Microsoft’s August Patch Tuesday lands as a combined servicing stack and cumulative update that not only patches the usual security holes but also delivers a substantive set of user-facing improvements for Windows 11 version 24H2 — including Copilot+ feature updates, a redesigned unexpected‑restart experience (the “black” screen that replaces the long‑standing blue screen), and a new Quick Machine Recovery mechanism aimed at shortening downtime after crash events. (support.microsoft.com)
Source: Thurrott.com Microsoft Releases August 2025 Patch Tuesday Updates
Background / Overview
Microsoft published the August 12, 2025 cumulative update for Windows 11, version 24H2 as KB5063878 (combined Latest Cumulative Update + Servicing Stack Update), moving 24H2 clients to OS Build 26100.4946. The package includes a bundled SSU (listed inside the combined installer as KB5065381, servicing‑stack build 26100.4933), conditional AI component updates for Copilot+ hardware, and the routine monthly security mitigations. (support.microsoft.com)

Microsoft continues to use the combined SSU+LCU model to reduce failed installations and sequencing problems: the servicing stack that applies updates is refreshed as part of the same payload, which simplifies deployment but also means administrators must treat SSU changes as effectively permanent once applied. (support.microsoft.com)
Why this release matters beyond the headline fixes: Microsoft used the August notes to reiterate an ecosystem‑level operational program — several Secure Boot certificates issued in 2011 will begin expiring in mid‑2026 — which requires coordinated firmware and OS updates across OEMs and managed fleets to avoid pre‑boot updateability or boot‑time trust issues. That advisory elevates this Patch Tuesday from routine maintenance to an important planning milestone for IT teams. (support.microsoft.com)
What’s in KB5063878 — feature and component summary
The update mixes security and quality work with a cluster of conditional AI and resilience features. The most notable items are:
- Servicing stack update (SSU): KB5065381, bundled inside the combined package so that the servicing stack which installs the LCU is refreshed first. SSUs are permanent once installed and complicate rollback planning. (support.microsoft.com)
- OS build: Installs as OS Build 26100.4946 for Windows 11, version 24H2.
- AI / Copilot+ component refresh: Image Search, Content Extraction, Semantic Analysis, and Settings Model updated to version 1.2507.793.0 — these binaries are conditionally installed only on eligible Copilot+ PCs with required NPU hardware and OEM enablement. (support.microsoft.com)
- Recall and Click to Do improvements (Copilot+ PCs): Recall availability in the European Economic Area (EEA), a Reset Recall option, and new Click to Do actions (Reading Coach practice, Immersive Reader, Draft with Copilot in Word, Teams message/meeting actions). These features are rolling out gradually and are hardware- and region-dependent. (thurrott.com) (windowscentral.com)
- New unexpected‑restart UI + Quick Machine Recovery (QMR): A redesigned, streamlined screen replaces the classic Blue Screen of Death; improved crash‑dump collection and backend changes reduce user downtime dramatically and QMR provides automated remediation via Windows RE for systems that fail repeated restarts. (blogs.windows.com) (theverge.com)
- Search and Settings UX consolidation: Windows Search settings are consolidated into a single page under Settings > Privacy & security > Search.
- Snap Layouts and touch improvements: Snap Bar hints, Snap menu hover tips, and a new gamepad layout for the touch keyboard (including gamepad PIN sign‑in on the lock screen).
Deep dive: the new unexpected‑restart experience and Quick Machine Recovery
What changed visually and behaviorally
- The classic Blue Screen of Death is being replaced for Windows 11 24H2 with a streamlined black unexpected‑restart screen that better matches Windows 11’s visual language and removes the emotive “frowny face” and QR‑code clutter. The new screen retains the stop code and technical detail (including a hex stop code) so diagnostics remain possible for IT. (blogs.windows.com) (theverge.com)
- The screen is not merely cosmetic. It’s paired with backend improvements in how crash dumps are collected and processed to shorten how long a device sits on that screen.
How downtime is reduced
Microsoft reports that improvements to crash‑dump collection and the new path through the restart flow reduce the time spent on the unexpected‑restart screen from about 40 seconds to as little as 2 seconds for most consumer devices. That figure comes from Microsoft’s resiliency briefings and the Windows IT Pro communications; real‑world results will depend on device hardware, drivers, and how administrators configure dump collection and related diagnostics. (techcommunity.microsoft.com) (blogs.windows.com)

Caveat: the “2 seconds” is a typical‑case number tied to the new default behavior and small‑memory dump options; environments that require full kernel dumps for forensic purposes may see a different trade‑off between diagnosability and restart speed. Administrators who need richer dumps should configure policy deliberately and validate the behavior in test rings. (techcommunity.microsoft.com)
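The trade-off described above is decided by the kernel crash-dump policy on each device. The following PowerShell is an added example written for this article, not code from Microsoft or from the original piece; it reads the policy from the documented CrashControl registry values (cross-checked against the Win32_OSRecoveryConfiguration WMI class), lets a ring choose Small versus Kernel dumps deliberately, and flags a page file too small to hold a kernel dump. The "half of RAM" threshold in the page-file check is a rough heuristic chosen for this example, not a Microsoft figure. Run elevated.

```powershell
# Added example (not part of the article, not a Microsoft script): inspect and set the kernel
# crash-dump policy behind the fast-restart vs forensic-detail trade-off.
# CrashControl values are Microsoft-documented:
#   CrashDumpEnabled 0 = None, 1 = Complete, 2 = Kernel, 3 = Small (256 KB), 7 = Automatic (default)
#   AutoReboot       1 = restart automatically once the dump has been written
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$DumpName = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
$DumpCode = @{ None = 0; Complete = 1; Kernel = 2; Small = 3; Automatic = 7 }

function Get-CrashDumpPolicy {
    $reg = Get-ItemProperty -Path $CrashControl
    $wmi = Get-CimInstance -ClassName Win32_OSRecoveryConfiguration   # same settings, WMI view
    [pscustomobject]@{
        DumpType      = $DumpName[[int]$reg.CrashDumpEnabled]
        AutoReboot    = [bool]$reg.AutoReboot
        DumpFile      = $reg.DumpFile
        MinidumpDir   = $reg.MinidumpDir
        OverwriteDump = [bool]$reg.Overwrite
        WmiAgrees     = ([int]$wmi.DebugInfoType -eq [int]$reg.CrashDumpEnabled)
    }
}

function Set-CrashDumpPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('None', 'Small', 'Kernel', 'Automatic', 'Complete')]
        [string]$DumpType,
        [bool]$AutoReboot = $true
    )
    if ($PSCmdlet.ShouldProcess($CrashControl, "CrashDumpEnabled=$DumpType AutoReboot=$AutoReboot")) {
        Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value $DumpCode[$DumpType] -Type DWord
        Set-ItemProperty -Path $CrashControl -Name AutoReboot -Value ([int]$AutoReboot) -Type DWord
        # The new dump type is used from the next boot onward.
    }
}

# Kernel and Complete dumps are staged through the page file on the system drive; a capped page
# file silently yields truncated or missing dumps. Threshold below is this example's heuristic.
function Test-DumpPagefileHeadroom {
    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile) { return 'Page file is system-managed; Windows sizes it for the dump type' }
    $ramMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $pf = Get-CimInstance Win32_PageFileSetting | Where-Object Name -like "$env:SystemDrive*"
    if (-not $pf) { return "No page file on $env:SystemDrive; Kernel/Complete dumps need one (or a DedicatedDumpFile)" }
    if ($pf.MaximumSize -ne 0 -and $pf.MaximumSize -lt [int]($ramMB / 2)) {
        return "Page file capped at $($pf.MaximumSize) MB against $ramMB MB RAM; kernel dumps may be truncated"
    }
    'Page file sizing looks sufficient for kernel dumps'
}

Get-CrashDumpPolicy | Format-List
Test-DumpPagefileHeadroom
# Forensics / IR ring:              Set-CrashDumpPolicy -DumpType Kernel
# General fleet, fast-restart path: Set-CrashDumpPolicy -DumpType Small   (Automatic is the Windows default)
```

Audit first, then set the policy per ring rather than fleet-wide: the incident-response ring keeps Kernel (or Complete) dumps and accepts the slower restart, while the general ring can stay on Small or Automatic. Re-run Get-CrashDumpPolicy after the next reboot in the pilot to confirm the setting and the WMI view agree.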
Quick Machine Recovery (QMR) — what it does and who controls it
- Purpose: QMR is designed to automatically diagnose and remediate widespread boot or driver issues that would otherwise leave devices stuck in Windows Recovery Environment (Windows RE) and require manual IT intervention at scale. It can fetch and apply targeted remediations via Windows Update while the device is in WinRE, then reboot back to Windows if remediation succeeds. (blogs.windows.com) (helpnetsecurity.com)
- Controls: QMR is enabled by default on Windows 11 Home; on Pro and Enterprise, IT administrators control the feature and can set policies for whether automatic remediation is allowed, how frequently it scans for fixes, and which remediation channels it uses. Microsoft will add additional customization for IT later in the release cycle. (blogs.windows.com) (bleepingcomputer.com)
- Operational benefits: QMR reduces the manual workload for mass outages, shortens mean time to repair (MTTR), and lets Microsoft push targeted fixes into WinRE to restore affected fleets quickly. For high‑security or air‑gapped systems, this can be disabled or tightly controlled so remediation actions are auditable and constrained. (bleepingcomputer.com)
Practical implications and risks
- Benefit: Faster recovery and less end‑user disruption for common crash scenarios. QMR can be a lifesaver during large, driver‑triggered outages that would otherwise require significant IT time per device. (windowsforum.com)
- Risk: QMR requires network connectivity and the ability to fetch remediation packages via Windows Update or Microsoft’s channels. In highly restricted networks or strict security perimeters, enabling QMR without an approved remediation workflow could introduce policy or supply‑chain concerns. Organizations that need full control over what's applied should stage QMR in a pilot ring and validate the remediation repository and signing policy before enabling auto‑remediation broadly. (blogs.windows.com)
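The pilot-ring posture described above can be put into practice with reagentc.exe. The script below is an added example written for this article, not Microsoft's tooling beyond reagentc itself: `reagentc /info` and `reagentc /enable` are long-standing WinRE commands, while the `/getrecoverysettings` and `/setrecoverysettings /path <json>` options and the JSON key names (cloudremediation, autoremediation, totalwaittime, waitinterval) are reproduced from Microsoft's 24H2 Quick Machine Recovery documentation as the author of this example recalls them and should be treated as an assumption to verify against the current Microsoft Learn page before use. Run elevated on Pro/Enterprise.

```powershell
# Added example (not from the article): hold Quick Machine Recovery in a reviewable pilot posture.
# Option names and JSON keys for the QMR settings are assumed from Microsoft's documentation;
# confirm them before deploying.
function Get-WinReStatus {
    $out = & reagentc.exe /info 2>&1
    [pscustomobject]@{
        WinReEnabled = [bool]($out | Select-String -Pattern 'Windows RE status:\s+Enabled' -Quiet)
        Raw          = $out -join [Environment]::NewLine
    }
}

function Get-QmrSettings {
    # Dumps the current QMR configuration (assumed option name, see lead-in).
    & reagentc.exe /getrecoverysettings 2>&1
}

function Set-QmrPilotPolicy {
    param(
        [bool]$CloudRemediation    = $false,   # may WinRE fetch remediations from Windows Update?
        [bool]$AutoRemediation     = $false,   # may it apply them without an operator present?
        [int]$TotalWaitHours       = 72,       # retry window (assumed unit: hours)
        [int]$WaitIntervalMinutes  = 30,       # pause between attempts (assumed unit: minutes)
        [string]$Path = (Join-Path $env:ProgramData 'qmr-pilot.json')
    )
    $settings = [ordered]@{
        cloudremediation = @{ enabled = $CloudRemediation }
        autoremediation  = @{ enabled = $AutoRemediation; totalwaittime = $TotalWaitHours; waitinterval = $WaitIntervalMinutes }
    }
    $settings | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding ascii
    & reagentc.exe /setrecoverysettings /path $Path
}

# Pilot posture: WinRE stays available, but nothing is fetched or applied automatically until the
# remediation trust path has been reviewed. Re-enable per ring once that review is done.
if (-not (Get-WinReStatus).WinReEnabled) { & reagentc.exe /enable }
Set-QmrPilotPolicy -CloudRemediation $false -AutoRemediation $false
Get-QmrSettings
```

Exercise the recovery path in the lab before relying on it: Microsoft documents a test mode for QMR (again, verify the exact reagentc switches on Microsoft Learn) that forces the next boot into WinRE so the scan-and-remediate flow can be observed against your policy. The same settings are exposed to Intune through a device-configuration CSP, so the JSON file is only needed for devices managed outside Intune.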
Copilot+, Recall, and Click to Do: what’s rolling out and where
Windows 11’s AI layer continues to evolve, but important distinctions remain:
- Conditional delivery: AI component binaries are shipped with KB5063878 but only install on eligible Copilot+ PCs that meet Microsoft’s hardware, firmware, and licensing criteria (NPUs and OEM enablements). Non‑Copilot devices and server SKUs will not receive these binaries. (support.microsoft.com)
- Recall: The AI‑powered Recall preview is expanding to the European Economic Area (EEA) for Copilot+ PCs. Users will also find a Reset Recall option under Settings > Privacy & security > Recall & Snapshots that deletes the stored snapshot data. These are preview or gated features and will be rolled out gradually. (thurrott.com)
- Click to Do: Gains new actions for Copilot+ users — including Practice in Reading Coach, Read with Immersive Reader, Draft with Copilot in Word, and Teams integrations (send message, schedule meeting). Expect rollout to be selective by hardware and region. (windowscentral.com)
Secure Boot certificate timeline — why the August update reiterates a bigger program of work
Microsoft used the August update to reemphasize a cross‑ecosystem program: several Secure Boot certificates issued in 2011 are scheduled to start expiring in June 2026, with additional expirations later in 2026. Devices that do not acquire the replacement 2023 CA chain before expiration may lose the ability to receive pre‑boot updates or encounter Secure Boot trust issues. (support.microsoft.com)

Key operational points:
- The Secure Boot trust anchors (PK, KEK, db and dbx) are UEFI variables held in firmware NVRAM; the OS side ships boot components signed by the new CA and stages the new KEK/db entries, but the firmware has to accept and persist them. Remediation therefore often needs both the OS update and an OEM firmware update.
- Consumer devices that accept updates directly from Microsoft and OEMs will typically be updated automatically. Managed, restricted, or air‑gapped fleets must plan an offline or manual workflow to apply the 2023 CA chain into firmware/NVRAM prior to the expiration window.
- Inventory devices with Secure Boot enabled and catalog OEM/firmware versions.
- Confirm which devices will receive Microsoft/OEM automatic updates and which require manual intervention.
- Test certificate/firmware updates in a controlled ring, validating boot behavior and pre‑boot updateability.
- Communicate timelines and remediation procedures to operations teams and change control.
- Prepare rollback and exception processes for devices that cannot accept the new certificates without OEM firmware changes.
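The inventory step above can be automated with the in-box SecureBoot module. The script below is an added example written for this article, not a Microsoft script: Confirm-SecureBootUEFI and Get-SecureBootUEFI are the standard cmdlets, and the certificate subject strings are the published names of Microsoft's 2011 and 2023 Secure Boot CAs. The SecureBoot\Servicing registry value it reads is taken from Microsoft's servicing guidance as the author recalls it and is treated as an assumption (it is absent on devices that have not started the transition). Run elevated on UEFI hardware.

```powershell
# Added example (not part of the article): per-device Secure Boot certificate inventory for the
# 2011 -> 2023 transition. Subject names are Microsoft's published CA names.
$Anchors = [ordered]@{
    KEK_2011          = @{ Store = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011' }
    KEK_2023          = @{ Store = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
    DB_UEFICA_2011    = @{ Store = 'db';  Name = 'Microsoft Corporation UEFI CA 2011' }
    DB_UEFICA_2023    = @{ Store = 'db';  Name = 'Microsoft UEFI CA 2023' }
    DB_WinPCA_2011    = @{ Store = 'db';  Name = 'Microsoft Windows Production PCA 2011' }
    DB_WinUEFICA_2023 = @{ Store = 'db';  Name = 'Windows UEFI CA 2023' }
}

function Get-SecureBootCertInventory {
    $cs  = Get-CimInstance Win32_ComputerSystem
    $fw  = Get-CimInstance Win32_BIOS
    $row = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        Manufacturer    = $cs.Manufacturer
        Model           = $cs.Model
        FirmwareVersion = $fw.SMBIOSBIOSVersion   # what to quote to the OEM when asking for a fix
        FirmwareDate    = $fw.ReleaseDate
        SecureBoot      = 'Unknown'
    }
    foreach ($k in $Anchors.Keys) { $row[$k] = $null }

    try   { $row['SecureBoot'] = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { $row['SecureBoot'] = 'Unsupported'; return [pscustomobject]$row }   # legacy BIOS / CSM

    # KEK and db are EFI_SIGNATURE_LIST blobs of DER certificates. The CA subject names sit in them
    # as printable ASCII, so a substring test is a reliable presence check (the same approach
    # Microsoft's own KB guidance uses).
    $blob = @{}
    foreach ($store in 'KEK', 'db') {
        $blob[$store] = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $store).Bytes)
    }
    foreach ($k in $Anchors.Keys) {
        $row[$k] = $blob[$Anchors[$k].Store].Contains($Anchors[$k].Name)
    }

    # Assumed: Windows records transition progress here (e.g. NotStarted / InProgress / Updated).
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $row['ServicingStatus'] = if ($svc) { $svc.UEFICA2023Status } else { 'NotReported' }

    # Ready only when every 2023 anchor the device will rely on is present in firmware.
    $row['Ready2023'] = [bool]($row['KEK_2023'] -and $row['DB_UEFICA_2023'] -and $row['DB_WinUEFICA_2023'])
    [pscustomobject]$row
}

# One host to the console; across a ring, run via Invoke-Command and Export-Csv the rows.
Get-SecureBootCertInventory | Format-List
```

Devices that report SecureBoot = Enabled but Ready2023 = False are the ones to group by Manufacturer/Model/FirmwareVersion for OEM follow-up; devices reporting Unsupported or Disabled are out of scope for the certificate expiry but should be recorded, since they are outside the Secure Boot trust boundary altogether.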
Security summary and the Patch Tuesday numbers
Third‑party reporting and vendor summaries for August 2025 indicate a substantial security footprint this month. Independent outlets referenced Microsoft’s security rollup and the Zero Day Initiative’s aggregated overview of the month’s CVEs. Some coverage reported counts (for example, 107 new vulnerabilities with 12 rated Critical appeared in early industry summaries), but those tallies vary by counting method (Microsoft‑only CVEs versus third‑party component CVEs) and sometimes differ between trackers. Rely on Microsoft’s Security Update Guide and your internal CVE mapping to determine exact exposure for your environment; where third‑party counts differ from Microsoft’s published guidance, treat them as vendor summaries that may include additional non‑Microsoft CVEs or alternate counting rules. (thurrott.com)

Actionable security guidance:
- Prioritize installing the August updates promptly on internet‑facing and high‑risk assets.
- Map August CVEs from Microsoft’s Security Update Guide to your asset inventory and prioritize based on exploitability and exposure.
- Test combined SSU+LCU packages in a pilot ring first — SSUs are effectively non‑removable and change rollback planning. (support.microsoft.com)
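Mapping Security Update Guide CVEs to assets is easier against the machine-readable CVRF document than against the web UI. The script below is an added example written for this article, not a Microsoft tool: it walks a CVRF-shaped object, joins each CVE to the KB that fixes it per product, and reports hosts in an inventory that lack that KB. The `$Cvrf` and `$Inventory` objects are constructed stand-ins with placeholder CVE numbers and product IDs so the example runs offline; the field names follow the MSRC CVRF JSON layout as the author understands it (Threats Type 3 = severity, Type 1 = exploit status; Remediations Type 2 = vendor fix whose Description is the KB number) and should be checked against a real download, the endpoint for which is given in the comment.

```powershell
# Added example (not from the article): join CVRF vulnerabilities -> fixing KB -> hosts missing it.
# Live document (network): 
#   $Cvrf = Invoke-RestMethod -Uri 'https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2025-Aug' -Headers @{ Accept = 'application/json' }
# Below is a CONSTRUCTED stand-in: placeholder CVE IDs and product IDs, not real entries.
$Cvrf = [pscustomobject]@{
    ProductTree = @{ FullProductName = @(
        @{ ProductID = 'P-24H2'; Value = 'Windows 11 Version 24H2 for x64-based Systems' },
        @{ ProductID = 'P-23H2'; Value = 'Windows 11 Version 23H2 for x64-based Systems' }
    ) }
    Vulnerability = @(
        @{
            CVE   = 'CVE-2025-00001'                        # placeholder, not a real CVE
            Title = @{ Value = 'Constructed entry A' }
            Threats = @(
                @{ Type = 3; Description = @{ Value = 'Critical' };                             ProductID = @('P-24H2', 'P-23H2') },
                @{ Type = 1; Description = @{ Value = 'Publicly Disclosed:No;Exploited:No' };   ProductID = @('P-24H2', 'P-23H2') }
            )
            Remediations = @(
                @{ Type = 2; Description = @{ Value = '5063878' }; ProductID = @('P-24H2'); FixedBuild = '10.0.26100.4946' },
                @{ Type = 2; Description = @{ Value = '5063875' }; ProductID = @('P-23H2') }
            )
        },
        @{
            CVE   = 'CVE-2025-00002'                        # placeholder, not a real CVE
            Title = @{ Value = 'Constructed entry B' }
            Threats = @(
                @{ Type = 3; Description = @{ Value = 'Important' };                            ProductID = @('P-23H2') },
                @{ Type = 1; Description = @{ Value = 'Publicly Disclosed:Yes;Exploited:Yes' }; ProductID = @('P-23H2') }
            )
            Remediations = @( @{ Type = 2; Description = @{ Value = '5063875' }; ProductID = @('P-23H2') } )
        }
    )
}

# Constructed inventory: product string as it appears in the CVRF product tree, plus installed KBs.
$Inventory = @(
    [pscustomobject]@{ Name = 'ws-01'; Product = 'Windows 11 Version 24H2 for x64-based Systems'; InstalledKBs = @('KB5063878') }
    [pscustomobject]@{ Name = 'ws-02'; Product = 'Windows 11 Version 24H2 for x64-based Systems'; InstalledKBs = @() }
    [pscustomobject]@{ Name = 'ws-03'; Product = 'Windows 11 Version 23H2 for x64-based Systems'; InstalledKBs = @() }
)

function Get-CveExposure {
    param($Cvrf, $Inventory, [string[]]$Severity = @('Critical', 'Important'))
    $name = @{}
    foreach ($p in $Cvrf.ProductTree.FullProductName) { $name[$p.ProductID] = $p.Value }
    foreach ($v in $Cvrf.Vulnerability) {
        $sev = ($v.Threats | Where-Object { $_.Type -eq 3 } | Select-Object -First 1).Description.Value
        if ($Severity -notcontains $sev) { continue }
        $status = ($v.Threats | Where-Object { $_.Type -eq 1 } | Select-Object -First 1).Description.Value
        foreach ($r in ($v.Remediations | Where-Object { $_.Type -eq 2 })) {
            $kb = "KB$($r.Description.Value)"
            foreach ($id in $r.ProductID) {
                foreach ($h in $Inventory) {
                    if ($h.Product -eq $name[$id] -and $h.InstalledKBs -notcontains $kb) {
                        [pscustomobject]@{
                            Host = $h.Name; CVE = $v.CVE; Severity = $sev
                            Exploited = ($status -match 'Exploited:Yes'); Product = $name[$id]; MissingKB = $kb
                        }
                    }
                }
            }
        }
    }
}

# Exploited-in-the-wild first, then by severity: the order in which rings should be accelerated.
Get-CveExposure -Cvrf $Cvrf -Inventory $Inventory | Sort-Object Exploited, Severity -Descending | Format-Table -AutoSize
```

In practice the inventory comes from your CMDB or from `Get-HotFix` collected per host, and the product string is derived from the OS build (26100 maps to the 24H2 product entries). The join deliberately keys on the KB rather than on the CVE list alone, because on a combined SSU+LCU release a single missing KB accounts for every CVE in that product's row.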
Deployment and rollback considerations (administrators’ checklist)
- Stage: Use a multi‑ring deployment (pilot → broad) and monitor telemetry and crash‑rate metrics before mass rollout.
- SSU caution: Because the servicing stack is upgraded inside the combined package (KB5065381 inside KB5063878), remember that SSUs cannot be uninstalled separately. Validate rollback and offline image update procedures ahead of time. (support.microsoft.com)
- Copilot+ gating: AI component binaries are conditional and are simply skipped on hardware that is not Copilot+ eligible. Key compliance reporting on the LCU itself (KB5063878 / OS Build 26100.4946) rather than on the presence of the AI components, so that non‑eligible devices are not flagged as failed installs.
- Recovery controls: For organizations that require absolute control over what runs in WinRE, review Quick Machine Recovery settings and policy controls for Pro/Enterprise devices before enabling automatic remediation at scale. (bleepingcomputer.com)
- Secure Boot planning: Start the Secure Boot certificate transition program now — inventory, coordinate with OEMs for firmware updates, and test the end‑to‑end replacement process in lab conditions.
- Validate the combined package in a small pilot group (representative hardware/driver combos).
- Verify crash‑dump configuration and decide whether to opt for small dumps to benefit from faster restarts.
- Confirm SSU application and offline image servicing paths (DISM / WSUS catalogs).
- Test QMR behavior in a segregated pilot environment to validate policy and remediation trust paths.
- Monitor for post‑install regressions for 72 hours before opening to additional rings.
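The "confirm SSU application" and build-verification steps in the checklist can be scripted. The following PowerShell is an added example for this article, not Microsoft code: it compares a device's build family, UBR, installed hotfixes and servicing-stack package version against the expectations the article cites for 24H2 (KB5063878, 26100.4946, SSU 26100.4933). The 22621/22631 expectations are left unfilled for you to take from the KB5063875 release notes. Get-WindowsPackage is from the in-box Dism module; the `Package_for_ServicingStack_*` naming pattern used to find the SSU is an assumption from observed 24H2 systems. Run elevated.

```powershell
# Added example (not part of the article): verify the August combined package landed.
$Expected = @{
    '26100' = @{ KB = 'KB5063878'; UBR = 4946;  SSU = '26100.4933' }   # Windows 11 24H2 (article)
    '22631' = @{ KB = 'KB5063875'; UBR = $null; SSU = $null }          # 23H2: fill from the KB5063875 notes
    '22621' = @{ KB = 'KB5063875'; UBR = $null; SSU = $null }          # 22H2: fill from the KB5063875 notes
}

# Pure comparison, so it can be exercised offline against constructed device records.
function Test-AugustCompliance {
    param([string]$Build, [int]$Ubr, [string[]]$InstalledKBs, [string]$SsuVersion)
    $want = $Expected[$Build]
    if (-not $want) {
        return [pscustomobject]@{ Build = "$Build.$Ubr"; Status = 'UnknownBuildFamily'; Findings = @() }
    }
    $findings = @()
    if ($InstalledKBs -notcontains $want.KB)              { $findings += "$($want.KB) not reported by Get-HotFix" }
    if ($null -ne $want.UBR -and $Ubr -lt $want.UBR)      { $findings += "UBR $Ubr is below expected $($want.UBR)" }
    if ($want.SSU -and $SsuVersion -ne $want.SSU)         { $findings += "servicing stack $SsuVersion, expected $($want.SSU)" }
    $status = if ($findings.Count -eq 0) { 'Compliant' } else { 'NonCompliant' }
    [pscustomobject]@{ Build = "$Build.$Ubr"; Status = $status; Findings = $findings }
}

# Collects the live values on the local device and feeds them to the comparison.
function Get-LocalPatchState {
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $kbs = (Get-HotFix).HotFixID
    # Assumed naming: Package_for_ServicingStack_4933~<pubkey>~amd64~~26100.4933.1.0 ; keep the highest.
    $ssu = Get-WindowsPackage -Online |
        Where-Object PackageName -like 'Package_for_ServicingStack_*' |
        ForEach-Object { if ($_.PackageName -match '~(\d+\.\d+)\.\d+\.\d+$') { [version]$Matches[1] } } |
        Sort-Object -Descending | Select-Object -First 1
    Test-AugustCompliance -Build $cv.CurrentBuild -Ubr $cv.UBR -InstalledKBs $kbs -SsuVersion "$ssu"
}

# Offline exercise of the logic on constructed records (not real devices):
Test-AugustCompliance -Build '26100' -Ubr 4946 -InstalledKBs @('KB5063878') -SsuVersion '26100.4933'
Test-AugustCompliance -Build '26100' -Ubr 4000 -InstalledKBs @()            -SsuVersion '26100.1000'
# Live, on this device (or per ring via Invoke-Command -ComputerName ...):
# Get-LocalPatchState
```

The SSU check matters because a device can show the LCU as installed while the servicing stack lagged (for example after an offline image was serviced with an older SSU); surfacing the three findings separately tells you whether to re-run the combined package or to fix the image.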
Strengths, opportunities and risks — critical analysis
What Microsoft did well
- The August release ties UX polish with foundational engineering: the redesigned unexpected‑restart screen is backed by substantial changes in dump collection and recovery mechanics, which is the right approach rather than just a cosmetic refresh. (techcommunity.microsoft.com)
- Bundling SSU+LCU reduces installation sequencing problems and simplifies patching for many organizations. (support.microsoft.com)
- Quick Machine Recovery is an important operational feature that can dramatically reduce the human workload during widespread boot issues. It addresses a real pain point exposed by last year’s large outage. (bleepingcomputer.com)
- The conditional AI rollout (Copilot+ binaries only on eligible devices) is a pragmatic way to progress AI features without imposing them on legacy hardware.
Risks and open questions
- SSUs are effectively permanent; administrators must plan their rollback and recovery strategies carefully. A combined package can complicate emergency rollback if not rehearsed. (support.microsoft.com)
- Quick Machine Recovery’s power to fetch and apply remediations from WinRE is powerful but requires trust in the remediation pipeline. In tightly controlled environments this needs explicit policy and auditability before enabling automatic remediation. (blogs.windows.com)
- The Secure Boot certificate expiration program is a cross‑vendor and multi‑quarter operational project — organizations that delay planning risk having devices unable to receive pre‑boot updates or even failing to validate boot components. Proactive inventory and OEM coordination are essential.
- AI features remain gated by hardware, which creates heterogeneity in user experiences across an organization; change management and support teams need clear documentation to avoid confusion.
Quick reference: technical identifiers and install notes
- KB (24H2): KB5063878 — installs as OS Build 26100.4946. (support.microsoft.com)
- Bundled SSU: KB5065381 — servicing‑stack build 26100.4933 (included in combined package). (support.microsoft.com)
- Applicability: 24H2 feature updates and conditional Copilot+ AI components; KB5063875 is the companion combined package for 22621/22631 servicing families and contains parity security fixes but no 24H2 feature rollouts.
- How to get it: Windows Update and Windows Update for Business will distribute the package; offline MSU files are available in the Microsoft Update Catalog. If using WSUS or SCCM, ensure the correct product/classification settings are synchronized. (support.microsoft.com)
Post‑update troubleshooting and diagnostics
- If unexpected restart behavior appears after deployment, collect kernel and user dumps per your organization’s diagnostic policy and use the stop code shown on the black screen (still displayed in hex) to map issues quickly.
- For devices that do not boot correctly after update, QMR may enter WinRE and attempt remediation if enabled. If QMR is disabled or fails, follow established offline remediation workflows (WinRE tools, offline servicing via WinPE). (helpnetsecurity.com)
- If a device becomes unstable after Copilot‑related component installation, confirm hardware eligibility and review OEM drivers for pending updates. AI payloads install only on supported Copilot+ hardware and can be excluded in managed images to reduce variance.
Conclusion
August’s Patch Tuesday (KB5063878 for Windows 11, version 24H2) is more than a routine security rollup: it couples important servicing‑stack work and security fixes with targeted AI updates for Copilot+ hardware, a redesigned unexpected‑restart experience that reduces downtime, and a recovery mechanism (Quick Machine Recovery) designed to cut MTTR for widespread boot failures. These changes reflect a broader shift from purely reactive patching toward integrated resilience engineering — but they also introduce operational decisions for administrators around SSU permanence, QMR controls, and the Secure Boot certificate transition. Apply the update in staged rings, validate diagnostic and remediation settings, and start Secure Boot readiness planning now to avoid last‑minute disruption. (support.microsoft.com) (blogs.windows.com)