Microsoft has published the August 2025 non‑security preview update for Windows 11, version 24H2 — delivered as KB5064081 and shipping an updated servicing stack that identifies as OS Build 26100.5074 — packing a mix of staged AI features, UI polish, reliability fixes, and several enterprise‑facing changes IT teams must plan for now. eH2 servicing stream continues to use combined servicing‑stack + cumulative update packages and a staged feature delivery model where code is often shipped but features are turned on in waves (gradual rollout) to subsets of devices. That model reduces installation overhead and gives Microsoft control over exposure, but it also means what you see on a PC can depend on server‑side flags, hardware eligibility (for Copilot+ features), and region.
This preview package is explicitly non‑sq) intended for wider validation and pilot deployments ahead of mainstream servicing. It bundles an updated servicing stack (SSU) with the latest cumulative payload; SSUs are critical because they harden the update pipeline, but they are effectively permanent once applied — plan rollback strategies accordingly.
Key administrative realities to remember:
- Build numbering: the 26100 family identiersion 24H2 servicing lane.
- Staged enablement: many high‑visibility features are gradual rollouts and may not appear immediately.components: several AI binary updates install only on Copilot+ compatible hardware or when licensing (Microsomits.
What’s shipping in KB5064081 (high‑level summary)
This preview includes multiple consumer and enterprise items across feature surfaces and incipal, user‑visible additions are focused on AI integration, UI updates, and privacy controls; enterprise additions include Windows Backup for Organizations availability and a clear deprecation path for legacy components.Highlights:
- Recall: new personalized homepage showing Recent Snapshots, Top Apps and Websites, and a left navigation bar for Home/Timeline/Feedback/Settings; filters allow control of what is captured.
- Click to Do: now includes a first‑run interactive tutorial to demonstrate on‑screen AI actions for text and images.
- File Explorer AI actions: Right‑click cone image edits and a Summarize action that integrates Copilot and Microsoft 365 (Summarize requires appropriate Copilot/M365esigned permission dialogs**: when apps request location, camera, microphone, etc., the UI dims the screen and centers the prompt to improve clarity.
- Taskbar and Search improvements: larger clock wiation center, grid image view for taskbar search, clearer indexing status messages.
- Windows Hello / Passkeys: modernized Windows Hello visuals and passacross sign‑in surfaces.
- Task Manager: switch to industry‑standard CPU workload metrics across pages with an optional legacy CPU Utility column for usersous metric.
- Windows Backup for Organizations: promoted to general availability for enterprise backup and restore Shell 2.0 removal: Windows 11, version 24H2 will no longer include Windows PowerShell 2.0 as of August 2025 — administrators should migrate scripts or keep legacy hosThe update also refreshes several AI component binaries** that are targeted at Copilot+ devices; these components arenot install on every Windows PC.
Deep dive: Consumer‑facing features that matter
Recall and productivity snapshots
Recall is being repositioned as a personalized productivity hub thaand the apps/websites you use most, helping users resume tasks faster. The new UI places Recent Snapshots and Top Apps and Websites front and center, with filters in Settings tred. This addresses a long‑standing need for integrated task resumption, but it also raises privacy questions about what activity is captured and where that metadata is stored.Click to Do and in‑place AI actions
Click to Do gains an onboarding tutorial and tighter integration for common actions (summarize text, remove image backgrounds, etc.). These on‑device experiences accelerate common tasks without leaving the desktop. Where actions require cloud processing or Copilot integration, Microsoft’s licensing model (Microsoft 365 / Copilot) may appluld verify licensing entitlements if they plan to enable these flows for users.File Explorer AI: convenience vs. control
Surface‑level AI actions in File Explorer (image edits, Visual Search, Summarize) are a meaningful productivity boost. The Summarize action explicitly depends on Microsoft 365/Copilot availability, and some AI features are gated to Copilot+ hardware. This is a high‑impact place to watch for user confusion (why a feature appears for one user but not anot).UI and privacy dialogs
The redesigned capability prompts (dim screen + centered dialog) are a straightforward usability improvement that reduces accidental consent. The privacy story is reinforced elsewhere — Settings now includes a Text and Image Generation page that lists third‑party apps that have recently called the OS‑level generative models and allows admins/users to toggle their access. This is one of thacing controls for on‑device generative AI usage and will be important for privacy‑conscious organizations.Enterprise changes and administration implications
Windows Backup for Organizations (GA)
Microsoft has advanced Windows Backup for Organizations to general availability in this update, offering enterprise backup and restore workflows intended to minimize downtime during device transitions and upgrades. This feature is positioned as an enterprise continuity tool and will matter to IT teams performing large refresh projects llouts. Evaluate the solution against existing backup/MDM strategies and pilot at scale before mass adoption.PowerShell 2.0 removal
The legacy Windows PowerShell 2.0 component, introduced in the Windows 7 era and deprecated since 2017, is being removed from the Windows 11 24H2 image starting in August 2025. Most modern automation targets PowerShell 5.1 or PowerShell 7.x, but organizations with legacy scripts or third‑party tools must identify and update those dependencies now to avoid disruption. Inventory and remediation are recommended.Secure Boot ce a hard date to plan for
Microsoft warns that Secure Boot certificates used by most Windows devices are set to expire starting in June 2026, and that failing to update certificates could affect Secure Boot validation and prevent certain devices from booting securely. This is a hard operational dependency requiring cross‑team coordination: firmware vendors, OEMs, internal imaging, and security teams must be involved. Start inventorying Secware/UEFI versions, and coordinate certificate/CA updates now.Reliability fixes and bug patches (selected)
This preview addresses a broad range of quality issues across input, file systems, and subsystems:- Resilient File System (ReFS): fixes memory exhaustion when backup apps work with large files.
- IME fixes: Chinese Simplified IME extended character rendering and other IME issues (touch keyboard, Changjie/Bopomofo/Japanese IMEs) are addressed.
- Windows Hello improvements: facial and fingerprint recognition reliability enhancements and a refr Audio and Miracast: fixes for audio dropping after casting and an underlying audio service failure that could stop audio.
- dbgcore.dll and explorer.exe: fixes to prevent crashes tied to dbgcore.dll and Kerberos cloud file share access.
Known issues at watch
This update’s release notes call out several known issues and ongoing investigations that warrant attentiveness nt.CertEnroll / Event ID 57 (Pluton cryptographic provider)
After July/August preview and cumulative updates, some devicevent ID 57 from CertificateServicesClient: “The ‘Microsoft Pluton Cryptographic Provider’ provider was not loaded befailed.” Microsoft characterizes this as a cosmetic log entry* that does not affect Windows functionality; no action is required for most customers. However, nrigger alerts and waste troubleshooting cycles — treat this as a monitoring and alert‑tuning checklist item.Caution: if your environment uses automated monitoring that escalates on any* error‑level event, add an exception or correlation rule for this specific Event ID to avoid false positives while Microsoft issues a permanent fix.
Network Device Interface (NDI) streaming regression
Following the August security update rollout, some users reported delays or uneven audio/video performance when using Network Device Interface (NDI) to stream feeds between PCs — particularly when Display Capture is used on the source PC. This affects apps like OBS Studio and NDI Tools. The recommended workaround is to change the NDI Receive Mode to use TRon and support pages describe the steps. Microsoft and NDI are investigating. If your organization uses NDI for real‑time production or broadcasts, test the updated builds on dedicated encoder/decoder hardware before rollout.regression (August security rollup)
Earlier in August, Microsoft acknowledged a critical regression in the August 12 security rollup that prevented some Reset my PC, Fix problems using Windows Update, and remote wipe flows from completing. Microsoft released out‑of‑band fixes (OOB cumulative updates such as KB5066189 for affected branches) to restore these recovery flows. If you depend on Reset/RemoteWipe for device lifecycle operations, confirm whether your systems applied the OOB remediations and validate recovery flows in your pilot ring.
Reports of disappearing storage after heavy writes (unverified, mixed telemetry)
Community reports surfaced about storage devices (somdwrite operations post‑update. These reports are mixed and not confirmed at scale; Microsoft investigated and advised administrators to follow official guidance and remediation paths. Until a confirmed, reproducible root cause is published, treat these reports as unverified and prioritize representative testing of storage‑heavy workloads in lab before mass rollout.Technical verification and installation mechanics
This preview is supplied as a combined package that includes a Servicing Stack Update and LCU elements. Microsoft documents the principal installatid Update for Business (Optional updates area for preview KBs).- Use DISM to apply locally downloaded MSU files together (put all MSUs in one folder and run DISM /Online /Add‑Package /PackagePath:<path>) or apply them individually in the order specified. The KB includes exact DISM and PowerShell Add‑WindowsPackage examples. Note that using WUSA to uninstall the combined SSU+LCU package will not remove the SSU; to remove the LCU you must use DISM /Remove‑Package with the LCU package name.
- Record your (out). Confirm target KB and SSU applicability.
- Ensure backups and recovery images are current; test a restore on a lab machine.
- Pilot in a small ring that mirrors production — include devices with Copilot+ hardware, domain-joined systems, and devices that perform critical tasks (NDI encoders, recovery Reset/Recovery flows after patching if you manage fleets relying on RemoteWipe/Reset.
- Audit scripts for PowerShell 2.0 dependence; convert or ensure compatibility with PowerShell 5.1/7.x.
Security, privacy, and compliance analysis
Secure Boot certificate expiry: operational risk
The announced Secure Boot certificate expiration window beginning in June 2026 is the most pressing multi‑year operational task updates. If OEMs/IT do not update relevant certificate authorities or firmware, affected devices could fail Secure Boot checks or fall into unsuppo paths. This is not a speculative risk — it is a scheduled expiry that needs planning. date coordination, and imaging policy updates should be completed well before June 2026.Data capture and generative AI controls
Features like Recall and system‑level generative tions:- Where is snapshot metadata stored and how long is it retained?
- Which apps can call theve models, and are those calls auditable?
Passkeys and Windows Hello UX
The new, cleaner passkey flows and Windows Hello visuals improve usability, but changes to authentication surfaces require validation with single sign‑on products, conditional access policies, and legacy credential stores. Plan pilot testing with SSO/IdP integrations.Deployment recommendations (practical playbook)
- Star (50–200 devices) that includes the following device types: Copilot+ hardware, standard corporate devices, lab machines used for imaging and recovery, and any machines that perform media streaming or NDI tasks. Validate major workflows: login, SSO, passkeys, backup/restore, Reset/RemoteWipe, video capture/streaming, and storage‑heavy backups.
- Tighten monitoring rules to avoid noise from known cosmetic errors (Event ID 57): either exclude that event from PagerDuty/alerting or add context to your runbooks so alerts are triaged appropriately.
- For production rollout, stage via Update rings (pilot → broad pilot → defineand use WSUS/Windows Update for Business to control exposure and deadline enforcement.
- If you use automated management or imaging, update your deployment images and test out‑of‑box flows after applying the combined SSU+LCU; SSU permanence complicates rollbacks. Keep a tested offline image that you canies.
- For organizations using Copilot/Microsoft 365 licensing features, coordinate licensing checks and confirm feature gating (some AI features will not appear unless licensing and hardware conditions are met).
What to watch next (monitoring & verification)
- Microsoft’s follow‑up guidance on the Secure Boot certificate program (firmware vendor bulletins, OEM toolkits). Begin tracking OEM firmware updates now.
tnt ID 57) and whether Microsoft issues a remediation or offers an official advisory to suppress the cosmetic entry. - NDI / streaming telemetry and any Microsoft hotfixes if broadcasters report continlow vendor guidance from NDI/OBS regarding Receive Mode.
- Any follow‑up to the storage disappearance reports; these were mixed and require corroboration across vendor telemetry beforrisk. Treat these as unverified until further notice.
Strengths, weaknesses, and an editorial assessment
Strengths
- The release continues a pragmatic pattern: ship underlying code, then enable features in a controlled, staged falast radius for regressions and allows Microsoft to iterate on UX and compatibility.
- New user controls for generative AI (Text and Image Generation settings) and redesigned privacy prompts are concrete prat give users and admins more visibility and control.
- Enterprise features such as Windows Backup for Organizations moving to GA and servicing stack updates that harden the update pipeline are strong operatiifecycle management.
Weaknesses / Risks
- The staged enablement model can create visibility and support confusion where two identical machines behave diff troubleshooting and documentation for help desks.
- Cosmetic but noisy logs (CertEnroll Event ID 57) can produce alert fatigue and misdirect resources unless moni The Secure Boot certificate expiry is a looming, time‑bound operational task that demands cross‑organizational effort; failure to plan risks boot failures and extended downtime for unmanaged devices.
- Conditional AI components and hardware gating (Copilot+ dependency) create a two‑tier experience that complicates helpdesk scripts, endpoint documentation, and user expectations.
Final verdict and steps for IT leaders
KB5064081 is a significant preview milestone for Windows 11, version 24H2: it packages progressive AIs meaningful enterprise tooling, and addresses a wide set of reliability issues — but it also surfaces operational caveats that deserve attention. The most urgent items for IT leaders are:- Begin id remediation planning for the Secure Boot certificate expiry (June 2026). Treat this as an enterprise‑wide project with firmware/OEM coordination.
- Pilot KB5064081 in a representative ring and verify Reset/Recovery, backup/restore, and streaming (NDI) workflows before wider deployment.
- Review and remediate any reliance on PowerShell 2.0. Convert legacy tooling to PowerShell 5.1/7.x or isolate legacy hosts.
- Tune monitoring to avon cosmetic events (Event ID 57) while preserving security sensitivity.
Conclusion
This August previ of how modern Windows servicing balances continuous feature delivery with risk mitigation. It advances productivity through AI‑driven integrations and tightens privacy controls, while also exposing classic operational fault lines — firmware and certificate lifecycles, backward compatibility with legacy scripting, and the complexity of staged rollouts. Treat KB5064081 as a high‑priority pilot candidate: test broadly, validate recovery and streaming scenarios, inventory and remediate legacy dependencies, and begin work now on Secure Boot co avoid a rushed, high‑risk migration next year.
Source: Microsoft - Message Center August 29, 2025—KB5064081 (OS Build 26100.5074) Preview - Microsoft Support
Last edited by a moderator: