KB5074110 Setup Dynamic Update: Windows 11 24H2 25H2 and Server 2025

Microsoft’s KB5074110, published January 29, 2026, is a targeted Setup Dynamic Update for Windows 11 (versions 24H2 and 25H2) and Windows Server 2025 that refreshes the tiny but critical Setup runtime and related binaries — and it arrives at a delicate moment for IT teams because it also touches Secure Boot components and follows a disruptive January patch cycle that produced real-world boot and connectivity problems. (support.microsoft.com)

Background / Overview

Dynamic updates, the family that includes Setup Dynamic Updates and Safe OS (WinRE) Dynamic Updates, are deliberately narrow packages Microsoft uses to refresh the minimal set of files that Windows Setup and the recovery environment rely on during feature upgrades, resets, and offline recovery. Unlike LCUs (Latest Cumulative Updates), they do not add features or broadly re-service the OS; they keep installation and recovery flows compatible with evolving drivers, firmware, and cumulative servicing. Administrators and imaging teams treat these updates as part of image hygiene and media-refresh workflows because they let you update frozen install.wim or winre.wim images without rebuilding entire ISOs.
KB5074110 follows that pattern: it refreshes Setup binaries used during feature updates and sets or replaces specific setup-related files (for example Appraiser.dll and MediaSetupUIMgr resources), while also performing a Boot Manager change on devices that already include Microsoft’s UEFI CA 2023 certificate. The package replaces the earlier KB5068516 update. Microsoft’s public KB page lists the updated file versions and timestamps for easy verification. (support.microsoft.com)

What KB5074110 actually changes​

Core summary (what the KB says)​

  • Scope: Windows 11 version 24H2, Windows 11 version 25H2 (all editions), and Windows Server 2025. (support.microsoft.com)
  • Primary purpose: Refresh Setup binaries and other files that Windows Setup uses during feature updates and media-based installs. The goal is improved compatibility and fewer upgrade or recovery-time failures. (support.microsoft.com)
  • Secure Boot change: On devices that already have the Windows UEFI CA 2023 certificate present in their Secure Boot Signature Database (DB), KB5074110 will replace the older 2011-signed bootmgfw.efi with a 2023-signed boot manager binary. Microsoft explicitly warns that resetting the DB or toggling Secure Boot could trigger a Secure Boot violation, and recommends creating Secure Boot recovery media as a contingency. (support.microsoft.com)
  • Delivery: Distributed via Windows Update, Microsoft Update Catalog (standalone CABs for image injection), and WSUS. No host restart is required after applying the update. (support.microsoft.com)
  • Replacement: This update replaces KB5068516; that package's fixes are carried forward under KB5074110. (support.microsoft.com)

Notable updated files (selected)​

Microsoft lists file-level details in the KB manifest — useful for verification when you inject or inspect images. Representative entries include:
  • Appraiser.dll — version 10.0.26100.7697 (date: 17-Jan-26)
  • AcRes.dll and many MediaSetupUIMgr and SetupPlatform resource files — also populated with early‑January 2026 date stamps.
    These precise versions let admins validate that an image or WinRE instance actually received the update. (support.microsoft.com)

Why this matters: practical implications for admins and imaging teams​

Dynamic updates touch the exact code paths that run when an installation, reset, or recovery operation occurs. A stale Setup runtime or WinRE image can produce a wide variety of problems — from misclassification of upgrade compatibility (blocking valid upgrades) to outright failure of cloud reinstall, Reset this PC, or Automatic Repair flows on modern hardware.
  • Image parity: If deployment images (install.wim or winre.wim) lack the latest Setup or WinRE files, a device may fail during upgrade or recovery even though the host OS itself is patched. Keeping WinRE in sync with the running build reduces surprises when recovery runs.
  • Boot and Secure Boot risks: Because KB5074110 writes a new bootmgfw.efi when a UEFI CA 2023 cert is present, any administrator workflow that resets Secure Boot variables, clears the DB, or toggles Secure Boot on devices could unexpectedly trip Secure Boot failures. The KB’s explicit guidance to prepare Secure Boot recovery media reflects the operational risk. (support.microsoft.com)
  • Non-removability in images: Safe OS / WinRE dynamic updates are image-applied and often cannot be “uninstalled” from a WIM once injected; rollback typically requires restoring a previous golden image or rebuilding the image. That permanence increases both the value and the operational cost of mistakes.

The risk context: January 2026 patching pain​

January’s Patch Tuesday introduced several cumulative updates (for example KB5074109 for Windows 11 24H2/25H2) that have been associated with real-world regressions — including boot failures with an “UNMOUNTABLE_BOOT_VOLUME” symptom, device restarts instead of shutdown on a narrow set of systems, Remote Desktop authentication failures, and driver removals (notably a set of legacy modem drivers removed intentionally). Microsoft acknowledged multiple issues and shipped out‑of‑band corrections for at least some of the regressions. Independent reporting documented user impact and advised caution for wide deployment while fixes rolled out.
That context matters because KB5074110 interacts with the same setup and boot chains that caused or amplified the January problems. When a patch cycle produces boot regressions, the setup runtime and the WinRE payloads are exactly the artifacts you want to be correct, but they are also the artifacts that, if incorrectly integrated into images or applied to an environment that requires a legacy boot configuration, can make recovery harder. Windows-focused outlets reported Microsoft's investigations and workarounds in real time; those advisories underscore the need for careful testing before broad image refreshes or forced rollouts.

Recommended actions — a practical playbook for IT teams​

Below is an operational checklist you can use to adopt KB5074110 safely, ordered from immediate triage to full deployment.
  • Inventory and risk triage
    • Identify devices with custom Secure Boot configurations, non-standard UEFI DB contents, or systems that rely on legacy boot flows. Those are the highest-risk targets for the bootmgfw.efi change; flag them for manual validation before deploying the KB. (support.microsoft.com)
    • Identify systems that still rely on legacy modem drivers or other hardware-sensitive drivers removed by the January cumulative updates; those devices may already be fragile after January servicing.
  • Obtain packages for lab testing
    • Download the KB5074110 standalone CAB from the Microsoft Update Catalog so you can refresh test media or apply it offline. The KB explicitly points admins to the Update Catalog for standalone packages. (support.microsoft.com)
  • Build a controlled test matrix
    • Pick representative hardware across vendors and firmware versions; include devices with Secure Boot DB customizations, BitLocker-plus-TPM configurations, and any devices that regressed in January.
    • Scenarios to run: in-place feature upgrade, Reset this PC (local and cloud), Automatic Repair, and BitLocker unlock inside WinRE.
  • Inject and verify WinRE / Setup changes
    • For WinRE, use Microsoft's verification scripts and DISM inspection to confirm the WinRE image shows the expected file versions after applying the Safe OS DU. Script names vary by KB (Microsoft has shipped helpers such as GetWinReVersion.ps1 alongside other DUs); use whatever the companion DU's KB page provides.
    • On a test station, confirm the boot manager is replaced only on devices whose DB contains the UEFI CA 2023 certificate. Then, on a sacrificial device, reproduce the Secure Boot violation Microsoft documents (reset the DB after the swap) and confirm that the recovery media you plan to use actually restores boot. (support.microsoft.com)
  • Build Secure Boot recovery media now
    • Microsoft's KB explicitly recommends creating Secure Boot recovery media for the "Secure Boot violation" scenario that follows DB resets or toggles. Make this a standard step in your pilot. (support.microsoft.com)
  • Pilot and stage
    • Run a small, controlled production ring for 7–14 days, monitor helpdesk tickets and telemetry, then expand the rollout if no regressions appear.
    • Consider holding back broad auto-deployment via Windows Update for high-risk device groups; publish the CAB through WSUS or deploy via Configuration Manager so you control sequencing.
  • Fallback plan if you see serious regressions
    • Because WinRE updates are image-applied and often non-removable, the primary rollback tactic is to redeploy an earlier golden image (or restore a backup). Keep validated pre-update gold images readily available.
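The Secure Boot triage step in the checklist above is the one most teams cannot do by eye. The following PowerShell was written for this article and is not taken from Microsoft's KB. It parses the firmware's Secure Boot db variable (a chain of EFI_SIGNATURE_LIST structures) into X.509 certificates, reads which CA issued the boot manager currently on the EFI System Partition, and classifies the device so you know in advance whether KB5074110 will swap bootmgfw.efi there. It assumes an elevated session on a UEFI machine, the inbox SecureBoot module, and that drive letter S: is free for temporarily mounting the ESP; the risk tiers and the "non-Microsoft subject means custom entry" heuristic are this example's own choices, not Microsoft guidance.

```powershell
# Added example for this article (not a Microsoft script): classify a device's Secure Boot
# state before KB5074110 lands, so the bootmgfw.efi replacement can be predicted per device.
# Assumptions: elevated PowerShell 5.1+ on a UEFI machine; inbox SecureBoot module present;
# drive letter S: is free for temporarily mounting the EFI System Partition.

# EFI_CERT_X509_GUID from the UEFI spec: marks signature lists whose entries are DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificates {
    # Walk the EFI_SIGNATURE_LIST chain in a Secure Boot variable (db by default)
    # and return every X.509 certificate it contains.
    param([string]$Variable = 'db')
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $certs = [System.Collections.Generic.List[System.Security.Cryptography.X509Certificates.X509Certificate2]]::new()
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType (16) | ListSize (4) | HeaderSize (4) | SignatureSize (4)
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed variable: stop rather than loop forever
        if ($sigType -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the DER certificate
                $der = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $certs.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der))
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

function Get-BootManagerIssuer {
    # Mount the ESP, read the Authenticode signer of the current boot manager, unmount again.
    param([string]$Letter = 'S')
    $null = & mountvol "${Letter}:" /S
    try {
        $sig = Get-AuthenticodeSignature "${Letter}:\EFI\Microsoft\Boot\bootmgfw.efi"
        return $sig.SignerCertificate.Issuer
    } finally {
        $null = & mountvol "${Letter}:" /D
    }
}

function Get-KB5074110Readiness {
    $secureBootOn = Confirm-SecureBootUEFI          # throws on legacy BIOS or unsupported firmware
    $db           = Get-SecureBootDbCertificates -Variable db
    $subjects     = $db | ForEach-Object Subject
    $has2023      = [bool]($subjects -match 'Windows UEFI CA 2023')
    $has2011      = [bool]($subjects -match 'Windows Production PCA 2011')
    # Heuristic (this example's own): a db entry whose subject is not a Microsoft CA is an OEM or
    # custom entry and needs manual review before the boot manager is replaced.
    $custom       = @($subjects | Where-Object { $_ -notmatch 'O=Microsoft Corporation' })
    $issuer       = Get-BootManagerIssuer

    # KB5074110 swaps the boot manager only where the 2023 CA is in db; if the current binary is
    # still 2011-issued, the swap is still pending on this device.
    $willSwap = $has2023 -and ($issuer -match 'Windows Production PCA 2011')
    $risk = if (-not $secureBootOn)      { 'Low: Secure Boot off; re-enabling later still needs the 2023 CA in db' }
            elseif ($custom.Count -gt 0) { 'High: custom db entries; validate manually and build recovery media first' }
            elseif ($willSwap)           { 'Medium: KB5074110 will replace bootmgfw.efi with a 2023-signed binary' }
            else                         { 'Low: no boot manager change expected on this device' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SecureBootOn    = $secureBootOn
        Has2023CA       = $has2023
        Has2011CA       = $has2011
        CustomDbEntries = $custom
        BootMgrIssuer   = $issuer
        BootMgrWillSwap = $willSwap
        RiskTier        = $risk
    }
}

Get-KB5074110Readiness | Format-List
```

Run it through your management tooling and collect the objects centrally; the devices that land in the High tier are the ones to hand-check and to cover with Secure Boot recovery media before the KB reaches them, and the Medium tier tells you exactly where a DB reset after deployment would produce the violation Microsoft warns about.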

How to verify and validate the installation (concrete steps)​

Perform these checks in lab before any broad rollout.
  • Confirm package presence:
    • Download the KB5074110 CAB from the Microsoft Update Catalog for offline use and add it to your WSUS or Configuration Manager content library. The KB itself calls out the Catalog as the standalone source. (support.microsoft.com)
  • Inspect WinRE / Setup versions:
    • Use DISM to mount an offline WIM, then read file versions from the mounted tree (DISM has no file-version query of its own):
      • Mount: DISM /Mount-Wim /WimFile:C:\images\install.wim /Index:1 /MountDir:C:\wimmount /ReadOnly
      • Query: (Get-Item C:\wimmount\Windows\System32\Appraiser.dll).VersionInfo.FileVersion
      • Unmount: DISM /Unmount-Wim /MountDir:C:\wimmount /Discard (use /Commit only if you changed the image)
    • Verify on-device WinRE with reagentc /info and Microsoft's verification scripts (Microsoft has published helpers such as GetWinReVersion.ps1 with other Safe OS DUs; run equivalent checks so the WinRE target version matches the KB manifest). Exact script names and locations vary by KB; consult the companion DU's KB page for the specific script.
  • Test real recovery flows:
    • Run Reset this PC (local and cloud), Automatic Repair, and BitLocker recovery to ensure devices can boot into WinRE and resume operations.
    • Confirm input devices (USB keyboard/mouse) and storage drivers work inside WinRE on all test hardware families.
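To automate the version checks above, here is a PowerShell helper written for this article; it is not Microsoft's own tooling. It expands a Setup DU CAB into the media's \sources folder, which is how Microsoft's media-refresh procedure applies Setup DUs (Safe OS DUs, by contrast, are added to winre.wim with Add-WindowsPackage), and then compares files named in the KB manifest against expected versions, both under the media tree and inside a read-only mounted install.wim. All paths and the CAB file name are placeholders; the expected-version table carries only the Appraiser.dll row quoted in this article and is meant to be extended from the KB page.

```powershell
# Added example for this article (not Microsoft's tooling): refresh installation media with a
# Setup Dynamic Update CAB and verify that files the KB manifest lists are present at the
# expected versions, both in the media's \sources folder and inside a mounted WIM.
# Assumptions: all paths are placeholders; run elevated with the inbox DISM module; the CAB is
# the KB5074110 standalone package downloaded from the Microsoft Update Catalog.

# Expected versions from the KB manifest as quoted in this article. Add the remaining rows from
# Microsoft's file table; files absent from this map are simply not checked.
$ExpectedVersions = @{
    'Appraiser.dll' = [version]'10.0.26100.7697'
}

function Update-MediaSourcesFromSetupDU {
    # Setup DUs are expanded into the media's \sources folder (Microsoft's documented media-refresh
    # step); they are not added as a package to install.wim. expand.exe ships with Windows.
    param(
        [Parameter(Mandatory)][string]$CabPath,
        [Parameter(Mandatory)][string]$MediaRoot
    )
    $sources = Join-Path $MediaRoot 'sources'
    & "$env:SystemRoot\System32\expand.exe" $CabPath -F:* $sources | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }
}

function Test-FileVersions {
    # Compare each manifest file found under $Root (searched recursively) with its expected version.
    # A version older than the manifest means the DU did not land; a missing file is reported as Ok=$false.
    param([Parameter(Mandatory)][string]$Root)
    foreach ($name in $ExpectedVersions.Keys) {
        $expected = $ExpectedVersions[$name]
        $found = Get-ChildItem -Path $Root -Filter $name -Recurse -File -ErrorAction SilentlyContinue
        if (-not $found) {
            [pscustomobject]@{ File = $name; Path = $null; Expected = $expected; Actual = $null; Ok = $false }
            continue
        }
        foreach ($f in $found) {
            $vi = $f.VersionInfo
            $actual = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                File = $name; Path = $f.FullName; Expected = $expected; Actual = $actual
                Ok   = ($actual -ge $expected)
            }
        }
    }
}

function Test-OfflineWimVersions {
    # Mount install.wim (or winre.wim) read-only, run the same check against System32, and always
    # discard on unmount so inspection can never alter the golden image. Note that the System32 copy
    # of a file comes from cumulative servicing of the WIM; the Setup DU's copy lives under \sources.
    param(
        [Parameter(Mandatory)][string]$WimPath,
        [int]$Index = 1,
        [string]$MountDir = 'C:\wimmount'
    )
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountDir -ReadOnly | Out-Null
    try {
        Test-FileVersions -Root (Join-Path $MountDir 'Windows\System32')
    } finally {
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}

# Example run (placeholder paths; the CAB name is hypothetical):
# Update-MediaSourcesFromSetupDU -CabPath 'C:\DU\KB5074110-setup-du.cab' -MediaRoot 'C:\media\25H2'
# Test-FileVersions -Root 'C:\media\25H2\sources' | Format-Table File, Expected, Actual, Ok
# Test-OfflineWimVersions -WimPath 'C:\media\25H2\sources\install.wim' -Index 1 | Format-Table
```

Any row with Ok equal to $false is a media or image that has not received the update and should not be promoted to the next deployment ring; the read-only mount and unconditional /Discard are deliberate so that the verification step can be run repeatedly against a golden image without ever committing to it.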

Rollout strategies and gating (recommended)​

  • Use a phased approach:
    • Phase 0: lab validation and pilot (10–50 devices across different hardware families)
    • Phase 1: limited production ring for critical classes (e.g., imaging/build segments)
    • Phase 2: broader production rollout via managed channels (Configuration Manager, Update Rings)
  • Use WSUS or Configuration Manager to control when devices receive the CAB rather than relying on immediate Windows Update auto-deployment for groups you consider sensitive. The KB notes WSUS sync behavior and classification mapping for Windows Server 2025 and Windows 11. (support.microsoft.com)
  • Delay the update on devices that already reported January regressions until you confirm the LCU + KB5074110 combination does not regress in your environment.

Troubleshooting highlights and limitations​

  • Non-removable image changes: In many cases Safe OS dynamic updates that are applied into a WIM are not removable from that image; rollback is a restore of earlier gold images or re-creation. Plan golden image backups accordingly.
  • Secure Boot DB surprises: If your environment includes custom DB entries or uses partner CA certs, be careful. Resetting the DB or toggling Secure Boot can provoke a secure-boot violation after the boot manager is replaced; the KB’s recommended recovery media creation is not optional for organizations that change Secure Boot variables routinely. (support.microsoft.com)
  • Real-world regressions occurred in January 2026: independent reporting described unbootable systems and other regressions after January cumulative updates; while those incidents were not necessarily caused by KB5074110 itself, they demonstrate fragility in the update chain and make a conservative rollout plan prudent.

Strengths and benefits of KB5074110​

  • Targeted fix set: Dynamic updates like KB5074110 are small, easy-to-distribute packages focused on improving reliability of setup and recovery — a low-friction way to keep images and installer toolchains current without full OS rebuilds.
  • Explicit verifiability: Microsoft publishes file manifests and expected versions (Appraiser.dll and other files), enabling admins to verify the update in images and on devices before trusting them in production. (support.microsoft.com)
  • Necessary for modern hardware: As firmware and drivers evolve, WinRE and Setup must be refreshed to ensure consistent recovery behavior on new hardware families. These updates reduce the chance of failures during the most critical recovery moments.

Risks, unknowns, and where to be cautious​

  • Secure Boot interactions: The KB’s Boot Manager replacement and the broader Secure Boot certificate timeline (Microsoft warns certificates begin expiring in June 2026) create a narrow but high-impact failure mode. If administrators are not careful with Secure Boot DB operations, devices can fail to boot securely — and remediation requires prepared recovery media. (support.microsoft.com)
  • January regression backdrop: The January 2026 cumulative updates produced boot and connectivity regressions for some users. Although KB5074110 is a dynamic setup update and not an LCU, it operates in the same overall servicing ecosystem, and that ecosystem's complexity means interactions sometimes create surprises. Independent outlets documented Microsoft's acknowledgement and corrective releases in mid-January, reinforcing the need for cautious deployment.
  • Image permanence: Because certain Safe OS changes become embedded in WIMs, an unintended change can be hard to roll back at scale, increasing the cost of mistakes to operational teams.

Final verdict — how to treat KB5074110 in your patching lifecycle​

KB5074110 is routine but important. It updates the Setup runtime and, in specific cases, the Boot Manager, which is why it deserves deliberate handling rather than reflexive blanket deployment. For imaging teams and enterprise IT:
  • Treat KB5074110 as mandatory image-hygiene, but test aggressively first.
  • Build and verify Secure Boot recovery media before you touch devices that have non-default UEFI DBs. The KB explicitly recommends this. (support.microsoft.com)
  • Use Update Catalog CABs and controlled WSUS/SCCM deployment to stage the change rather than allowing immediate Windows Update auto-deploy to all endpoints. (support.microsoft.com)
If you follow a measured rollout plan — inventory, lab testing, pilot, staged expansion, and careful monitoring — KB5074110 will likely improve upgrade and recovery reliability without causing disruption. If you skip the verification steps or roll it out blindly across firmware-diverse fleets, you risk encountering the exact boot and recovery edge cases Microsoft warns about.

KB5074110 is available now through Windows Update, WSUS and the Microsoft Update Catalog; Microsoft’s KB page contains the full file manifest and the Secure Boot guidance that administrators must read before deployment. (support.microsoft.com)
Conservative testing and image hygiene remain the single best defenses against the kinds of update-time regressions the industry saw in January 2026: verify the file versions, validate recovery flows on representative hardware, prepare Secure Boot recovery media, and keep pre-update golden images handy for rollback.

Source: Microsoft Support KB5074110: Setup Dynamic Update for Windows 11, version 24H2 and 25H2, and Windows Server 2025: January 29, 2026 - Microsoft Support