Microsoft’s August non‑security preview for Windows 11, version 24H2—KB5064081 (OS Build 26100.5074)—arrived Friday packing a suite of staged AI features, the general availability of Windows Backup for Organizations, and a critical heads‑up: Secure Boot certificates used by most Windows devices are set to expire starting June 2026. Delivered as a combined servicing stack update (SSU) and cumulative update, the package continues Microsoft’s pattern of shipping underlying code and then exposing features gradually. That model gives IT teams early validation time but demands careful piloting and awareness of hardware gating, licensing checks, and operational caveats that can make two supposedly identical machines behave differently.

What’s inside KB5064081

The update targets all editions of Windows 11 24H2 and is available via Windows Update (as an optional preview), the Microsoft Update Catalog, and Windows Server Update Services. Because the SSU is bundled, administrators should note that removing the cumulative payload does not uninstall the servicing stack; rollback planning must account for that permanence. Microsoft documents two installation paths: using DISM to apply all .msu files from a single folder, or installing them individually in a strict order (first the standalone SSU, then the LCU). The second method mirrors the classic sequence, while the first lets DISM resolve dependencies automatically.

The feature list is broad. On the consumer side, four AI‑centric additions stand out, alongside a clutch of UI refinements and privacy controls. For enterprises, the headline items are the GA of Windows Backup for Organizations, the removal of PowerShell 2.0, and the Secure Boot certificate expiry warning. Many of the high‑visibility consumer features—Recall, Click to Do, File Explorer AI actions—are gradual rollouts that may not appear immediately after patching. Others, like the redesigned privacy prompt dialogs and the new Settings page for generative‑model permissions, are baseline changes activated without server‑side flags.

Consumer AI features: Recall, Click to Do, and File Explorer

Recall is being repositioned as a personalized productivity hub rather than a pure search tool. The updated interface shows Recent Snapshots and Top Apps & Websites on a new home page, with a left navigation bar to switch between Home, Timeline, Feedback, and Settings. Filters in Settings let users control what categories of activity are captured, addressing some of the original privacy backlash. Snapshots and metadata stay on‑device, but organizations with strict data‑residency policies will still want to review exactly what gets stored and for how long.

Click to Do now includes a first‑run interactive tutorial that walks users through its on‑screen actions for text and images. Tasks like summarising a paragraph, removing an image background, or triggering Visual Search become more discoverable. Where an action requires cloud processing—such as the Summarize integration with Microsoft 365 Copilot—licensing and network connectivity must be in place. IT teams should verify that users who will lean on these flows have the appropriate Microsoft 365 or Copilot entitlements.

File Explorer gains right‑click AI actions for images (background removal, Visual Search) and a Summarize command that calls Copilot. The Summarize action explicitly depends on Microsoft 365/Copilot availability and is gated to Copilot+ hardware, meaning users on traditional x86 PCs won’t see it. This hardware gating risks confusion at the help desk unless the support team is briefed on which features require a neural processing unit.

UI polish and privacy dialogs

Capability prompts for location, camera, microphone, and other sensors now dim the screen and center the dialog. The change makes it harder to accidentally grant permission and easier to focus on the request. A new “Text and Image Generation” page in Settings lists third‑party apps that have recently called the operating system’s generative models, with per‑app toggles to block access. This is the first system‑level transparency dashboard for on‑device AI, a concrete privacy win. Taskbar and search improvements include a larger clock, a grid image view for taskbar search results, and clearer indexing status messages.

Windows Hello and passkeys receive a visual refresh across sign‑in surfaces, and passkey flows have been streamlined. Cleaner UI is welcome, but any change to the authentication surface requires validation with single sign‑on products and conditional access policies. Pilot testing should explicitly cover passkey registration and Windows Hello re‑enrollment.

Task Manager adopts industry‑standard CPU workload metrics across its pages, with an optional “Legacy CPU Utility” column for those who prefer the older measurement. The switch aligns Windows with how other monitoring tools report processor load, reducing confusion when cross‑referencing performance data.

Enterprise changes and administration implications

Windows Backup for Organizations goes GA

Microsoft has promoted Windows Backup for Organizations to general availability. The service offers enterprise backup and restore workflows designed to shrink downtime during device migrations and hardware refreshes. For IT departments running Windows Autopilot or large imaging projects, this could streamline the user‑state handoff. However, it must be evaluated against existing backup, MDM, and user‑state virtualization solutions. A pilot at realistic scale—including branch‑office connectivity and large user profiles—is advisable before deprecating current tools.

PowerShell 2.0 removal

Starting with the August 2025 base image, Windows 11 24H2 no longer includes the legacy Windows PowerShell 2.0 engine. The component had been deprecated since 2017 and was already disabled by default in many environments, but organisations that rely on ancient scripts or third‑party tools written for PowerShell 2.0 will face immediate breakage. Inventory remediation is urgent. Most automation can be migrated to PowerShell 5.1 or 7.x, but the effort must begin now to avoid disruption when new machines roll out.
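One way to start that inventory, shown as an added example rather than anything taken from Microsoft's KB article: the script below reports whether the legacy engine is still present and finds script files and scheduled tasks that launch `powershell.exe -Version 2`. The `$ScriptRoots` paths are hypothetical placeholders.

```powershell
# Added example: inventory explicit PowerShell 2.0 engine dependencies. Run elevated.
# $ScriptRoots holds hypothetical locations; point it at your own script shares.
param([string[]]$ScriptRoots = @('C:\Scripts', "$env:ProgramData\Automation"))

# powershell.exe started with -Version 2, including abbreviations (-v, -ver, ...).
$v2Launch = '(?i)powershell(?:\.exe)?["'']?\s[^\r\n]*?-v(?:e(?:r(?:s(?:i(?:on?)?)?)?)?)?\s+2(?:\.0)?\b'

# 1. Is the legacy engine still offered on this image? No rows means it is gone.
$engine = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
    Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*' |
    Select-Object FeatureName, State

# 2. Script and batch files that start the 2.0 engine explicitly.
$fileHits = Get-ChildItem -Path $ScriptRoots -Recurse -File `
        -Include *.ps1, *.psm1, *.bat, *.cmd, *.vbs, *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern $v2Launch |
    ForEach-Object {
        [pscustomobject]@{
            Source   = 'File'
            Location = "$($_.Path):$($_.LineNumber)"
            Detail   = $_.Line.Trim()
        }
    }

# 3. Scheduled tasks whose action starts the 2.0 engine.
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $commandLine = "$($action.Execute) $($action.Arguments)"
        if ($commandLine -match $v2Launch) {
            [pscustomobject]@{
                Source   = 'ScheduledTask'
                Location = "$($task.TaskPath)$($task.TaskName)"
                Detail   = $commandLine
            }
        }
    }
}

$engine | Format-Table -AutoSize
@($fileHits) + @($taskHits) | Sort-Object Source, Location | Format-Table -AutoSize -Wrap
```

This only finds explicit `-Version 2` launches; third-party applications that host the 2.0 engine internally still need vendor confirmation.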

Secure Boot certificate expiry: June 2026 deadline

The most consequential warning in KB5064081 is that Secure Boot certificates on most Windows devices expire starting June 2026. If OEMs and IT teams do not update the relevant certificate authorities in firmware, affected machines could fail Secure Boot validation and refuse to boot securely—or worse, fall into an unsupported recovery path. This is a cross‑team project involving firmware vendors, hardware OEMs, internal imaging and security teams. The timeline is tight: organisations must inventory every device’s firmware/UEFI revision, track manufacturer bulletins for certificate updates, and apply firmware upgrades well before the expiry window. The risk isn’t hypothetical; it is a scheduled event that will cause production outages if ignored.
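A per-device inventory check for that project, as an added example that is not part of the KB article: it records the firmware revision and whether the Secure Boot `db` and `KEK` variables already contain the 2023 certificates. The certificate names come from Microsoft's separate Secure Boot guidance, not from this page, and the text match is a heuristic.

```powershell
# Added example: Secure Boot certificate and firmware inventory for one device.
# Run elevated. Certificate names are from Microsoft's Secure Boot guidance,
# not from this article; the ASCII match is a heuristic, not a full parse.
function Test-SecureBootCertificate {
    param(
        [Parameter(Mandatory)][string]$Variable,        # UEFI variable: db or KEK
        [Parameter(Mandatory)][string]$CertificateName  # subject name to look for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        # The subject CN is stored as printable text inside the DER-encoded entry.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        return $text -match [regex]::Escape($CertificateName)
    } catch {
        return $null   # legacy BIOS, not elevated, or variable not set
    }
}

$bios   = Get-CimInstance -ClassName Win32_BIOS
$system = Get-CimInstance -ClassName Win32_ComputerSystem

# Confirm-SecureBootUEFI throws on non-UEFI systems, so treat that as "unknown".
$secureBootOn = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    Manufacturer        = $system.Manufacturer
    Model               = $system.Model
    FirmwareVersion     = $bios.SMBIOSBIOSVersion
    FirmwareReleaseDate = $bios.ReleaseDate
    SecureBootEnabled   = $secureBootOn
    Db_Has2023CA        = Test-SecureBootCertificate -Variable db  -CertificateName 'Windows UEFI CA 2023'
    Db_Has2011PCA       = Test-SecureBootCertificate -Variable db  -CertificateName 'Microsoft Windows Production PCA 2011'
    Kek_Has2023CA       = Test-SecureBootCertificate -Variable KEK -CertificateName 'Microsoft Corporation KEK 2K CA 2023'
    Kek_Has2011CA       = Test-SecureBootCertificate -Variable KEK -CertificateName 'Microsoft Corporation KEK CA 2011'
}
```

Collect the output centrally (for example with `Export-Csv`) so devices that still report only the 2011 entries can be matched against OEM firmware bulletins.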

Reliability fixes and known issues

Quality fixes

The preview addresses several persistent bugs:
- Resilient File System (ReFS): fixes memory exhaustion when backup apps handle very large files.
- Input method editors: resolves rendering glitches in Chinese Simplified IME and fixes touch‑keyboard issues for Changjie, Bopomofo, and Japanese IMEs.
- Windows Hello: improves facial and fingerprint recognition reliability.
- Audio and Miracast: patches audio drops after casting and a service failure that could silence the system.
- System stability: corrects explorer.exe crashes related to dbgcore.dll and Kerberos cloud‑file‑share access.

These fixes reduce the noise in support queues and are especially relevant for mixed‑use fleets.

Known issues to watch

Cosmetic CertEnroll errors (Event ID 57)
After July/August updates, some devices log Event ID 57 from CertificateServicesClient: “The ‘Microsoft Pluton Cryptographic Provider’ provider was not loaded before… failed.” Microsoft says the entry is harmless and does not affect functionality. However, security‑information‑and‑event‑management (SIEM) tools that alarm on any error will generate false positives. Add an exception or correlation rule to your monitoring now; otherwise your SOC will waste cycles chasing a ghost.
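A narrowly scoped exception, as an added example that is not from Microsoft or from any SIEM product: the filter suppresses only Event ID 57 when both the provider and the Pluton message text match, so other errors that share the ID or the provider still alert. The sample events are constructed, and the function name is hypothetical.

```powershell
# Added example: suppress only the cosmetic Pluton/CertEnroll event, nothing broader.
function Test-CosmeticPlutonEvent {
    param([Parameter(Mandatory)]$Record)
    # All three conditions must hold; matching on the ID alone would hide
    # unrelated Event ID 57 entries from other providers.
    return ($Record.Id -eq 57) -and
           ($Record.ProviderName -like '*CertificateServicesClient*') -and
           ($Record.Message -like '*Microsoft Pluton Cryptographic Provider*was not loaded*')
}

# Constructed sample events (not captured from a real system).
$sampleEvents = @(
    [pscustomobject]@{
        Id = 57; LevelDisplayName = 'Error'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
        Message = "The 'Microsoft Pluton Cryptographic Provider' provider was not loaded [...] failed."
    }
    [pscustomobject]@{
        Id = 57; LevelDisplayName = 'Error'
        ProviderName = 'Ntfs'
        Message = 'Constructed: unrelated storage error that happens to use ID 57.'
    }
    [pscustomobject]@{
        Id = 13; LevelDisplayName = 'Error'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
        Message = 'Constructed: certificate enrollment failed.'
    }
)

# Only the first sample is dropped; the other two remain alertable.
$alertable = $sampleEvents | Where-Object {
    $_.LevelDisplayName -eq 'Error' -and -not (Test-CosmeticPlutonEvent -Record $_)
}
$alertable | Format-Table Id, ProviderName, Message -AutoSize -Wrap

# Against live logs, feed real records through the same filter, for example:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Application','System'; Level = 2 } |
#       Where-Object { -not (Test-CosmeticPlutonEvent -Record $_) }
```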

NDI streaming regression
Following the August security update, users report delayed or stuttering audio/video when using Network Device Interface (NDI) to stream, particularly with Display Capture on the source PC. The workaround is to switch NDI Receive Mode to TCP. If your organisation relies on NDI for broadcasting or real‑time production, test the updated build on dedicated encoder hardware before rolling out broadly.

Reset and remote wipe failures
Earlier in August, the security rollup caused Reset my PC and remote wipe flows to fail. Microsoft released out‑of‑band fixes (e.g., KB5066189) to restore those recovery paths. Verify that those remedial updates are applied and that recovery workflows function in your pilot ring. For managed fleets that depend on RemoteWipe, skipping this step could leave a critical lifecycle operation broken.

Unverified storage disappearance reports
A handful of community posts describe storage vanishing after heavy write workloads post‑update. Microsoft investigated and recommended following official guidance; no confirmed root cause has been published. Treat these reports as unverified, but stress‑test storage‑intensive workloads in a lab before mass deployment.

Deployment checklist for IT

  1. Pilot broadly. Include Copilot+ hardware, standard corporate devices, lab machines used for imaging, and any machine involved in media streaming or NDI tasks.
  2. Validate recovery flows. Test Reset my PC, remote wipe, and Windows Backup restore before scaling.
  3. Tune monitoring. Exclude the cosmetic CertificateServicesClient Event ID 57 entry from alerting thresholds to avoid alert fatigue.
  4. Inventory PowerShell 2.0 dependencies. Migrate scripts to PowerShell 5.1/7.x or isolate legacy hosts.
  5. Begin Secure Boot certificate remediation. Create a cross‑functional project team; link with OEM firmware schedules.
  6. Verify licensing for AI features. Confirm Microsoft 365/Copilot entitlements for users expected to use Summarize and other cloud‑dependent actions.

Editorial assessment

KB5064081 continues a pragmatic servicing strategy: ship code, then light up features gradually. The new AI tools are genuine productivity aids, and the privacy controls around generative models are a welcome addition. But the staged rollout and hardware gating create a two‑tier experience that will confuse users and complicate support scripts. The operational heavyweights are the PowerShell 2.0 removal and the Secure Boot certificate expiry; both demand planning and cross‑team effort right now. The preview itself is worth piloting, but only in a representative ring and only after reading the fine print on known issues. The Secure Boot warning alone should be enough to schedule a project kick‑off this quarter. Ignore it, and June 2026 will bring a wave of unbootable devices.

Microsoft’s support article provides the exact DISM commands for installation, and the update catalog page lists the required .msu files. Organisations that rely on Windows Update for Business can deploy the optional preview through the “Preview builds” toggle in their update rings. As always, keep a tested offline image for rollback—once the combined SSU+LCU is applied, the servicing stack cannot be removed.