The August 2025 security update for Windows 11 version 24H2, KB5063878, is more than a routine monthly patch — it’s a vehicle for Microsoft’s increasingly loud warning that Secure Boot certificates powering virtually every modern Windows machine will start expiring in June 2026. Build 26100.4946 bundles quality fixes, a servicing stack refresh, and AI component upgrades exclusive to Copilot+ hardware. But the real headline is the looming certificate rollover that could cut off boot-time update delivery for devices still relying on legacy 2011 certificates, turning a routine maintenance cycle into a compliance race.

Microsoft delivered the update on August 12, 2025 through Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog. It follows the now-familiar combined SSU+LCU model, meaning the servicing stack (KB5065381, version 26100.4933) is embedded within the cumulative package. The company reported no known issues with this release at press time, but the repeated emphasis on Secure Boot readiness makes clear that the June 2026 deadline isn’t a distant concern; it’s a planning trigger that should influence how organizations test and deploy updates right now.

What’s inside KB5063878

Sign-in delay fix and security updates
The headliner for end users is a targeted patch that eliminates an authentication delay occurring on newly provisioned or first-boot devices. Microsoft states that certain preinstalled packages were causing a noticeable lag during sign-in, a pain point for IT teams imaging hundreds of machines. Beyond that, the update addresses multiple security vulnerabilities; detailed CVE mapping is available in the Security Update Guide, as the KB article itself provides only high-level descriptions of the fixed categories.

AI components only for Copilot+ PCs
KB5063878 ships updated binaries for four AI engines:
- Image Search (1.2507.793.0)
- Content Extraction (1.2507.793.0)
- Semantic Analysis (1.2507.793.0)
- Settings Model (1.2507.793.0)

These are packaged in the cumulative update but install only on Windows Copilot+ PCs — systems that meet specific hardware requirements, including an integrated NPU. Standard Windows 11 or Windows Server machines will skip these components automatically. The selective deployment limits compatibility exposure while allowing Microsoft to iterate on AI-powered features like on-device image search, content analysis, and context-aware settings without affecting the broader install base.

Servicing stack update (SSU)
Bundled SSU KB5065381 refreshes the update pipeline itself. Microsoft’s own guidance is unambiguous: SSUs are effectively non-removable once installed, and skipping them can lead to update failures or even boot problems in degraded states. For admins, this means a failed SSU installation is not a simple uninstall scenario — recovery may require system restore or image rollback. The combined package reduces the chance of a missing SSU dependency, a benefit for organizations that synchronize updates manually.

The Secure Boot certificate expiration: a ticking clock

Microsoft has been transparent about the deadlines, but the inclusion of preparatory guidance inside a monthly security update signals urgency. Beginning in June 2026, the Microsoft Corporation KEK CA 2011 and the Microsoft UEFI CA 2011 certificates will expire. A second wave in October 2026 affects the Windows Production PCA 2011. These certificates are embedded in UEFI firmware and underpin the boot chain — they verify the digital signatures of boot loaders, option ROMs, and other pre-boot components before the OS even loads.

If devices carry the legacy 2011 certificates past their expiry without updating to the 2023 replacements, three critical failures become likely:
- The UEFI firmware will no longer trust newly signed boot components, including Windows Boot Manager updates.
- Microsoft will be unable to distribute Secure Boot updates via Windows Update, leaving the boot environment unpatched against emerging threats.
- Virtual machines that depend on the host firmware’s Secure Boot state can also be affected, broadening the impact to server environments.

The replacement certificates — Microsoft Corporation KEK CA 2023, Microsoft UEFI CA 2023, and Windows UEFI CA 2023 — must be inserted into the appropriate Secure Boot databases (KEK and DB) either through a Windows Update-delivered payload or via OEM firmware updates. For Microsoft-managed devices (most consumer machines and many enterprise ones), the company plans to push the new certificates automatically. For air-gapped or heavily locked-down environments, manual intervention is required.

Microsoft’s guidance: the opt-in path and OEM coordination

In the KB documentation and its companion Secure Boot support article, Microsoft offers a clear playbook:
- For consumer devices, keep Windows Update enabled and ensure Secure Boot is on (verify with msinfo32; Secure Boot State should read “On”).
- For IT-managed fleets, coordinate with OEMs to confirm firmware support for the 2023 certificate updates. OEM firmware is the bedrock that enables insertion of new Secure Boot variables. Without a compatible UEFI version, the OS-level update cannot complete.
- For organizations that want Microsoft to handle the certificate update on managed devices, a registry opt-in key exists: set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot\MicrosoftUpdateManagedOptIn to 0x5944. Microsoft cautions that changing telemetry settings or registry values should align with organizational policy.
- Air-gapped systems require offline procedures, often involving a manual injection of the certificate payload and close coordination with the hardware vendor.

The work can’t be put off until June 2026. The certificate rollover is not a single event but a multi-phased transition. Some OEM firmware updates are already available; others are scheduled through 2025. Enterprises need to inventory their hardware, identify which models will require firmware refreshes, and schedule those updates ahead of the 2026 cutoff.
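The guidance above boils down to three facts an admin must establish per device: Secure Boot is on, the 2023 CAs are (or are not yet) in KEK and db, and whether the opt-in value is set. The following PowerShell script is an added example, not code from the KB article or from Microsoft; it uses only the built-in SecureBoot module and the registry provider. The certificate-name patterns are an assumption written around the names quoted in this article, deliberately loose because the on-device subject strings can differ slightly (the 2023 KEK subject, for example, may contain "2K"); check them against your OEM's documentation before relying on the result.

```powershell
# Added example (not code from the KB article or from Microsoft): a readiness check for the
# June/October 2026 Secure Boot certificate rollover. Run elevated on the device being assessed.
# Assumption: the -match patterns approximate the CA names quoted in the article.
#Requires -RunAsAdministrator

function Get-SecureBootReadiness {
    $r = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # 1. Secure Boot must be on. Confirm-SecureBootUEFI throws on legacy-BIOS or unsupported systems.
    try {
        $r.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        $r.SecureBootEnabled = $false
        $r.Note = "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # 2. KEK and db are packed EFI_SIGNATURE_LISTs holding DER-encoded X.509 certificates.
    #    The subject CN sits in the DER blob as plain ASCII, so a substring match on the
    #    decoded bytes is enough to tell which CAs the firmware currently trusts.
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    $r.Kek2011Present       = [bool]($kek -match 'KEK CA 2011')
    $r.Kek2023Present       = [bool]($kek -match 'KEK.{0,6}CA 2023')     # tolerant of "KEK 2K CA 2023"
    $r.UefiCa2011Present    = [bool]($db  -match 'UEFI CA 2011')
    $r.UefiCa2023Present    = [bool]($db  -match 'Microsoft UEFI CA 2023')
    $r.ProdPca2011Present   = [bool]($db  -match 'Windows Production PCA 2011')
    $r.WinUefiCa2023Present = [bool]($db  -match 'Windows UEFI CA 2023')

    # 3. The opt-in value from the KB (0x5944) signals that Microsoft may manage the rollover.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $optIn = (Get-ItemProperty -Path $regPath -Name MicrosoftUpdateManagedOptIn -ErrorAction SilentlyContinue).MicrosoftUpdateManagedOptIn
    $r.MicrosoftManagedOptIn = ($optIn -eq 0x5944)

    # 4. A device is only safe past the 2026 dates once every 2023 CA it needs is already in KEK/db.
    $r.ReadyFor2026 = $r.Kek2023Present -and $r.UefiCa2023Present -and $r.WinUefiCa2023Present
    if ($r.ReadyFor2026) { $r.ActionNeeded = 'None' }
    elseif ($r.MicrosoftManagedOptIn) { $r.ActionNeeded = 'Wait for the Windows Update payload; confirm OEM firmware supports it' }
    else { $r.ActionNeeded = 'Coordinate an OEM firmware update, or opt in per organizational policy' }
    return [pscustomobject]$r
}

Get-SecureBootReadiness | Format-List
```

Run it from an elevated prompt on each pilot model; a fleet run can wrap `Get-SecureBootReadiness` in `Invoke-Command` and export the objects to CSV so the inventory in the checklist below has hard data behind it. A device that reports `SecureBootEnabled = True` but no 2023 CA present is exactly the case the June 2026 deadline applies to.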

Deployment best practices for KB5063878 and beyond

Quick checklist for admins
1. Inventory devices by management model: Microsoft-managed vs. WSUS/ConfigMgr vs. air-gapped.
2. Verify Secure Boot is enabled on all critical hardware.
3. Check with major OEMs for updated firmware versions that support the 2023 KEK/DB.
4. Stage KB5063878 in a pilot ring of representative devices, testing boot flow, driver compatibility, and business-critical applications.
5. Monitor the Windows Health Dashboard and the official Secure Boot certificate rollout landing page for real-time advisories.

Installation paths
- Windows Update / Automatic: The lowest-friction method for unmanaged or Microsoft-managed devices.
- Windows Update for Business: Use deployment rings to control rollout velocity.
- WSUS / Configuration Manager: Sync with Product=Windows 11 and Classification=Security Updates.
- Manual/air-gapped: Download the .msu from the Microsoft Update Catalog and install with DISM:
DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5063878-x64.msu
or PowerShell:
Add-WindowsPackage -Online -PackagePath "c:\packages\Windows11.0-KB5063878-x64.msu"
Offline updates require careful ordering of prerequisite MSU files when multiple packages are needed.
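For the manual and air-gapped path, the one step the article's two commands leave implicit is verifying that the .msu you carried across the gap is the genuine Microsoft package before it is applied. The script below is an added example, not code from the KB article or from Microsoft: it wraps the same Add-WindowsPackage call quoted above, refuses to install a package whose Authenticode signature does not validate to a Microsoft signer, and reports the build so the result (26100.4946 for KB5063878) can be confirmed after the reboot. The package path is the one quoted in the article; the signer-subject match is a convention chosen here, not a documented API.

```powershell
# Added example (not code from the KB article or from Microsoft): signature-checked offline
# install of KB5063878. Assumptions: package path as quoted in the article; the
# '*O=Microsoft Corporation*' subject check is a local convention.
#Requires -RunAsAdministrator
param(
    [string]$PackagePath = 'c:\packages\Windows11.0-KB5063878-x64.msu',
    [string]$KbId        = 'KB5063878',
    [int]$TargetBuild    = 26100,
    [int]$TargetUbr      = 4946
)

function Test-PackageSignature {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status   # 'Valid' only when the chain builds to a trusted root
        Signer  = $subject
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -like '*O=Microsoft Corporation*')
    }
}

function Get-CurrentBuild {
    # CurrentBuildNumber.UBR is the same "26100.4946" form the KB article uses.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuildNumber; Ubr = [int]$cv.UBR }
}

function Test-TargetBuild {
    $b = Get-CurrentBuild
    $listed = $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Build        = "$($b.Build).$($b.Ubr)"
        AtTarget     = ($b.Build -eq $TargetBuild -and $b.Ubr -ge $TargetUbr)
        HotFixListed = $listed
    }
}

# --- main ---
$state = Test-TargetBuild
if ($state.AtTarget) { Write-Host "Already at $($state.Build); nothing to do."; return }

$check = Test-PackageSignature -Path $PackagePath
if (-not $check.Trusted) { throw "Refusing to install: signature '$($check.Status)' by '$($check.Signer)'" }

# Equivalent to the article's DISM /Online /Add-Package line; -NoRestart leaves the reboot to the admin.
Add-WindowsPackage -Online -PackagePath $PackagePath -NoRestart | Out-Null
Write-Host "Package staged from $PackagePath. Reboot, then re-run this script to confirm $TargetBuild.$TargetUbr."
```

Run the script once to install and once more after the reboot; the second run should print that the device is already at the target build. Because the SSU inside the combined package cannot be uninstalled, the signature gate matters more here than for a normal LCU: a tampered or corrupted package that gets past it is an image-restore event, not an uninstall.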

Rollback and recovery
Because the SSU is non-removable, a failed upgrade from this package isn’t easily reversed by simply uninstalling the KB. Maintain current system restore points or image backups. For pilot deployments, ensure you have a tested rollback playbook — restoring a full disk image may be the only reliable recovery path if the servicing stack corrupts.

Strengths and risks in Microsoft’s approach

Strengths
- Early, repeated notification of the certificate expiry gives organizations 10 months of lead time, much more than for typical patch rollouts. The combined SSU+LCU packaging simplifies dependency management.
- Selective delivery of AI components to only Copilot+ devices prevents unnecessary risk to the 1.4 billion other Windows machines.
- The opt-in registry key for managed Secure Boot updates provides a middle ground for enterprises that want Microsoft to handle the transition but need to approve it explicitly.

Risks and concerns
- Air-gapped and heavily customized OEM environments face a manual, error-prone certificate injection process. Without a well-documented, repeatable procedure, these devices could miss the deadline.
- The non-removable nature of the SSU adds a hard dependency. Any SSU regression could force image recovery, disrupting production workflows.
- While Microsoft reports no known issues with this build, the 24H2 update history includes sporadic driver and compatibility problems reported by users. Organizations should treat the “no known issues” statement as the starting line for their own testing, not the finish line.
- The tight integration of AI content extraction and semantic analysis engines, even when sandboxed, theoretically expands the attack surface. Long-term scrutiny of telemetry behavior and explicit admin controls will be necessary, especially in regulated industries.

Action plan for different audiences

Home users and small businesses
Ensure Windows Update is enabled and Secure Boot is on. Install KB5063878 when offered. The near-term benefit is the sign-in speed fix; the long-term benefit is staying on the expiration-safe update path. No registry tweaks are needed unless directed by a Microsoft support document specifically for your machine.

Enterprise IT administrators
1. Run a Secure Boot inventory across all PC models.
2. Contact OEMs for firmware roadmaps; apply firmware updates that pre-load the 2023 certificates before summer 2026.
3. Test KB5063878 in a controlled ring, observing not just functionality but also that Secure Boot variables remain correct after the update.
4. Decide whether to opt in to Microsoft-managed Secure Boot updates via the registry key, and document the decision for compliance audits.
5. Schedule a second round of testing later in 2025 when Microsoft is expected to deliver early certificate payloads via Windows Update.
6. Maintain offline recovery media for critical systems in case an SSU-related failure occurs.
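Step 3 asks that Secure Boot variables "remain correct" after the pilot install, which is only checkable if you recorded what they were beforehand. The script below is an added example, not code from the KB article or from Microsoft: run with `-Phase Before` it hashes PK, KEK, db and dbx into a baseline file; run with `-Phase After` following the reboot it reports every variable whose contents changed. It uses only the built-in SecureBoot module. The baseline path and the severity labels are choices made here; adapt the labels to your rollout phase (a KEK or db change is expected once the 2023 certificate payload arrives, a PK change or Secure Boot switching off never is).

```powershell
# Added example (not code from the KB article or from Microsoft): baseline and compare the
# Secure Boot variables around a pilot install. Assumptions: snapshot path and severity
# labels are local conventions.
#Requires -RunAsAdministrator
param(
    [ValidateSet('Before', 'After')][string]$Phase = 'Before',
    [string]$SnapshotPath = "$env:ProgramData\SecureBootBaseline.json"
)

$VariableNames = 'PK', 'KEK', 'db', 'dbx'

function Get-SecureBootSnapshot {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $snap = [ordered]@{ TakenAt = (Get-Date).ToString('o'); Enabled = $false; Variables = [ordered]@{} }
    try { $snap.Enabled = [bool](Confirm-SecureBootUEFI) } catch { $snap.Enabled = $false }
    foreach ($name in $VariableNames) {
        try {
            # Hash the raw variable bytes: any certificate or revocation-list change alters the digest.
            $bytes = (Get-SecureBootUEFI -Name $name).Bytes
            $snap.Variables[$name] = [ordered]@{
                Length = $bytes.Length
                Sha256 = ([BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
            }
        } catch {
            $snap.Variables[$name] = [ordered]@{ Length = -1; Sha256 = 'unreadable' }
        }
    }
    $sha.Dispose()
    return $snap
}

function Compare-SecureBootSnapshot {
    param($Before, $After)
    # Returns one line per difference; an empty result means the update left Secure Boot untouched.
    $findings = @()
    if ($Before.Enabled -and -not $After.Enabled) {
        $findings += 'CRITICAL: Secure Boot was enabled at baseline and is now off'
    }
    foreach ($name in $VariableNames) {
        $b = $Before.Variables.$name
        $a = $After.Variables.$name
        if ($b.Sha256 -eq $a.Sha256) { continue }
        # PK must never change; dbx revocation updates arrive routinely; KEK/db changes need a look.
        $severity = if ($name -eq 'PK') { 'CRITICAL' } elseif ($name -eq 'dbx') { 'INFO' } else { 'REVIEW' }
        $findings += "${severity}: $name changed (length $($b.Length) -> $($a.Length))"
    }
    return $findings
}

# --- main ---
$current = Get-SecureBootSnapshot
if ($Phase -eq 'Before') {
    $current | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $SnapshotPath -Encoding UTF8
    Write-Host "Baseline written to $SnapshotPath; install the update, reboot, then run with -Phase After."
} else {
    $baseline = Get-Content -LiteralPath $SnapshotPath -Raw | ConvertFrom-Json
    $findings = Compare-SecureBootSnapshot -Before $baseline -After $current
    if ($findings.Count -eq 0) { Write-Host 'No Secure Boot variable changes since baseline.' }
    else { $findings | ForEach-Object { Write-Host $_ } }
}
```

Keep the baseline files from the pilot ring; when the certificate payload itself ships later in 2025 (step 5), the same `-Phase After` run shows whether KEK and db actually gained the 2023 entries on each hardware model, which is the evidence an audit of step 4's decision will ask for.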

Firmware and device OEM partners
Continue to publish and signal UEFI firmware releases that support the 2023 certificate chain. Coordinate with Microsoft’s testing teams to validate firmware + OS update scenarios. The firmware layer is the gatekeeper — without compatible UEFI code, the OS-level certificate insertion fails silently, putting devices at risk post-June 2026.

Conclusion

KB5063878 is, on the surface, a standard August patch with a handful of fixes and AI component refreshes for Copilot+ hardware. Its real significance is as a carrier for Microsoft’s endgame warning on Secure Boot certificates. The technical changes are minor; the operational implications are massive for any organization that has not yet started planning for the 2026 expiration.

With Secure Boot certificates reaching end-of-life in just ten months, every Windows device that boots securely today must be prepared to accept the new certificate chain. The update itself installs cleanly on most systems, but it also serves as a test case for the deployment pipelines that will ultimately deliver the certificate payload. Testing a cumulative update now, coordinating with OEMs, and evaluating the opt-in registry key are not optional — they are the difference between a seamless transition and a fleet-wide boot crisis when 2026 arrives.