Here is a summary of the update described in the Microsoft Support KB article for KB5062688 (Safe OS Dynamic Update for Windows 11, version 24H2 and Windows Server 2025, released July 8, 2025):

'Windows 11 24H2 & Windows Server 2025 KB5062688 Update Enhances Recovery & Security'

Summary

  • This update improves the Windows recovery environment (WinRE) for Windows 11 24H2 and Windows Server 2025.
  • It fixes an issue where USB-C was not working correctly on Arm64-based devices due to a missing UCMUCSI device.

Important Notice: Secure Boot Certificate Expiration

  • Secure Boot certificates for most Windows devices will start expiring in June 2026.
  • If not updated, this could prevent some devices from booting securely.
  • Action is strongly recommended to update certificates in advance. (See Windows Secure Boot certificate expiration and CA updates for guidance.)

How to Get This Update

  • Windows Update: Downloaded and installed automatically.
  • Update Catalog: KB5062688 in Microsoft Update Catalog — includes instructions for manual installation and adding to WinRE.
  • WSUS/SCCM: Will sync automatically if you select the correct products and classification ("Windows 11" and "Update" for 24H2; "Microsoft Server operating system-24H2" and "Update" for Server 2025).

Update Details

  • Prerequisites: None.
  • Restart required: No.
  • Removal: Cannot be removed after being applied.
  • Replaces: KB5060843.
  • Verification: After installing, WinRE version should be 10.0.26100.4648.

How to Verify Installation

Several methods are described (including a PowerShell script, checking Event Viewer, or using DISM) to confirm the installed WinRE version.

File Information

Lists detailed file versions for all supported platforms (Windows 11 24H2 and Windows Server 2025).

For details, remediation steps, and scripts, see the original article.

Source: Microsoft Support KB5062688: Safe OS Dynamic Update for Windows 11, version 24H2 and Windows Server 2025: July 8, 2025 - Microsoft Support
 

'Microsoft Releases KB5062688 Update for Windows 11 24H2 & Windows Server 2025 Enhancing Recovery & Security'

Microsoft has released the KB5062688 Safe OS Dynamic Update for Windows 11, version 24H2, and Windows Server 2025, dated July 8, 2025. This update enhances the Windows Recovery Environment (WinRE), ensuring a more robust and secure recovery process.

Key Highlights:

  • Windows Secure Boot Certificate Expiration: Microsoft emphasizes the impending expiration of Secure Boot certificates starting in June 2026. To maintain secure boot functionality, users are advised to update their certificates promptly. Detailed guidance is available in Microsoft's official documentation.
  • Update Details: The KB5062688 update focuses on improving the Windows recovery environment, enhancing system stability and security during recovery operations.

Installation Information:

  • Availability: The update is accessible through Windows Update and will be downloaded and installed automatically.
  • Prerequisites: There are no prerequisites for this update.
  • Restart Requirements: A system restart is not required after applying this update.
  • Removal Information: Once applied, this update cannot be removed from the Windows image.
  • Update Replacement: This update replaces the previously released KB5059693.

Verifying Installation:

To confirm the successful installation of this update, users can check the WinRE version on their device. After installation, the WinRE version should be 10.0.26100.4187.

Methods to Verify WinRE Version:

  • Using PowerShell Script:
    Microsoft provides a PowerShell script named "GetWinReVersion.ps1" to retrieve the installed WinRE version. Running this script with administrative privileges will display the current WinRE version.
  • Viewing WinREAgent Servicing Event:
      • Open the Event Viewer.
      • Navigate to Windows Logs > System.
      • Use the "Find" function to search for "WinREAgent."
      • Look for Event ID 4501 indicating a successful servicing event.
  • Using DISM Command:
      • Open Command Prompt with administrative privileges.
      • Execute the following command:
        dism /image:C:\ /get-packages | findstr /i winre
      • This command will display the installed WinRE package and its version.

Additional Resources:

  • Windows Secure Boot Certificate Expiration: For comprehensive information on the Secure Boot certificate expiration and steps to update, refer to Microsoft's official guidance.
  • Update Windows Installation Media with Dynamic Update: To learn more about updating Windows installation media with Dynamic Updates, visit Microsoft's Learn platform.

Staying updated with the latest Safe OS Dynamic Updates is crucial for maintaining the security and stability of Windows systems. Regularly applying these updates ensures that the recovery environment remains effective and resilient against potential issues.

Source: Microsoft Support KB5062688: Safe OS Dynamic Update for Windows 11, version 24H2 and Windows Server 2025: July 8, 2025 - Microsoft Support
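
The verification steps summarized in this thread can be combined into one check. The script below is an added example, not Microsoft's GetWinReVersion.ps1 and not part of either post; it reads the version from the WinRE image itself with reagentc and DISM and looks up the WinREAgent event 4501 mentioned above. The expected version is a parameter because the two posts quote different values, so take it from the KB article. It assumes English-language tool output and an enabled WinRE.

```powershell
# Added example; not Microsoft's GetWinReVersion.ps1. Run from an elevated prompt.
# Assumes English-language reagentc/DISM output and an enabled WinRE.
param(
    # Expected WinRE version, taken from the KB article (parameter name is illustrative).
    [Parameter(Mandatory)][version]$ExpectedVersion
)

# Return the first capture group of the first line matching $Pattern, or fail loudly.
function Get-Field([string[]]$Lines, [string]$Pattern, [string]$What) {
    $m = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if (-not $m) { throw "Could not read $What from tool output." }
    $m.Matches[0].Groups[1].Value.Trim()
}

# 1. Ask reagentc where the recovery image lives (the field is empty when WinRE is disabled).
$location = Get-Field (reagentc.exe /info) 'Windows RE location:\s*(\S.*)$' 'WinRE location'
$wim = $location.TrimEnd('\') + '\winre.wim'

# 2. Read the image metadata. The image's line is "Version : x" (space before the colon);
#    the DISM banner prints "Version: x" for the tool itself, which \s+ deliberately skips.
$meta  = dism.exe /Get-ImageInfo "/ImageFile:$wim" /Index:1
$base  = Get-Field $meta '^Version\s+:\s*([\d.]+)' 'image version'
$build = Get-Field $meta '^ServicePack Build\s*:\s*(\d+)' 'service pack build'
$installed = [version]"$base.$build"

# 3. Most recent WinREAgent servicing event (ID 4501) in the System log.
$event4501 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4501 } -ErrorAction SilentlyContinue |
    Where-Object ProviderName -like '*WinREAgent*' | Select-Object -First 1

# Emit one object so the result can be collected across a fleet.
[pscustomobject]@{
    WinREImage       = $wim
    InstalledVersion = $installed
    ExpectedVersion  = $ExpectedVersion
    UpToDate         = $installed -ge $ExpectedVersion
    LastServicedAt   = if ($event4501) { $event4501.TimeCreated } else { $null }
}
```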
 
