On August 29, 2025, Microsoft released two targeted Dynamic Update packages for Windows 11 version 24H2 and Windows Server 2025, aiming to eliminate a class of installation and recovery failures that have plagued IT teams during feature updates and image deployments. The updates—KB5065378 for Setup and KB5064097 for the Safe OS (WinRE)—are not typical cumulative patches; they are surgical hardening packages designed to be injected directly into offline installation media and recovery partitions. This release arrives as a direct response to a turbulent August 2025 servicing cycle, where WSUS delivery errors and upgrade regressions underscored the fragility of existing deployment pipelines.

What Are Dynamic Updates and Why Do They Matter?

Dynamic Updates are a long-standing but underappreciated servicing mechanism that Windows Setup invokes during in-place upgrades or media-based installations. Instead of requiring Microsoft to rebuild entire ISOs or WIMs every time a critical fix emerges, Dynamic Updates deliver refreshed setup binaries and recovery images from the update catalog. For organizations that maintain golden images or operate air-gapped environments, this capability ensures that an offline image created months ago can still incorporate reliability fixes published after the ISO was built. The two new packages address two of the most failure-prone components in the Windows deployment chain: the Setup engine itself and the Windows Recovery Environment (WinRE), sometimes called Safe OS.

WinRE is the minimal OS that runs before the full Windows boot, powering Reset this PC, Automatic Repair, cloud reinstall, and installation flows. Setup binaries, meanwhile, handle the heavy lifting during feature updates. When these components are mismatched with newer cumulative updates or driver stacks, the results can be catastrophic—failed upgrades, unbootable devices, or recovery loops. KB5065378 and KB5064097 directly refresh this narrow, high-impact surface, reducing the likelihood of such failures.

KB5065378: The Setup Dynamic Update

KB5065378 “makes improvements to Windows setup binaries or any files that setup uses for feature updates,” according to the official support article. The package replaces an earlier Setup DU (KB5062839) and includes dozens of files—Appraiser.dll, SetupPlatform binaries, MediaSetup resources, and UI helpers—many carrying August 12, 2025 timestamps, aligning them with the August cumulative update cadence. This refresh ensures that when Setup runs, it uses code that is compatible with the latest servicing stack and cumulative updates, eliminating version mismatches that can cause early installation failures.

Unlike conventional updates, KB5065378 is not offered through consumer Windows Update. IT admins must retrieve it from the Microsoft Update Catalog or synchronize it via WSUS. Once obtained, the CAB or MSU file can be injected into an offline WIM using DISM or the provided PowerShell media-refresh scripts. Microsoft emphasizes that no prerequisites are required and no restart is needed when the update is applied to an image, making it a low-disruption addition to deployment workflows.

The KB also carries a stark operational warning: Secure Boot certificate expirations begin in June 2026. The 2011-era certificate authorities will be superseded by 2023-era CAs, and devices not updated with the necessary firmware and Secure Boot trust elements may encounter pre-boot security failures during setup or recovery. While KB5065378 hardens Setup binaries, it does not replace the need for coordinated firmware updates and Secure Boot certificate management.

KB5064097: The Safe OS (WinRE) Dynamic Update

KB5064097 refreshes the Windows Recovery Environment and Safe OS components, targeting the exact files used during reset, cloud reinstall, and setup-time recovery operations. After applying the update, Microsoft expects WinRE to report version 10.0.26100.5059. This package supersedes a previous Safe OS DU (KB5063689) and is available via Windows Update, the Microsoft Update Catalog, and WSUS—though its automatic delivery to endpoints may vary based on configuration.

A patched WinRE reduces the risk of recovery flows failing when the main OS is compromised—a scenario IT teams dread. It also improves compatibility with newer drivers and firmware during pre-boot operations, including interactions with TPM and BitLocker. Because the recovery image runs independently of the main OS, injecting KB5064097 into winre.wim closes pre-boot gaps without altering running installations, making it an efficient security and reliability measure.

Verification is straightforward. Administrators can use the reagentc /info command to locate the WinRE partition, then mount winre.wim and inspect file versions with DISM, or run the Microsoft-provided GetWinReVersion.ps1 script. The support article for KB5064097 includes step-by-step validation guidance.

The August 2025 Servicing Context: Why Now?

The August 2025 Patch Tuesday cycle was notoriously rough for enterprise update management. Widespread WSUS synchronization problems caused error 0x80240069 when KB5063878 failed to install on many endpoints. Microsoft released out-of-band fixes and Known Issue Rollbacks (KIR) to stabilize channels. Against this backdrop, the new Dynamic Updates serve as a preventive hardening measure—they help ensure that future feature updates and media-based deployments do not encounter similar setup-time regressions. For IT teams that depend on WSUS or Configuration Manager, these DUs are a necessary complement to the channel reliability fixes already applied.

Secure Boot Certificate Expiration: A Ticking Clock

KB5065378’s release notes highlight a critical ecosystem change: the impending Secure Boot certificate renewal. Beginning in June 2026, the original 2011-era CAs will expire, and devices without updated firmware and certificate stores may fail pre-boot integrity checks. WinRE and Setup both interact with Secure Boot and TPM during boot and recovery flows, so this is not a distant compliance issue—it is a direct operational dependency. While the Dynamic Updates themselves do not update firmware or certificates, they are part of a broader hardening strategy. Administrators must coordinate with OEMs to deploy firmware updates that include the 2023 CAs before the cutoff, or risk widespread boot failures during imaging or recovery.

Deployment and Verification: A Practical Guide for Admins

For organizations ready to adopt these packages, Microsoft provides detailed guidance. Below is a consolidated, actionable workflow:

  • Download the packages: KB5065378 from the Update Catalog or WSUS; KB5064097 from Windows Update or the Catalog.
  • Inject into images: Use the PowerShell media-refresh script referenced on Microsoft Learn, or manually apply the updates with DISM. Sequence matters—install the Dynamic Updates before the latest cumulative update and language packs.
  • Verify WinRE version: Mount winre.wim and confirm it reports build 10.0.26100.5059. Use the GetWinReVersion.ps1 script for automation.
  • Pilot thoroughly: Test on a representative hardware mix—OEM workstations, Copilot+ PCs, and devices with vendor recovery tools. Run Reset this PC, cloud reinstall, and an in-place upgrade from the refreshed media. Monitor event logs for WinREAgent and Setup errors.
  • Coordinate firmware and Secure Boot: Verify with OEMs that firmware updates containing the 2023 Secure Boot certificates are available and deploy them alongside the refreshed images.
  • Roll out incrementally: Use WSUS or Configuration Manager rings to expand the deployment; for air-gapped media, ensure all injected images are validated before mass distribution.

Useful DISM commands:

# Mount WinRE and check a key binary version
dism /mount-image /ImageFile:"C:\Windows\System32\Recovery\Winre.wim" /Index:1 /MountDir:C:\mnt
Get-Item C:\mnt\Windows\System32\winpeshl.exe | Select-Object -ExpandProperty VersionInfo
dism /unmount-image /MountDir:C:\mnt /Discard

ReagentC info reveals the recovery partition location:

reagentc /info

Strengths and Risks: A Balanced Assessment

These Dynamic Updates are a high-value, low-friction addition to any deployment toolkit. Their strengths include:

  • Surgical scope: They target only the small set of binaries that run during setup and recovery, reducing the blast radius compared to full cumulative updates.
  • Image-first design: Built for offline injection, so frozen or air-gapped media can benefit immediately.
  • Direct response to recent issues: They harden the areas most affected by the August 2025 servicing turbulence.

However, they are not a panacea. Key limitations and risks:

  • No guarantee against all failures: Complex driver/firmware mismatches, hardware faults, and data corruption remain outside their scope. Piloting is still essential.
  • Delivery asymmetry: KB5065378 is catalog/WSUS-only, while KB5064097 may arrive automatically—confusing expectations. Admins must manage each channel intentionally.
  • Removal constraints: KB5064097 cannot be removed from an image once applied, making pre-circulation validation mandatory.
  • Secure Boot dependency: The DU packages do not address firmware or certificate updates; ignoring the 2026 deadline will still break pre-boot flows.
  • WSUS fragility: Recent WSUS delivery issues remind us that enterprise update channels are not immune to glitches; verify sync and test Known Issue Rollback artifacts if using on-prem update distribution.

Conclusion: Essential Preventive Maintenance, Not a Cure-All

KB5065378 and KB5064097 are precisely the kind of targeted, pragmatic fixes that imaging teams and IT admins should embrace. They lower the risk of upgrade failures without forcing disruptive reimage cycles, and their injection-friendly design fits neatly into modern deployment pipelines. But they are one piece of a larger operational mosaic. The looming Secure Boot certificate expiration, the need for current firmware, and reliable update channels all remain critical prerequisites. Administrators who treat these Dynamic Updates as essential preventive maintenance—rather than a silver bullet—will be best positioned to navigate the servicing challenges ahead. Test, verify, and deploy incrementally, and use these packages to harden your images well before the next feature update wave.