On August 12, 2025, Microsoft shipped KB5063878, a combined servicing stack and cumulative update for Windows 11 24H2 that raises the operating system to build 26100.4946. While the update delivers the usual batch of security patches and a handful of quality fixes, its most urgent message isn’t about what it fixes today—it’s about what will break if administrators ignore the Secure Boot certificate expirations now on the horizon.

This Patch Tuesday release bundles a servicing stack update (SSU KB5065381, build 26100.4933) with the monthly cumulative fixes, continuing Microsoft’s push toward consolidated update packages that reduce installation failures. It also includes targeted AI component updates for Copilot+ devices, a fix for sign-in delays on new PCs, and a blunt reiteration of the looming Secure Boot certificate deadline. The certificate expiration timetable demands immediate attention, especially for managed fleets and OEM-dependent hardware.

What’s Inside KB5063878

At its core, KB5063878 is a cumulative security and quality update for all editions of Windows 11 version 24H2. After installation, your system reports OS Build 26100.4946. The package contains security mitigations, reliability improvements, and the following notable components:

  • Servicing stack refresh: The bundled SSU (KB5065381) updates the component that installs updates themselves. Once applied, SSUs cannot be uninstalled separately, so administrators must factor this into their rollback planning.
  • AI component payload for Copilot+ devices: The update includes refreshed binaries for Image Search, Content Extraction, Semantic Analysis, and Settings Model—all version 1.2507.793.0. These components only activate on qualifying Copilot+ hardware and are ignored by standard Windows 11 or Windows Server installations.
  • Sign-in delay fix: A quality improvement reduces first-logon latency on newly provisioned devices where certain package configurations previously caused delays.

Microsoft reports no known issues with this release, but the company uses the KB article to hammer home a far more consequential operational advisory: the multi-year Secure Boot certificate transition.

The Secure Boot Deadline: A Ticking Clock

The Secure Boot certificate ecosystem is about to undergo a forced refresh. Several Microsoft CA certificates issued in 2011 form the foundation of the UEFI Secure Boot trust chain on millions of devices. Those certificates begin expiring in June 2026, with a second wave in October 2026. If devices retain the legacy 2011 entries beyond their expiration dates, they may reject updates signed by the newer 2023 CA family, lose pre-boot security patches, or—in worst-case configurations—fail to boot entirely.

The certificates at the center of this transition include:

  • Microsoft Corporation KEK CA 2011 – expires June 2026, replaced by Microsoft Corporation KEK CA 2023
  • Microsoft UEFI CA 2011 and Microsoft Option ROM CA 2011 – expire October 2026, replaced by 2023 family entries in the DB
  • Windows Production PCA 2011 – expires October 2026, replaced by Windows UEFI CA 2023

This is not simply an OS update problem. Secure Boot trust anchors live in firmware and NVRAM variables (PK, KEK, DB/DBX). While OS-level updates can deliver new certificates to the EFI variables, firmware must cooperate. If an OEM fails to publish compatible firmware, the OS-level certificate updates may not fully complete, leaving devices stranded in a partially compatible state.

Microsoft plans a staged rollout: many consumer devices will receive the 2023-series certificates via Windows Update automatically. Enterprises, air-gapped systems, and specialized fleets must handle the transition manually—inventories, OEM coordination, firmware updates, and validation are all required. The June 2026 deadline is not far away for organizations that manage thousands of endpoints.

Deployment and Installation How-To

KB5063878 is available through all standard channels: Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog. For manual deployment, Microsoft provides specific DISM and PowerShell commands.

If downloading from the Update Catalog, note that this KB contains more than one MSU file. The official installation guidance offers two paths:

  • Method 1: Install all MSU files together – Place all downloaded MSUs in the same folder, then run:
    DISM /Online /Add-Package /PackagePath:c:\packages\
    (DISM auto-discovers prerequisites in the folder)
  • Method 2: Install each MSU file individually, in order – Install windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu first, then the main KB5063878 package. This order is critical.

For online systems, equivalent PowerShell commands are:

Add-WindowsPackage -Online -PackagePath "c:\packages\Windows11.0-KB5063878-x64.msu"

For offline images, use:

DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5063878-x64.msu

Administrators must remember that once the combined SSU+LCU is applied, the servicing stack cannot be undone independently. To roll back the LCU, use DISM to remove the specific package, but the SSU remains permanent. System restore points or full image backups are recommended before deployment.
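The ordered manual install described above (Method 2, followed by a build check), written out as an added PowerShell script. This is an illustration, not Microsoft's own tooling or anything from the KB article: the KB number and expected build come from the article, while the download folder, the "everything that is not the LCU is a prerequisite" rule and the restart bookkeeping are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: stage the KB5063878 MSU set from a local folder in the order the
# article requires (prerequisite SSU first, the LCU last) and report the build
# that should appear after reboot. Folder path and ordering rule are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$PackageDir    = 'C:\packages',   # assumed Update Catalog download folder
    [string]$MainKb        = 'KB5063878',     # the LCU named in the article
    [string]$ExpectedBuild = '26100.4946'     # OS build the article says results
)

function Get-CurrentOsBuild {
    # CurrentBuildNumber.UBR is the "OS Build" string winver and the KB article quote
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return ('{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
}

$msus = Get-ChildItem -Path $PackageDir -Filter '*.msu' -File
if (-not $msus) { throw "No .msu files found in $PackageDir" }

# Method 2 from the article: every other MSU (the bundled SSU) before the LCU.
$prereqs = @($msus | Where-Object { $_.Name -notmatch $MainKb })
$main    = @($msus | Where-Object { $_.Name -match $MainKb })
if (-not $main) { throw "Main package $MainKb not found in $PackageDir" }
$ordered = $prereqs + $main

Write-Host "Build before: $(Get-CurrentOsBuild)"
$restartNeeded = $false
foreach ($msu in $ordered) {
    if ($PSCmdlet.ShouldProcess($msu.Name, 'Add-WindowsPackage -Online')) {
        # -NoRestart lets SSU and LCU both stage before a single reboot;
        # Add-WindowsPackage reports whether that reboot is required.
        $result = Add-WindowsPackage -Online -PackagePath $msu.FullName -NoRestart -ErrorAction Stop
        if ($result.RestartNeeded) { $restartNeeded = $true }
        Write-Host "Staged $($msu.Name)"
    }
}

# The SSU is permanent once applied (see the article); only the LCU can be
# removed later with Remove-WindowsPackage / DISM /Remove-Package.
Write-Host "Restart required: $restartNeeded"
Write-Host "After reboot, expect OS Build $ExpectedBuild (now $(Get-CurrentOsBuild))"
```

Run it with `-WhatIf` first to see the install order without touching the system; the build number only changes after the reboot that commits the LCU, so the final comparison against 26100.4946 belongs in your post-reboot validation step.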

AI Components: Copilot+ Only

The AI component payload is deliberately scoped to Copilot+ hardware. Versions 1.2507.793.0 of Image Search, Content Extraction, Semantic Analysis, and Settings Model are included inside the cumulative update but only activate on devices that meet Copilot+ requirements. Standard Windows 11 and Windows Server SKUs simply ignore these files.

This selective installation strategy minimizes risk to the broader installed base and avoids adding unused AI binaries to non-Copilot+ systems. For IT admins, it demands accurate hardware inventory: you must know which endpoints carry Copilot+ licensing and enablement before these features can be evaluated or governed. Non-Copilot+ devices receiving KB5063878 will still obtain all security and quality fixes; the absence of AI binaries is not an update failure.

Risks, Edge Cases, and What We Don’t Know

While Microsoft states no known issues, real-world deployments often surface environment-specific problems. The biggest risk is OEM firmware readiness. If an OEM delays or fails to publish firmware that permits 2023 CA entries, the Secure Boot transition breaks. This is an OEM coordination problem, not something a Windows update alone can fix.

Additional edge cases include:

  • Air-gapped and regulated systems: Manual certificate updates are required, which is operationally expensive at scale.
  • Dual-boot with Linux: Many Linux distributions rely on Microsoft-signed shims. If firmware refuses new 2023 certs or shim signing paths change, dual-boot configurations may experience boot regressions. Test thoroughly.
  • Telemetry and policy: Microsoft’s staged certificate delivery to consumers implies telemetry dependencies. Organizations with strict privacy constraints need to map how and when certificates are pushed before enabling automatic delivery.
  • CVE details: The KB article provides broad descriptions of security fixes but does not enumerate individual CVEs. For per-CVE triage and severity scoring, consult the Microsoft Security Update Guide directly.

Action Plan for Different Audiences

Home users and small businesses: Keep Windows Update enabled and let the update install automatically. Once OEM firmware updates are released, apply them promptly. Verify Secure Boot status with msinfo32 and note your firmware version. As always, back up critical data before major system updates.

IT administrators (SMB to enterprise): Start now. Inventory all devices by Secure Boot state, firmware age, and Copilot+ capability. Coordinate with OEMs to obtain and validate UEFI/firmware updates that support the 2023 CA entries. Pilot KB5063878 on a representative ring for 72–120 hours, monitoring boot behavior, update logs, and line-of-business application compatibility. Validate WSUS/SCCM synchronization settings (ensure “Windows 11” product and “Security Updates” classification are selected). Script offline servicing of gold images and WinRE updates. Prepare rollback procedures—system restore points, DISM package removal, and image recovery—before broad deployment. Lastly, create an exception register and compensating controls for devices that cannot be updated before the June 2026 deadline.
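The firmware-resident trust anchors described in the Secure Boot section (PK, KEK, DB) and the "inventory all devices by Secure Boot state and firmware age" step above are the same check from two angles. The following added PowerShell function is an example of that inventory, not the article's or Microsoft's code: the certificate subject names are the ones the article lists, while the readiness classification, the output fields and the substring-matching approach (reading the raw EFI signature-list bytes and looking for the subject CN as ASCII) are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: classify a device by which Microsoft Secure Boot CA entries its
# KEK and DB variables currently hold, plus firmware version/date, so a fleet
# can be sorted into "2023-ready" and "still 2011-only" before June 2026.
function Get-SecureBootCaInventory {
    # Subject names from the article; matched as ASCII substrings of the raw
    # EFI_SIGNATURE_LIST bytes, where the DER-encoded subject CN is plain text.
    $watch = @{
        KEK = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK CA 2023')
        db  = @('Microsoft UEFI CA 2011', 'Windows Production PCA 2011', 'Windows UEFI CA 2023')
    }

    $bios = Get-CimInstance -ClassName Win32_BIOS
    try   { $secureBoot = Confirm-SecureBootUEFI }   # $true / $false on UEFI systems
    catch { $secureBoot = $null }                      # $null = legacy BIOS or unsupported

    $found = @{}
    foreach ($var in $watch.Keys) {
        $text = ''
        if ($null -ne $secureBoot) {
            $bytes = (Get-SecureBootUEFI -Name $var).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        }
        foreach ($name in $watch[$var]) {
            $found[$name] = $text.Contains($name)
        }
    }

    # Readiness rule (assumed for this example): a device is ready for the
    # transition when the 2023 KEK and the 2023 Windows DB entry are both present.
    $has2023 = $found['Microsoft Corporation KEK CA 2023'] -and $found['Windows UEFI CA 2023']
    $has2011 = $found['Microsoft Corporation KEK CA 2011'] -or
               $found['Microsoft UEFI CA 2011'] -or
               $found['Windows Production PCA 2011']
    $status = if ($null -eq $secureBoot) { 'NoUEFI' }
              elseif ($has2023)          { 'Ready2023' }
              elseif ($has2011)          { 'Legacy2011Only' }
              else                       { 'NoMicrosoftCA' }

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        SecureBootEnabled   = $secureBoot
        FirmwareVersion     = $bios.SMBIOSBIOSVersion
        FirmwareDate        = $bios.ReleaseDate
        KEK_2011            = $found['Microsoft Corporation KEK CA 2011']
        KEK_2023            = $found['Microsoft Corporation KEK CA 2023']
        DB_UefiCa2011       = $found['Microsoft UEFI CA 2011']
        DB_ProdPca2011      = $found['Windows Production PCA 2011']
        DB_WindowsUefiCa2023 = $found['Windows UEFI CA 2023']
        Status              = $status
    }
}

# Local run, then the same function fanned out to a host list for the fleet CSV.
Get-SecureBootCaInventory | Format-List
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Get-SecureBootCaInventory} |
#     Export-Csv .\secureboot-inventory.csv -NoTypeInformation
```

A device reporting `Legacy2011Only` with a firmware date that predates the OEM's 2023-CA-capable release is exactly the case the article warns about: the OS can stage new certificates, but until the firmware update lands the KEK/DB write may not complete, so those rows belong in the exception register with compensating controls. Note that presence of a certificate in DB shows what the firmware trusts today; it does not by itself prove the OEM firmware will accept the next write, which is why the firmware version column sits next to it.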

OEMs and firmware partners: Your firmware is the gating factor. Devices that do not receive updated firmware capable of accepting the new certificate entries will fail part of the transition. Align your release schedules with enterprise deployment windows and coordinate signals with Microsoft to ensure OS-level certificate updates can write KEK/DB entries successfully.

Conclusion

KB5063878 is more than an August cumulative update. It is a strategically timed package that delivers immediate security and quality fixes while amplifying a warning that will define enterprise IT planning for the next 10 months. The AI component updates for Copilot+ devices are a forward-looking addition, but the Secure Boot certificate expiration challenge is a hard, unyielding operational deadline. Organizations that inventory now, coordinate with OEMs, and pilot the combined SSU+LCU will be positioned to absorb the transition smoothly. Those that wait risk a preventable boot-chain crisis when the 2011 certificates finally expire. Patch today, but plan for June 2026 starting right now.