports the 2023 CA certificate writes, or the firmware does not enable the necessary UEFI variable changes, affected devices may remain stuck on expired certificates in mid‑2026. This is an ecosystem‑level problem that requires coordination and a multi‑quarter remediation program for large fleets. Flag devices that cannot be updated and apply compensating controls (segmentation, increased monitoring, restricted access).

Dual‑boot and Linux users​

Systems using Microsoft‑signed shims (common in many Linux distributions) may see boot‑path changes if firmware does not accept the new certificates. Dual‑boot administrators must validate workflows on representative hardware and have distribution‑specific mitigations ready.

Telemetry and governance considerations

Opting into Microsoft‑managed Secure Boot updates for certain enterprise scenarios may interact with diagnostic data and telemetry choices; compliance leads should reconcile this with internal privacy and regulatory policies before enabling automated flows for sensitive or regulated fleets.

Recommended timeline (practical)

  • Within 48–72 hours: Install KB5063878 in a controlled test ring and validate sign‑in, boot, and core application behavior.
  • Within 2–4 weeks: Expand to pilot rings; start OEM firmware coordination for devices identified as requiring firmware updates for Secure Boot readiness.
  • By Q1–Q2 2026: Ensure critical and high‑value devices have received the replacement certificates (or are scheduled for replacement) well before the June 2026 expiration window.
  • By June 2026: Target completion of the initial KEK/DB replacements for as many devices as possible; keep an exception register for devices that cannot be updated and apply compensating controls.
  • By October 2026: Ensure second expiration window items (such as Windows Production PCA shifts) are addressed per Microsoft guidance.

Critical analysis — strengths, remaining gaps, and risk posture​

Strengths​

  • The combined SSU+LCU model reduces a common class of update failures and simplifies deployment for administrators, which is especially helpful in large, heterogeneous estates.
  • Microsoft’s repeated, public timetable for the Secure Boot certificate transition gives organizations valuable lead time to plan and coordinate rather than scrambling at the last minute.
  • Targeted AI component updates are modular and limited to Copilot+ hardware, lowering the chance of broad regressions on non‑NPU devices.

Gaps and risks​

  • OEM firmware readiness remains the largest unresolved dependency; Microsoft can deliver the OS‑side updates, but firmware that does not permit variable changes or does not accept the 2023 CA family will impede completion. Organizations must therefore treat firmware coordination as a first‑class activity in the remediation program.
  • Air‑gapped and highly regulated environments face significant operational overhead to implement manual certificate updates. Microsoft’s guidance for offline systems helps, but organizations must still invest in repeatable offline processes.
  • While no known issues are reported at publication, the Windows update ecosystem historically produces edge cases; the combination of SSU immutability and diverse firmware states argues for conservative, staged rollouts.

Unverifiable or environment‑specific claims

Claims about per‑device OEM rollout dates, or whether a given model will be updated by a specific OEM by a given date, must be treated as environment‑specific and validated directly with the OEM. The KB and Microsoft guidance provide a documented timeline, but per‑device readiness depends on OEM actions and on local change control. This caveat is critical for risk assessments and scheduling.


Final takeaway and practical next steps​

KB5063878 (OS Build 26100.4946) is a monthly cumulative update packaged responsibly as an SSU+LCU to minimize servicing failures and deliver security, reliability, and conditional AI component improvements. What elevates the August 12, 2025 release beyond routine is Microsoft’s reiterated warning and guidance around the Secure Boot certificate rollover that begins in June 2026 — an ecosystem‑level change that requires coordinated OS, firmware, and operational action to avoid boot trust problems.
Actionable priorities for IT teams:
  • Test KB5063878 quickly, validate boot and application behavior, and expand to pilot rings only after confirmation.
  • Inventory Secure Boot‑enabled devices, capture OEM and firmware versions, and coordinate firmware updates with vendors.
  • Prepare offline workflows and exception registers for devices that cannot be updated.
  • Treat the certificate rollover as a multi‑quarter program: start now, coordinate broadly, and validate completion well ahead of June 2026.
For consumers and small businesses that rely on OEM‑managed Windows Update, the immediate burden is lower: keep systems and firmware updated and rely on the staged Windows Update rollout for the certificate changes. For administrators running heterogeneous or high‑assurance fleets, the practical work begins today and will require disciplined inventory, OEM coordination, and staged testing to avoid a preventable disruption when certificates reach end‑of‑life.
KB5063878 is available through the usual distribution channels now; apply disciplined testing, confirm firmware readiness, and treat the Secure Boot certificate timeline as the real multi‑quarter risk to manage — not the monthly KB alone.

Source: Microsoft Support August 12, 2025—KB5063878 (OS Build 26100.4946) - Microsoft Support