Windows 11 KB5063878 0x80240069: WSUS/SCCM Fails and KIR Rollback

Microsoft has confirmed that the August 12, 2025 cumulative update for Windows 11 version 24H2 (KB5063878, OS Build 26100.4946) is failing to install on enterprise-managed devices when delivered via WSUS and SCCM, producing the Windows Update error code 0x80240069; Redmond is rolling a temporary Known Issue Rollback (KIR) and published guidance for IT administrators while engineers prepare a permanent servicing fix. (support.microsoft.com) (neowin.net)

Background​

Microsoft issued the August 12, 2025 cumulative security update identified as KB5063878 for Windows 11, version 24H2 (OS Build 26100.4946). The package is a combined Servicing Stack Update (SSU) plus Latest Cumulative Update (LCU), and contains routine security and quality fixes as well as updates to several AI components. The update is published through regular channels: Windows Update, Microsoft Update Catalog, and on-premises distribution via WSUS and Configuration Manager (SCCM/MECM). (support.microsoft.com)
Within hours of broad rollout, IT teams in some organizations began reporting that clients managed through WSUS/SCCM were failing to download or stage the update and logging a recurring error: “Unexpected HRESULT while download in progress: 0x80240069 WUAHandler.” Event logs captured the Windows Update host process (svchost.exe_wuauserv) terminating unexpectedly, with faulting module entries referencing ntdll.dll. The failure pattern is strongly tied to the managed-update code paths used by WSUS and SCCM rather than consumer devices that fetch updates directly from Microsoft Update. (windowslatest.com) (bleepingcomputer.com)

---

What is failing (symptoms and diagnostic fingerprint)​

The primary symptom set​

• WSUS/SCCM-managed clients show a “Download error” or “Failed to install” for KB5063878, with error code 0x80240069 visible in Software Center or the Windows Update logs. (windowslatest.com)
• Event Viewer entries contain the text: “Unexpected HRESULT while download in progress: 0x80240069 WUAHandler” and often show the Windows Update host service (wuauserv) terminating. (windowslatest.com)
• Crash dumps and faulting module lines often point to ntdll.dll and exception codes such as 0xc0000005. (windowslatest.com)

Where this tends to happen​

• The failures are consistently reproduced when devices obtain the update via on-premises management tooling (WSUS/SCCM/MECM), but the same package frequently installs successfully when a client downloads it directly from Microsoft Update or the Microsoft Update Catalog. This distinction suggests the problem lives in the enterprise delivery negotiation, metadata or variant-handling path rather than in the binary payload itself. (windowslatest.com) (borncity.com)

Ancillary log noise​

• Some administrators also reported cosmetic Event Viewer entries related to CertificateServicesClient-CertEnroll (Event ID 57) complaining about the Pluton Cryptographic Provider initialization. Microsoft characterized these particular logs as benign in the immediate term but advised monitoring and careful filtering rather than wholesale suppression. (borncity.com)

---

Why this matters to enterprise IT​

Modern enterprises rely on WSUS and MECM/SCCM to control update approvals, pacing, and compliance reporting. A delivery-path-only regression that prevents installation through those channels puts IT teams in a difficult operational position:

• Pause approvals and delay patching across hundreds or thousands of endpoints, or
• Deploy a targeted mitigation that restores delivery while preserving the applied security fixes, or
• Manually install the update on small sets of critical machines (labor-intensive and hard to audit).

The choice has immediate security and compliance trade-offs—deferring a security rollup risks exposure, while broad manual interventions add operational overhead and potential audit friction. Community reporting and enterprise telemetry show that the issue is environment-dependent and can amplify when organizations approve the update across large rings.

---

Likely technical root cause (working theory)​

Multiple independent investigations and Microsoft support traces converge on a leading hypothesis: the Windows Update Agent (WUA) is entering a variant selection or feature-management code path during WSUS/SCCM negotiations and encountering malformed or unexpected metadata that triggers a crash in the handler. In simple terms:

• Modern servicing supports variant payloads and feature rollouts that let Microsoft tailor payloads to device characteristics.
• WSUS and SCCM introduce additional metadata and approval steps which exercise WUA code paths not used by direct Microsoft Update clients.
• Under some payload/metadata conditions a variant-selection bug causes WUA to crash, and the update download/handler aborts, producing 0x80240069.

This explanation is consistent with the environment-specific nature of the failures and with the presence of crash fingerprints in the Windows Update host process. It is a working theory supported by community reproductions and Microsoft’s mitigation strategy (KIR), but Microsoft has not yet published a full post‑mortem at the time of writing. Treat the variant-selection diagnosis as the best available explanation, not an absolute root-cause postmortem. (borncity.com)

---

Microsoft’s response: Known Issue Rollback (KIR) and guidance​

Microsoft has acknowledged the delivery failures affecting enterprise-managed deployments of KB5063878 and is distributing a temporary mitigation via the Known Issue Rollback (KIR) mechanism. The KIR is intended to neutralize the specific behavioral change that’s triggering the crash without uninstalling the LCU/SSU security fixes themselves. Key points:

• Microsoft released a KIR policy package (delivered as an MSI that installs ADMX/ADML templates) that admins can deploy via Group Policy or Intune to apply the rollback across managed devices. Third‑party reports and Microsoft guidance identify the package label for 24H2 as a policy named along the lines of “Windows 11 24H2 and Windows Server 2025 KB5063878 250814_00551 Known Issue Rollback.” (neowin.net) (borncity.com)
• Microsoft is applying KIR to enterprise-managed devices where Microsoft controls the update flow and will ship a permanent servicing fix in a future cumulative update; once the permanent fix is available the KIR should be removed. (neowin.net)
• Redmond’s KB page for KB5063878 lists the package details and build number (OS Build 26100.4946) and remains the authoritative place to check file manifests and package contents; the Release Health dashboard and KIR rollout notes are the dynamic sources for mitigation status. (support.microsoft.com)

Note: the Microsoft KB page for the update may not list the WSUS delivery issue in the static KB content at the exact time you read it; the company’s Release Health entries and KIR documentation are the places Microsoft typically posts operational mitigations. Independent technology outlets also reported Microsoft’s acknowledgement and the availability of a Group Policy–deployed KIR package. (bleepingcomputer.com) (windowslatest.com)

---

Immediate mitigation options for administrators​

IT teams have three practical, widely documented options to resolve the failure quickly. Each has trade-offs; choose based on scale, compliance posture, and change-management constraints.

Option 1 — Deploy Microsoft’s Known Issue Rollback (recommended for most enterprises)​

• Download and run the KIR MSI on your Group Policy management workstation (or ingest the ADMX into Intune). The MSI installs Administrative Template definitions for the rollback policy. (neowin.net)
• Configure and apply the corresponding Group Policy object: Computer Configuration → Administrative Templates → [KIR policy node for KB5063878]. Target the policy using OU scoping or WMI filtering to apply only to affected rings.
• Reboot pilot machines to confirm the policy takes effect. If pilot validation shows success, roll out to the broader estate.

Benefits: minimal surface area change, centrally managed through GPO/Intune, reversible when Microsoft ships the permanent fix. Risks: management of the KIR lifecycle (remember to remove the policy after remediation), and administrative complexity at scale.

Option 2 — Registry-based Feature Management override (fast but blunt)​

• Community and support staff documented a registry override that forces Feature Management to bypass the problematic variant for a specific feature ID. Example registry snippet used by responders:
  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\8\3000950414]
  "EnabledState"=dword:00000001
  "EnabledStateOptions"=dword:00000000
  "Variant"=dword:00000000
  "VariantPayload"=dword:00000000
• The same change can be deployed at scale via PowerShell (New-Item/New-ItemProperty) or via Configuration Manager scripts; a reboot is required. (windowslatest.com)

Benefits: immediate, scriptable, useful for small to medium estates that can push signed scripts quickly. Risks: it’s a blunt instrument that can suppress legitimate variant deliveries, harder to audit and rollback than a centrally managed GPO, and must be removed once Microsoft issues the permanent fix.

Option 3 — Manual install from Microsoft Update Catalog (stopgap for critical systems)​

• For a small set of high-value machines that cannot wait, download the MSU/CAB from the Microsoft Update Catalog and install locally (wusa.exe or DISM /Add-Package). This bypasses WSUS negotiation and, in many reported cases, succeeds where WSUS delivery fails. (windowslatest.com)

Benefits: targeted recovery for critical assets without changing group policy. Risks: doesn’t scale, breaks centralized compliance/patch reporting if not documented; labor- and audit-intensive.

---

Step-by-step deployment checklist (practical playbook)​

• Immediately check your test/pilot ring for fingerprints:
• Confirm OS build with winver and compare to 26100.4946. (support.microsoft.com)
• Collect Event Viewer logs from failing clients (search for “0x80240069” and “WUAHandler”). (windowslatest.com)
• Pause automatic WSUS approvals for KB5063878 in non‑critical rings until you’ve validated a mitigation path. This reduces the blast radius.
• If failures are widespread, deploy KIR MSI via GPO/Intune to a pilot OU and reboot the test endpoints. Validate repair of the download/install flow. (neowin.net)
• If a KIR MSI is not available in your environment, test the registry override on a small pilot and document rollout and reversion scripts. Use signed scripts and Configuration Manager as appropriate.
• For critical systems that must be patched immediately and cannot wait for broad mitigation, use manual installation from the Microsoft Update Catalog and keep strict records for compliance. (borncity.com)
• Monitor Microsoft’s Windows Release Health dashboard and the KB article for the permanent fix and detailed KIR lifecycle instructions; once Microsoft ships the correction, remove the KIR or registry overrides and validate normal update behavior. (support.microsoft.com)

---

Risks, trade-offs and governance considerations​

• Security vs. availability trade-off: Pausing approvals immunizes your estate from the WSUS delivery regression but leaves endpoints unpatched for the vulnerabilities addressed by KB5063878. Consider a hybrid approach: KIR + targeted manual installs for the most critical servers.
• Policy lifecycle management: KIRs are temporary. Leaving a rollback in place past the point Microsoft releases the permanent fix may block future variant deliveries unintentionally. Maintain runbooks and automated cleanup tasks to remove KIR policies when safe. (neowin.net)
• Change control and auditability: Registry overrides are fast but less auditable than GPO/Intune deployments. Use signed scripts, CMDB records, and change approvals to avoid confusing compliance reports.
• Event log noise: Cosmetic Event Viewer messages (e.g., CertEnroll Event ID 57) can create SIEM noise. Filter but do not suppress certificate-related logs globally in compliance-sensitive environments until the root cause is fully corrected. (borncity.com)

---

How this compares to past incidents — a worrying recurrence​

This WSUS-only 0x80240069 pattern is not new. A near-identical failure surfaced in April–May 2025 when a servicing regression disrupted WSUS deliveries to Windows 11 24H2; Microsoft issued a KIR and later shipped a servicing patch to permanently fix the issue. The reappearance in August suggests persistent fragility in variant/feature gating and in how variant metadata interacts with enterprise delivery paths. Repeat regressions in the same subsystem erode confidence in update reliability for larger organizations and underscore the need for realistic pilot rings that mirror production WSUS/SCCM flows. (bleepingcomputer.com)

---

Practical recommendations — an operational checklist​

• Maintain a conservative, representative pilot ring that mirrors production WSUS/SCCM flows; do not rely solely on consumer Windows Update testing for enterprise assurance.
• Favor Microsoft’s KIR MSI + GPO/Intune ingestion when available—this is the least invasive, most auditable fix for large estates. (neowin.net)
• If using registry overrides as a last resort, automate both deployment and reversion steps, document the change thoroughly, and apply only to small, validated pilot OUs before enterprise‑wide rollout.
• Keep incident response and SIEM teams informed; make careful choices about event filtering to avoid masking real certificate or system problems while suppressing known cosmetic logs. (borncity.com)
• After Microsoft releases the permanent servicing fix, remove temporary KIRs and registry overrides and validate update flows before approving future cumulative updates broadly. (neowin.net)

---

Final analysis — strengths and weaknesses in Microsoft’s approach​

Strengths:

• KIR is effective: Known Issue Rollback provides a surgical mitigation that preserves applied security patches while neutralizing a single problematic behavior—this reduces blast radius and allows organizations to keep most protections in place. (neowin.net)
• Reasonable guidance: Microsoft and community sources provide multiple remediation paths (KIR, registry override, manual catalog install), giving administrators options that match their risk posture and operational scale.

Weaknesses and risks:

• Recurring regressions: The recurrence of the WSUS delivery regression suggests fragility in variant/feature-gating logic and in testing coverage for enterprise delivery paths. Regressions like this complicate life for large-scale fleet operators who need predictable, auditable patching cycles. (bleepingcomputer.com)
• Operational friction: Rapid emergency mitigations place heavy operational burdens on IT teams—especially those that must maintain strict change control and audit trails. The need to test and then remove KIRs increases lifecycle complexity.

---

Conclusion​

The August 12, 2025 Windows 11 cumulative update (KB5063878, OS Build 26100.4946) addresses important security and quality issues, but a delivery-path regression that affects WSUS and SCCM-managed clients has surfaced and is preventing installations with error 0x80240069. Microsoft’s known-issue-rollback mechanism offers a pragmatic, managed path to containment, and administrators now have three pragmatic choices—deploy the KIR via Group Policy/Intune, apply a targeted registry override, or perform manual catalog-based installs for critical systems—each with clear trade-offs. The incident underscores two persistent truths for enterprise operations: test on realistic, production-like update paths, and retain disciplined runbooks for emergency mitigations and their removal. Keep monitoring Microsoft’s Release Health guidance and the KB signposts for the permanent fix, and plan for a controlled removal of any temporary remediation once Redmond publishes the corrected servicing update. (support.microsoft.com) (neowin.net)

---

Source: heise online Microsoft: Windows 11 updates for August via WSUS fail