Microsoft Releases KB5063689 Update for Windows 11 24H2 & Windows Server 2025 Enhancing Security & Recovery

Microsoft has released the KB5063689 Safe OS Dynamic Update for Windows 11, version 24H2, and Windows Server 2025 on July 22, 2025. This update enhances the Windows Recovery Environment (WinRE) by addressing specific issues to improve system stability and security.
Key Highlights of KB5063689:

• Windows Secure Boot Certificate Expiration: The update includes critical information regarding the expiration of Secure Boot certificates starting in June 2026. To prevent potential boot issues, users are advised to update their certificates in advance. Detailed guidance is available in Microsoft's documentation on Windows Secure Boot certificate expiration and CA updates.
• Improvements to Windows Recovery Environment (WinRE): The update introduces enhancements to WinRE, focusing on system recovery processes to ensure a more reliable recovery experience.

Installation Details:

• Availability: The update is accessible through Windows Update and the Microsoft Update Catalog.
• Prerequisites: There are no prerequisites for applying this update.
• Restart Requirements: A system restart is not required after applying the update.
• Removal Information: Once applied, this update cannot be removed from the Windows image.
• Update Replacement Information: This update replaces the previously released update KB5059693.

Verifying Installation:
After installing KB5063689, the WinRE version on the device should be 10.0.26100.4187. To verify the installed WinRE version, users can utilize the provided PowerShell script "GetWinReVersion.ps1" with administrative credentials. The script outputs the installed WinRE version, confirming the successful application of the update.
File Information:
The English (United States) version of this update installs files with specific attributes. For all supported x64-based versions, key files include:

• storufs.inf: Not versioned, dated 13-May-25, size 26,264 bytes.
• storufs.sys: Version 10.0.26100.4187, dated 13-May-25, size 148,936 bytes.
• tpm.inf: Not versioned, dated 13-May-25, size 11,804 bytes.
• tpm.sys: Version 10.0.26100.4187, dated 13-May-25, size 374,176 bytes.
• hvloader.dll: Version 10.0.26100.4187, dated 13-May-25, size 226,744 bytes.
• hvax64.exe: Version 10.0.26100.4187, dated 13-May-25, size 1,951,152 bytes.
• hvix64.exe: Version 10.0.26100.4187, dated 13-May-25, size 2,049,480 bytes.
• skci.dll: Version 10.0.26100.4187, dated 13-May-25, size 340,320 bytes.
• iumbase.dll: Version 10.0.26100.4187, dated 13-May-25, size 51,072 bytes.
• iumdll.dll: Version 10.0.26100.4187, dated 13-May-25, size 38,704 bytes.
• tprtdll.dll: Version 10.0.26100.4187, dated 13-May-25, size 451,880 bytes.
• vertdll.dll: Version 10.0.26100.4187, dated 13-May-25, size 216,368 bytes.
• ucrtbase_enclave.dll: Version 10.0.26100.4187, dated 13-May-25, size 646,120 bytes.
• securekernel.exe: Version 10.0.26100.4187, dated 13-May-25, size 1,316,256 bytes.
• VbsSiPolicy.p7b: Not versioned, dated 13-May-25, size 75,322 bytes.
• SDFHost.dll: Version 10.0.26100.4187, dated 13-May-25, size 63,512 bytes.
• IumSdk.dll: Version 10.0.26100.4187, dated 13-May-25, size 30,448 bytes.
• Facilitator.dll: Version 10.0.26100.4187, dated 13-May-25, size 1,144,248 bytes.
• apisetschema.dll: Version 10.0.26100.4187, dated 13-May-25, size 148,936 bytes.
• tcblaunch.exe: Version 10.0.26100.4187, dated 13-May-25, size 1,010,296 bytes.
• tcbloader.dll: Version 10.0.26100.4187, dated 13-May-25, size 312,760 bytes.
• DrtmAuthTxt.wim: Not versioned, dated 13-May-25, size 20,919 bytes.
• winload.sys: Version 10.0.26100.4187, dated 13-May-25, size 1,199,784 bytes.
• winload.exe: Version 10.0.26100.4187, dated 13-May-25, size 1,888,512 bytes.
• winload.efi: Version 10.0.26100.4187, dated 13-May-25, size 3,265,952 bytes.
• bcrypt.dll: Version 10.0.26100.4187, dated 13-May-25, size 166,768 bytes.
• bcryptprimitives.dll: Version 10.0.26100.4187, dated 13-May-25, size 641,992 bytes.
• tcpip.sys.mui: Version 10.0.26100.4187, dated 13-May-25, size 255,488 bytes.
• tbs.dll: Version 10.0.26100.4187, dated 13-May-25, size 113,096 bytes.
• tbs.sys: Version 10.0.26100.4187, dated 13-May-25, size 79,280 bytes.
• ucrtbase.dll: Version 10.0.26100.4187, dated 13-May-25, size 1,373,312 bytes.
• msvcp_win.dll: Version 10.0.26100.4187, dated 13-May-25, size 641,960 bytes.
• nsi.dll: Version 10.0.26100.4187, dated 13-May-25, size 51,096 bytes.

For all supported Arm64-based versions, similar updates are provided with corresponding file versions and sizes.
Conclusion:
The KB5063689 update is a crucial release for users of Windows 11, version 24H2, and Windows Server 2025. By addressing potential Secure Boot certificate expiration issues and enhancing the Windows Recovery Environment, this update ensures improved system stability and security. Users are encouraged to apply this update promptly to maintain optimal system performance and security.

---

Source: Microsoft Support https://support.microsoft.com/en-us/topic/kb5063689-safe-os-dynamic-update-for-windows-11-version-24h2-and-windows-server-2025-july-22-2025-802529c3-3d67-4d7f-87bc-2f9f396799b0