KB5063878: August 2025 Windows 11 24H2 Update & Secure Boot Readiness

Microsoft released the August 12, 2025 cumulative security update for Windows 11, version 24H2 — KB5063878 (OS Build 26100.4946) — a combined LCU+SSU package that continues July’s quality fixes, delivers component updates for Copilot+ AI features, and reiterates a critical Windows Secure Boot certificate timeline that every IT team should budget for now.

Background / Overview​

Microsoft’s August cumulative update for Windows 11 version 24H2 is a traditional monthly “quality + security” release: it incorporates fixes shipped in July’s update set, includes a servicing stack update (SSU) to harden the update pipeline, and bundles minor AI-component upgrades targeted to Copilot+ hardware. The package is published as a combined SSU+LCU so that installations are more reliable and admins get the servicing-stack improvements alongside the security content.
Beyond routine vulnerability mitigation, the most consequential item for many organizations remains the Secure Boot certificate lifecycle advisory: Microsoft has flagged that the 2011-era Secure Boot certificates used broadly across Windows devices will begin to expire in June 2026, and administrators must prepare their fleets now to avoid possible secure-boot failures or loss of pre-boot updateability. This advisory is an ongoing program and Microsoft has published dedicated guidance and incremental updates to prepare devices for the certificate transition. (support.microsoft.com)

---

What’s in KB5063878 (quick summary)​

• Release date and target: August 12, 2025 for Windows 11, version 24H2; combined SSU + LCU packaged as OS Build 26100.4946.
• Security and quality: Addresses the security issues listed in Microsoft’s August security update roll-up and carries the fixes from KB5062660 (July 22, 2025).
• Servicing stack: Includes a servicing stack update identified as KB5065381 (build 26100.4933) that improves reliability of the component which installs Windows updates.
• AI components: Updates several AI components — Image Search, Content Extraction, Semantic Analysis, and Settings Model — to version 1.2507.793.0. These component updates apply only to Windows Copilot+ PCs and will not be installed on standard Windows client or server SKUs.
• Known issues: Microsoft reports no known issues for this release at publication.

Each of the above elements matters for a distinct stakeholder group — security teams, systems administrators, OEMs and firmware teams, and owners of Copilot+ devices — and the coordination requirements differ accordingly.

---

Deep dive: Secure Boot certificate expiration — what it means and why it matters​

The timeline and the concrete risk​

• The original Secure Boot certificates issued around 2011 (the KEK and UEFI CA chains) are scheduled to begin expiring in June 2026. When those certificates lapse, devices that have not received the replacement 2023-series certificates may stop receiving security fixes targeted at pre-boot components, and in some cases may no longer be able to boot securely under current Secure Boot policies. This is not theoretical — Microsoft’s rollout and guidance explicitly call out potential loss of updates or trust for boot components if devices are left on expired certificates. (support.microsoft.com, techcommunity.microsoft.com)
• Microsoft published new certificate versions (the 2023 CA family) and is planning a staged rollout so devices can receive the updated trust anchors long before the deadline. The vendor's recommendation is to let Microsoft manage Secure Boot updates via normal Windows Update channels for the majority of PCs; for managed or air-gapped systems, admins will need a coordinated process for applying certificate updates in firmware and OS variables. (support.microsoft.com)

Why this isn’t a simple “install an update” problem​

• Secure Boot’s trust anchors (Platform Key / PK, Key Enrollment Key / KEK, and DB/DBX) live partly in firmware and partly in NVRAM variables that UEFI manages. Applying a new CA can require both a firmware update from the OEM and an OS-level update that writes to the Secure Boot variables in a way the firmware accepts. If a device’s OEM firmware is old or not updated in time, the OS-side certificate updates may not succeed or may leave the device in an undesired state. Microsoft explicitly asks admins to coordinate with OEMs and to apply firmware updates before the certificate transition. (techcommunity.microsoft.com, support.microsoft.com)
• For air-gapped or highly restricted environments (government, industrial OT, regulated appliances), Microsoft cannot push certificates automatically. Such fleets must adopt offline workflows to install the new CA, and those workflows can be complex and device-specific. Microsoft has published guidance for these edge cases, but they require manual effort and testing. (support.microsoft.com, techcommunity.microsoft.com)

Short, pragmatic action checklist for IT teams​

• Inventory: Identify all devices (physical and virtual) that have Secure Boot enabled and record firmware versions and OEM support status.
• Firmware readiness: Contact OEMs and confirm which models have firmware updates required to accept the new 2023 CAs. Prioritize those devices for firmware updates.
• Allow Microsoft-managed updates where feasible: For the majority of consumer and enterprise devices, set the registry opt-in or use MDM/Group Policy to allow Microsoft to manage Secure Boot updates. Microsoft recommends setting the registry key MicrosoftUpdateManagedOptIn = 0x5944 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot to allow managed updates. (techcommunity.microsoft.com, support.microsoft.com)
• Test: Stage the certificate rollout in a lab and measure success on key device families, including dual-boot, VMs, and any devices running specialized boot firmware.
• Script and monitor: Build reporting to surface Secure Boot state (msinfo32 output or PowerShell query) and to detect devices that remain on legacy certificates.
• Plan for exceptions: Design an air-gap and offline update process for equipment that cannot accept Microsoft-managed updates. (support.microsoft.com, techcommunity.microsoft.com)

---

Servicing Stack Update (SSU) — why KB5065381 matters​

Servicing stack updates are the unsung infrastructure pieces that install other updates reliably; KB5065381 (reported as the SSU integrated into the August package) brings internal fixes to Windows’ update engine that reduce the risk of failed or stuck installs. Combining an SSU with the LCU reduces the number of separate steps admins must take and generally lowers the likelihood of update failures caused by an out-of-date servicing stack.
Why this is operationally important:

• Some failed installs in the field are caused not by the patch content but by a stale or inconsistent servicing stack. The combined SSU+LCU approach eliminates a common class of install errors and is Microsoft’s recommended best practice for enterprise deployment. (support.microsoft.com)

Operational recommendation: Ensure WSUS and patching tooling are configured to distribute combined packages; if you use manual MSU installs, apply SSUs and LCUs in the specific order Microsoft documents or use DISM with a folder that contains all packages so dependencies are resolved automatically.

---

AI components and Copilot+ PCs — what changed​

This update includes AI component updates for modules labeled Image Search, Content Extraction, Semantic Analysis, and Settings Model moving to version 1.2507.793.0. These updates are architected as modular components and are only applicable to devices in the Windows Copilot+ hardware category; non-Copilot devices and Windows Server SKUs will not receive or install these components.
What administrators and enthusiasts should note:

• If you manage a fleet that includes Copilot+ devices, validate Copilot-specific features after the update (for example, settings search and Copilot-related UIs). WindowsCentral and other outlets have noted Copilot+ exclusives landing alongside security updates in recent months; this is part of Microsoft’s hardware-plus-software differentiation strategy for 2025. (windowscentral.com)
• For standard devices, these component nodes are inert — they won’t install and shouldn’t introduce incompatibilities to non-Copilot endpoints.

---

Installation options and sysadmin guidance​

Microsoft supports multiple deployment channels for KB5063878: Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog as standalone MSU packages. The KB includes guidance for both in-place PCs and offline image servicing plus a recommended DISM workflow for administrators who prefer scripted offline deployments.
Practical installation recipes:

• Automatic (consumer / managed via Windows Update): Let Windows Update handle it; the combined package will download and install per configured policies.
• Manual (single machine): Download the MSU from Microsoft Update Catalog and run wusa.exe or use the Windows Update Standalone Installer. For a combined SSU+LCU package, wusa /uninstall won’t remove the SSU — Microsoft notes the SSU cannot be removed once applied.
• Offline / imaging (DISM): Place all MSU files in a single folder and use DISM to add packages. Example command for an online install from an elevated prompt:
• DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5063878-x64.msu
  Or use PowerShell:
• Add-WindowsPackage -Online -PackagePath "c:\packages\Windows11.0-KB5063878-x64.msu"
  These tools will auto-discover and apply prerequisites from the folder.

If you need to remove the LCU later, Microsoft documents how to find and remove the LCU package with DISM /online /get-packages and DISM /online /Remove-Package /PackageName:<LCU_PACKAGE_NAME>. Note that uninstalling the combined package via wusa will not work for removing SSU.

---

Risk assessment — what could go wrong​

• Firmware dependency: The Secure Boot CA rollout can be blocked or fail on devices with outdated or missing OEM firmware updates. In practice, OEM firmware is the gating factor; if you skip firmware updates you may block Microsoft’s OS-side CA updates. Microsoft repeatedly emphasizes OEM coordination. (techcommunity.microsoft.com, support.microsoft.com)
• Air-gapped and regulated systems: These environments will require bespoke, tested processes for writing new Secure Boot variables. Mistakes can render a device unbootable under Secure Boot; plan test/restoration procedures carefully. (support.microsoft.com)
• Update fatigue and human error: The large number of monthly changes combined with the Secure Boot deadline increases the chance of misconfiguration. For example, toggling Secure Boot off and back on can reset variables and undo certificate updates — Microsoft warns that toggling Secure Boot off may erase updates to the DB/KEK. That makes staged, recorded procedures essential. (support.microsoft.com)
• Edge cases: Dual-boot systems, custom bootloaders, Linux boot managers, and some virtualization setups may need additional testing; Windows-managed updates may update certificates that third-party OSes or custom bootloaders rely on, which can introduce complications in multi-OS environments. Microsoft’s guidance covers the typical scenarios, but edge cases remain the domain of careful lab testing. (support.microsoft.com)

---

Cross-checks and corroboration​

• Microsoft’s Secure Boot certificate advisory is primary: the company’s official guidance (Secure Boot certificate expiration and CA updates) lays out the expiration schedule and recommended mitigations, and is the authoritative source for this program. (support.microsoft.com)
• Microsoft’s Windows IT Pro blog provides an expanded operational narrative and reiterates the June 2026 deadline, the two-stage replacement of the UEFI CA (separating boot loader signing and option ROM signing), and actionable guidance such as the recommended registry opt-in for Microsoft-managed updates. This is a second, independent Microsoft channel that confirms the timeline and action steps. (techcommunity.microsoft.com)
• Industry reporting and briefings (consumer/press) document feature rollouts and component updates in August’s patch cycle — for example, WindowsCentral summarized the August feature set and Copilot+ device behavior changes that accompany the cumulative update. These independent write-ups help contextualize the update’s feature-surface for readers and corroborate Microsoft’s statements on Copilot+ exclusives. (windowscentral.com)

Where claims were not independently verifiable from public documentation — for instance, specific OEM firmware delivery schedules for certain legacy product lines — this article flags those as environment-specific and dependent on OEM channels. Organizations should confirm firmware availability with the OEMs that supply their hardware.

---

Recommended rollout plan (practical, step-by-step)​

• Immediate (this week)
• Confirm KB5063878 is visible in your patch management console and that the SSU is included. Record any test devices you will use for validation.
• Begin inventory of all devices with Secure Boot enabled (physical and virtual), extracting Secure Boot State from System Information (msinfo32) and exporting results to your asset database. (support.microsoft.com)
• Short-term (2–6 weeks)
• Coordinate with OEMs to get firmware update schedules for your device families. Prioritize servers, critical endpoints, and systems that are historically harder to update (medical devices, OT controllers). (techcommunity.microsoft.com)
• Create a staged test plan: one device per OEM model + one VM type + one dual-boot machine + one air-gapped device. Apply the combined update, validate boot, Secure Boot variables, and critical apps. (support.microsoft.com)
• Medium-term (6–20 weeks)
• Deploy firmware updates on prioritized devices. Apply KB5063878 (or subsequent cumulative updates that carry the certificate updates) to pilot groups. Monitor the Secure Boot state and Windows Update status. (support.microsoft.com)
• Long-term (by Q2 2026)
• Ensure remaining devices either have the updated certificates in KEK/DB or are scheduled for replacement/retirement. Maintain an exception register for devices that cannot be updated and plan compensating controls. (techcommunity.microsoft.com)

---

What home users and small businesses should do​

• For most home users and small businesses that rely on OEM-managed Windows Update, little immediate action is required other than keeping devices updated and applying firmware updates offered by the manufacturer. Microsoft is rolling the 2023 CAs to consumer devices via Windows Update in a staged manner; most consumers who perform routine updates should be covered. (support.microsoft.com)
• If your device is in a specialized environment (custom boot, dual-boot with Linux, or an older OEM model), consult manufacturer support and perform a targeted test prior to June 2026. If you manage a handful of computers, test a single device for the certificate update before applying to the entire set. (support.microsoft.com)

---

Final analysis — strengths, gaps, and risks​

Strengths

• Microsoft’s combined SSU+LCU model reduces install complexity and addresses a common root cause of update failures. The August package continues that pattern. (support.microsoft.com)
• Early, public notice of the Secure Boot CA lifecycle gives organizations lead time to plan, which is far preferable to a last-minute scramble. The company’s multi-channel guidance (support articles, IT-pro blog, and targeted OOB updates) is consistent and actionable. (support.microsoft.com, techcommunity.microsoft.com)
• Copilot+ component updates are modular and targeted, minimizing risk to non-Copilot endpoints. (windowscentral.com)

Gaps & risks

• OEM firmware readiness remains the single biggest unknown. Microsoft can publish OS-level guidance, but devices with stale firmware or unsupported OEM update paths may be unable to accept the new CA chain. That dependency is structural and requires OEM coordination. (techcommunity.microsoft.com)
• Small orgs and air-gapped fleets face an outsized burden to implement offline update processes; Microsoft’s guidance helps, but the operational overhead is still real. (support.microsoft.com)
• While Microsoft lists no known issues for KB5063878 at publication, the Windows update ecosystem historically produces edge-case regressions. Staged rollouts and test validation remain mandatory.

Cautionary note: any claim about OEM firmware schedules or device-specific rollout completeness that cannot be independently confirmed from Microsoft or the OEM should be treated as environment-specific and validated locally. Public reporting can confirm the program and timeline, but per-device readiness must be checked against OEM channels.

---

Conclusion​

KB5063878 is a routine-appearing August cumulative update that carries the familiar mix of security patches, servicing stack improvements, and targeted component updates. What elevates its operational priority is the continued emphasis — now repeatedly restated by Microsoft — that Secure Boot certificates issued in 2011 will begin expiring in June 2026 and that IT teams must prepare. The practical implication is not merely to patch Windows, but to coordinate firmware, update policies, and operational processes across device fleets and OEM relationships.
For administrators: treat the Secure Boot certificate transition like a multi-quarter program — take inventory now, test early, coordinate firmware updates, and use Microsoft-managed updates wherever possible. For home users: keep systems updated and apply OEM firmware when it appears. For everyone: stage, test, and measure success — an ounce of preparation will prevent a very disruptive and avoidable outage come June 2026. (support.microsoft.com, techcommunity.microsoft.com, windowscentral.com)

---

Source: Microsoft - Message Center August 12, 2025—KB5063878 (OS Build 26100.4946) - Microsoft Support