Note
- Windows Secure Boot certificate expiration
- Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for the past months. Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. We will continue to install the newer certificates via Windows updates in the coming months.
- You can check your PC status on the Windows Security app. If you are an IT administrator, follow the guidance on the Secure Boot Playbook for Windows clients and Windows Server.
To learn about Windows update terminology, see the pages on types of Windows updates and monthly quality update types. For an overview, see the update history page for Windows Server 2025.
Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.
Change log
| Change date | Change description |
|---|---|
| June 3, 2026 | Corrected the x64 .msu update string on the Catalog tab for KB5064489 (this update) |
Improvements
This Out-of-band (OOB) update includes quality improvements. This update is cumulative and includes security fixes and improvements from the July 8, 2025, security update (KB5062553), in addition to the following:
- [Fix for Azure Virtual Machines with Trusted Launch disabled] This update addresses an issue that prevented some virtual machines (VMs) from starting when Virtualization-Based Security (VBS) was enabled. It affected VMs using version 8.0 (a non-default version) where VBS was offered by the host. In Azure, this applies to standard (non–Trusted Launch) General Enterprise (GE) VMs running on older VM SKUs. The problem was caused by a secure kernel initialization issue.
Windows 11 servicing stack update (KB5063666)- 26100.4651
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Active Directory Replication
Symptoms
Active Directory domain controllers (DC) running on Windows Server 2025 and also running the schema master Flexible Single Master Operation (FSMO) role, will allow duplicate entries in attributes of schema objects. Commonly affected attributes include auxiliaryClass, possSuperiors, mayContain with values such as msExchBaseClass, msExchContainer, and msExchVirtualDirectoryFlags.
When this occurs, Active Directory replication fails with a schema mismatch error, such as error 8418: The replication operation failed because of a schema mismatch between the servers involved."
This issue can be observed when running Exchange Server setup forestprep and the schema master role for Active Directory is running Windows Server 2025. This breaks replication in the entire Active Directory enterprise environment because the schema across domain controllers is now inconsistent.
Note
This issue appears to have existed since the initial release of Windows Server 2025, but recent Exchange Server cumulative updates (for Exchange Server SE) have exposed it.
Workaround
This issue is addressed KB5068861.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
| Available | Next Step |
|---|---|
|
See other options. |
Note
- If you want to remove the LCU
- To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
- Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5064489.
For a list of the files provided in the servicing stack update, download the file information for the SSU KB5063666 - version 26100.4651.