Microsoft released the March 10, 2026 cumulative update for Windows 10 (KB5078885), and it’s targeted at devices enrolled in the Extended Security Updates (ESU) program. The patch advances eligible systems to Windows 10 Build 19045.7058, includes a servicing stack update that prepares devices for the new Secure Boot 2023 boot manager signature, and explicitly lists a quality fix described as a stability issue affecting certain GPU configurations. For administrators and power users who prefer offline servicing, Microsoft has made the standalone .msu packages available through the Microsoft Update Catalog, while most consumer devices will receive the update automatically through Windows Update if they are eligible under ESU.
Background
Windows 10 reached its mainstream end-of-support window in late 2025, and Microsoft made Extended Security Updates available as a one‑year bridge to October 13, 2026 for eligible consumer and small-business devices. That ESU program is the gating requirement for receiving monthly security and quality fixes after the platform’s general support cutoff; if your Windows 10 PC is not enrolled in ESU, you will not receive KB5078885 via Windows Update.
This March cumulative is part of Microsoft’s regular Patch Tuesday cycle and continues a pattern we’ve seen over the last year: monthly LCUs (latest cumulative updates) combined with servicing stack updates (SSUs) that enable higher‑risk changes to boot components and certificate stores. KB5078885 is noteworthy because it touches two system-critical areas: graphics stability and the platform’s Secure Boot certificate chain.
What’s in KB5078885 (Build 19045.7058)
Release basics
- Release date: March 10, 2026.
- Applies to: Windows 10 versions 21H2 and 22H2 on devices enrolled in ESU (consumer ESU and supported enterprise channels as applicable).
- New OS Build: 19045.7058 (and 19044.7058 for specific SKUs).
- Delivery: Windows Update (automatic for eligible devices), Microsoft Update Catalog (.msu) for offline/managed deployments, WSUS and Windows Update for Business per policy.
Key improvements called out by Microsoft
- Graphics: “Improved: A stability issue affecting certain GPU configurations.” Microsoft’s release notes intentionally keep the language broad; no vendor‑ or model‑level list of affected GPUs was published in the update documentation.
- Secure Boot: The update includes expanded targeting for delivery of Secure Boot 2023 certificates to a broader set of client devices. The accompanying SSU replaces the older 2011-signed boot manager with a 2023-signed version on devices that already have the 2023 certificate authority in their UEFI database.
- Windows System Image Manager: A new warning dialog to help confirm that catalog files are from a trusted source.
- File History: Fixes for character-handling issues in Control Panel backups.
Secure Boot 2023: What’s changing and why it matters
Why certificates are being updated
Secure Boot relies on a chain of trust: firmware (UEFI) contains signature databases and certificate authorities used to validate the Windows Boot Manager (bootmgfw.efi) and other boot-time binaries. Over time Microsoft rotates and replaces signing certificates to maintain cryptographic strength and to revoke compromised keys. The Secure Boot 2023 changes are Microsoft’s planned rotation to newer signing certificates; Microsoft’s documentation warns that older certificates are set to expire beginning in June 2026, which would leave devices without the newer protections unless the certificate updates are applied.
What KB5078885 and its SSU do
The servicing stack included with KB5078885 (listed separately as a combined SSU + LCU in the release notes) performs two related roles:
- It installs logic to replace an older 2011-signed bootmgfw.efi with a 2023-signed version when the device’s Secure Boot database already includes the Windows UEFI CA 2023 certificate authority.
- It expands the diagnostics-based targeting so that more devices that match Microsoft’s “high confidence” telemetry will be selected to receive the certificate updates automatically in a phased rollout.
Potential pitfalls
- Devices whose firmware (UEFI/BIOS) is out-of-date or uses nonstandard Secure Boot keys can fail to boot if the device doesn’t have the expected certificate chain. Microsoft’s process aims to reduce that risk by only delivering certificates to devices that show successful update signals, but the possibility of boot failures exists for certain hardware/firmware combinations.
- OEM firmware that has been customized, or machines that use third-party boot managers or unsigned custom bootloaders, may encounter problems after the boot manager signature changes. Systems with modified Secure Boot databases (e.g., removed Microsoft keys) are at greater risk.
- Servers and cloud-hosted devices are less likely to be targeted automatically because Microsoft’s telemetry is limited for those environments; nonetheless, the update applies to enterprise SKUs where appropriate and administrators should follow server-specific guidance.
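
The precondition described above (the boot manager is only swapped when the firmware db already holds the Windows UEFI CA 2023) can be checked per device before deployment. The script below is an added example, not code from Microsoft or the source article; it assumes an elevated Windows PowerShell 5.1 session on UEFI hardware, and the function name `Get-SecureBootDbCertificate` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: enumerate the X.509 certificates in the firmware Secure Boot "db"
# and report whether the Windows UEFI CA 2023 named in the article is present.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI specification)

function Get-SecureBootDbCertificate {
    param([byte[]]$DbBytes = (Get-SecureBootUEFI -Name db).Bytes)

    $offset = 0
    while ($offset + 28 -le $DbBytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list size,
        # header size and per-entry signature size as little-endian UINT32s.
        $typeBytes = New-Object byte[] 16
        [Array]::Copy($DbBytes, $offset, $typeBytes, 0, 16)
        $listSize   = [int][BitConverter]::ToUInt32($DbBytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($DbBytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($DbBytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $DbBytes.Length) { break }  # malformed list

        if ([guid]::new([byte[]]$typeBytes) -eq $X509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $headerSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the DER certificate.
                $der = New-Object byte[] ($sigSize - 16)
                [Array]::Copy($DbBytes, $entry + 16, $der, 0, $der.Length)
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize   # hash-type lists (non-X.509) are skipped
    }
}

$certs = @(Get-SecureBootDbCertificate)
$certs | Sort-Object NotAfter | Format-Table -AutoSize

[pscustomobject]@{
    SecureBootEnabled = Confirm-SecureBootUEFI   # $true when Secure Boot is on
    Has2023CA         = [bool]($certs | Where-Object { $_.Subject -match 'Windows UEFI CA 2023' })
    EarliestExpiry    = ($certs | Sort-Object NotAfter | Select-Object -First 1).NotAfter
}
```

A device that reports `Has2023CA = False` still relies on the older certificates, which makes it a candidate for the firmware and OEM coordination described in this section.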
The GPU stability fix — what we know and what remains unclear
Microsoft’s notes describe a generic “stability issue affecting certain GPU configurations.” That terse line is purposeful: it confirms that the March LCU contains a fix tied to graphics subsystem instability without enumerating which GPU vendors or driver versions are implicated.
Why the wording matters
- When Microsoft uses the phrase “certain GPU configurations,” it typically signals a bug that depends on a combination of GPU hardware, driver version, and possibly other system factors such as graphics drivers from OEMs, presence of specific apps or kernel-mode components, or particular Windows graphics stack interactions.
- Past months have seen update-induced instability that manifested as explorer.exe crashes, taskbar or Start menu failures, and even blue screens (BSODs) tied to the DirectX driver stack (for example, dxgmms2.sys or GPU driver interactions). Microsoft’s approach here is to ship a focused quality fix to avoid leaving affected systems in a degraded state.
Reported symptoms in the wild
Community reports over the past several months have described issues including:
- Explorer.exe hangs or crashes on sign-in, leading to missing taskbar and Start menu.
- Taskbar and Start menu elements becoming unresponsive or closing immediately when opened.
- Black screens or freezes when launching games or GPU-intensive apps (historically tied to driver/regression interactions).
- a Windows-side race condition or bug in the OS graphics stack that impacts multiple vendors under specific circumstances, or
- a compatibility problem triggered by a narrow set of drivers + hardware + software combinations.
Practical takeaways
- If you have experienced Start menu, taskbar, or Explorer instability that began after recent updates, KB5078885 might be relevant — installing the update (on an ESU‑enrolled device) is the correct next step.
- For gaming or workstation machines, verify that you have the latest vendor driver (Nvidia/AMD/Intel) compatible with your OS build before and after applying the cumulative update.
- If your device uses third‑party shell replacements, performance utilities, or undocumented kernel drivers, treat the update as higher-risk and test it first.
How to get KB5078885: online, offline, and enterprise delivery
Consumer and most small business devices
- If your PC is enrolled in ESU, the simplest path is to open Settings > Update & Security > Windows Update and use Check for updates. Eligible devices will see KB5078885 offered automatically.
- ESU enrollment must be completed before updates are delivered; Microsoft provides an Enroll now wizard in Windows Update for eligible devices.
Offline/manual installers (.msu)
- Microsoft publishes the standalone .msu packages via the Microsoft Update Catalog for offline or multi-machine installs. These packages are ideal for:
  - Administrators managing disconnected environments.
  - Technicians who maintain a local update media set.
  - Situations where Windows Update isn’t delivering the update automatically (e.g., controlled WSUS configurations or blocked channels).
- Verify your platform (x64 vs ARM64) and the correct Windows 10 version (21H2 vs 22H2).
- Ensure the latest SSU prerequisites are present—Microsoft lists the specific SSU baseline checks in the release documentation; missing SSUs can prevent the LCU from applying.
- Install SSUs first when required, then the LCU (.msu), and reboot as directed by the installer.
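
The offline steps above can be scripted as a pre-check, install, and post-reboot verification. This is an added example, not code from Microsoft or the source article: `$MsuPath` is a placeholder for the package you downloaded, the function names are hypothetical, and the build numbers are the ones quoted in this article.

```powershell
#Requires -RunAsAdministrator
# Added example. $MsuPath is a placeholder for the .msu downloaded from the Update Catalog.
function Install-OfflineMsu {
    param(
        [Parameter(Mandatory)][string]$MsuPath,
        [ValidateSet('x64', 'arm64')][string]$PackageArch = 'x64'
    )
    # The package architecture and Windows 10 build family must match the device.
    $archMap = @{ AMD64 = 'x64'; ARM64 = 'arm64' }
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($archMap[$env:PROCESSOR_ARCHITECTURE] -ne $PackageArch) {
        throw "Package is $PackageArch but this session reports $env:PROCESSOR_ARCHITECTURE."
    }
    if ($cv.CurrentBuild -notin '19044', '19045') {
        throw "Build $($cv.CurrentBuild) is not one of the builds this update applies to."
    }

    # The file arrived outside Windows Update, so confirm it carries a valid Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $MsuPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Signature check failed for ${MsuPath}: $($sig.Status)"
    }

    # Install silently and leave the reboot decision to the operator.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$MsuPath`"", '/quiet', '/norestart' -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { 'Installed.' }
        3010    { 'Installed; reboot required.' }
        2359302 { 'Already installed.' }
        default { throw "wusa.exe exited with code $($proc.ExitCode)." }
    }
}

function Test-Kb5078885Build {
    # Run after the reboot: the article gives 19045.7058 (or 19044.7058) as the patched build.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build   = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
        Patched = ($cv.CurrentBuild -in '19044', '19045') -and ($cv.UBR -ge 7058)
        HotFix  = [bool](Get-HotFix -Id 'KB5078885' -ErrorAction SilentlyContinue)
    }
}
```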
Enterprise channels: WSUS, WUfB, and SCCM
- KB5078885 is available through WSUS and synchronized Update Catalog feeds when configured with the correct products/classifications.
- For SCCM/ConfigMgr environments, import the standalone packages or let the infrastructure sync them if policy allows; test the update in a controlled ring before broad deployment.
- Admin teams should coordinate firmware (UEFI) updates from OEMs alongside Microsoft’s certificate rollouts to minimize boot issues on older hardware.
ESU enrollment: eligibility and options (consumer guidance)
Microsoft’s consumer ESU program provides a 12‑month extension of security updates for eligible Windows 10 consumer devices, with enrollment options that were rolled out ahead of the October 2025 end-of-support milestone.
Enrollment options commonly available include:
- Free (sync settings): Sync certain device settings to a Microsoft Account / cloud backup (Windows Backup) and enroll through the Settings wizard.
- Redeem Microsoft Rewards points: Redeem 1,000 Microsoft Rewards points for ESU activation on the eligible device(s).
- One-time purchase: Pay a one-time fee (the publicized $30 USD per device or local currency equivalent) to enroll.
- Enrollment is per device; however, Microsoft supports multiple enrollments under the same Microsoft Account for a limited number of devices (verify limits during the enrollment flow).
- Enrollment requires signing into a Microsoft Account; local-only accounts will be prompted to link to a Microsoft Account during the ESU wizard.
- The ESU program extends updates only through October 13, 2026. It is a time‑boxed bridge, not indefinite support.
Risk assessment and recommended precautions
Applying monthly cumulative updates that touch boot or driver components always carries risk. KB5078885 includes changes to both the Secure Boot chain and the graphics stack, making cautious deployment prudent.
Recommended pre-deployment checklist
- Backup first. Create a full system image or at minimum a reliable file backup before applying updates—this is nonnegotiable for devices you cannot afford to have offline for extended remediation.
- Test ring. Validate the update on a small set of representative devices (consumer, business, and legacy hardware) before broad roll‑out.
- Firmware and driver updates. Confirm that device UEFI/BIOS firmware is current and that GPU drivers are at the vendor‑recommended levels.
- SSU prerequisites. Ensure required Servicing Stack Updates are installed first; Microsoft’s release notes enumerate the SSU baselines for offline images.
- Recovery plan. Have recovery media and a plan to restore from image or to roll back the update in environments where downtime is critical.
- Boot failures or “missing boot device” errors with Secure Boot enabled on older or heavily customized devices. If this occurs, try disabling Secure Boot temporarily only as an emergency recovery step and engage OEM support or firmware updates.
- Explorer / Start menu / taskbar failures that persist post-update. If these show up, check for updated GPU drivers and look for event log entries that point to driver or shell-module crashes.
- WSUS/SCCM synchronization hiccups. Admins managing older catalogs may find some updates are blocked until required baseline LCUs or SSUs are present in the images.
- Microsoft’s release notes do not publish a list of affected GPU vendors or specific driver versions; any claims naming a specific vendor as “definitively affected” should be treated as speculative unless backed by vendor advisories or Microsoft documentation.
- Community posts reporting boot failures after similar certificate rollouts exist, but these are incident reports; whether your specific hardware will be affected depends on firmware, OEM updates, and the presence of Microsoft’s 2023 CA in the device database.
Troubleshooting guidance if something goes wrong
- If the system fails to boot after installing the update:
  - Attempt a recovery using Windows Recovery Environment (WinRE). If Secure Boot is implicated and the machine is accessible, confirm Secure Boot state in firmware settings.
  - If you can boot to WinRE, consider disabling Secure Boot only as an emergency troubleshooting step to confirm the cause; re-enable it after remediation.
  - Use the system image or backup to restore if the device cannot be recovered quickly.
- If the Start menu or taskbar is missing/unresponsive:
  - Restart Explorer.exe via Task Manager.
  - Check Event Viewer for application or system crashes that reference explorer.exe, dxgmms2.sys, or GPU driver failures.
  - Update GPU drivers to the latest signed vendor release; if the issue appeared after a recent driver update, roll back to the prior known-good version.
- If the update repeatedly fails to install:
  - Ensure the required SSU is installed and that the device meets ESU enrollment criteria.
  - Run the Windows Update Troubleshooter or the DISM and SFC utilities to repair component store corruption.
  - For offline installs, confirm the correct .msu package for architecture and Windows version, and that prerequisites for image servicing are present.
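
The Event Viewer check in the list above can be run as a single query that also marks whether each event occurred after the update was installed. This is an added example, not code from Microsoft or the source article; the function name is hypothetical, and the provider names and event IDs are the standard Windows ones for application crashes, application hangs, display driver resets and bugchecks, which are assumptions not stated on this page.

```powershell
# Added example: collect shell and graphics crash evidence from the event logs.
function Get-ShellGpuCrashEvent {
    param([datetime]$Since = (Get-Date).AddDays(-14))

    # InstalledOn is a date only, so "AfterUpdate" is accurate to the day.
    $kb = Get-HotFix -Id 'KB5078885' -ErrorAction SilentlyContinue

    $filters = @(
        # Application crash (1000) and hang (1002) records
        @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 },
        @{ LogName = 'Application'; ProviderName = 'Application Hang';  Id = 1002 },
        # Display driver stopped responding and was reset
        @{ LogName = 'System'; ProviderName = 'Display'; Id = 4101 },
        # Record written on the boot that follows a blue screen
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001 }
    )

    foreach ($filter in $filters) {
        $filter.StartTime = $Since
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            # Application events are kept only when they name the shell or the graphics module;
            # the System events above are already graphics or bugcheck specific.
            Where-Object { $filter.LogName -eq 'System' -or $_.Message -match 'explorer\.exe|dxgmms2\.sys' } |
            ForEach-Object {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Log         = $_.LogName
                    Id          = $_.Id
                    Source      = $_.ProviderName
                    AfterUpdate = [bool]($kb -and $kb.InstalledOn -and $_.TimeCreated -ge $kb.InstalledOn)
                    Summary     = ($_.Message -split "`r?`n")[0]
                }
            }
    }
}

Get-ShellGpuCrashEvent | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Events that cluster only before the install date suggest the cumulative update addressed the problem; events that begin after it point toward the driver rollback step above.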
Enterprise considerations and change control
For IT teams managing fleets:
- Incorporate the Secure Boot certificate change into firmware testing and vendor engagement cycles. OEM firmware updates may be required to ensure the device UEFI maintains compatibility with the new CA.
- Use a staged deployment with telemetry and monitoring. Microsoft’s rollout is intentionally phased for certificate distribution—mirror that cautious approach in your rings.
- Coordinate with application owners for GPU/graphics-dependent workloads. Workstation-class devices, VDI hosts, and game/development rigs merit special attention for driver validation.
- Review WSUS/SCCM settings to ensure the new KB is synchronized and that your catalog includes requisite SSUs.
Final analysis and recommendations
KB5078885 is a routine-looking cumulative update on paper, but the combination of a graphics stability fix and a servicing stack that modifies the boot manager signature elevates its operational importance. The Secure Boot 2023 rollout addresses an impending certificate rotation and is a necessary step in keeping the boot chain resilient against modern threats and cryptographic obsolescence. At the same time, changes to the boot path are inherently sensitive—one misaligned firmware/UEFI configuration or a missing OEM firmware update can turn a security improvement into a recovery incident.
The GPU stability fix is welcome, especially for users who suffered explorer.exe hangs, taskbar unresponsiveness, or crashes tied to game launches. Because Microsoft did not publish a vendor-specific list of affected GPUs, administrators and enthusiasts must rely on testing, vendor driver updates, and careful monitoring rather than guesswork.
Bottom line recommendations
- If you are an ESU‑enrolled consumer or run managed Windows 10 devices, plan a staged deployment: test on representative hardware, verify firmware and drivers, and keep recovery media and backups ready.
- For desktops used for gaming, creative work, or GPU-accelerated tasks, update GPU drivers in tandem with the cumulative update and validate major workloads.
- Don’t delay ESU enrollment if you want to keep receiving critical updates: enroll through the Settings > Windows Update flow, redeem Microsoft Rewards points, or use the one‑time purchase option if needed.
- Treat boot-path updates with heightened caution. Coordinate firmware updates from OEMs and document rollback procedures.
Source: Windows Latest Windows 10 KB5078885 out with a GPU fix, Secure Boot 2023, direct download links for offline installers (.msu)