August 12, 2025—KB5063878 (OS Build 26100.4946)
Applies To
Release Date:
8/12/2025
Version:
OS Build 26100.4946
Windows Secure Boot certificate expirationImportant: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance. For details and preparation steps, see Windows Secure Boot certificate expiration and CA updates.
​​​​​​​
To learn more about Windows update terminology, see types of Windows updates and monthly quality update types. For an overview, see the update history page for Windows 11, version 24H2.Â
Stay informed! Follow @WindowsUpdate for the latest updates from the Windows release health dashboard. Â
|
Windows Updates do not include updates for Microsoft Store apps. If you're an enterprise user, see Microsoft Store apps - Configuration Manager. If you're an consumer user, see Get updates for apps and games in Microsoft Store. |
Highlights
-
This update addresses security issues for your Windows operating system.Â
 Improvements
This security update contains fixes and quality improvements from KB5062660 (released July 22, 2025). The following summary outlines key issues addressed by the KB update after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
-
[Authentication] Fixed:Â This update addresses an issue that caused delays during sign-in on new devices. The delay was due to certain preinstalled packages.
​​​​​​​If you installed earlier updates, your device downloads and installs only the new updates contained in this package.
For more information about security vulnerabilities, please refer to the Security Update Guide website and the August 2025 Security Updates.
AI Components
This release updates the following AI components:
|
AI Component |
Version |
|
Image Search |
1.2507.797.0 |
|
Content Extraction |
1.2507.797.0 |
|
Semantic Analysis |
1.2507.797.0 |
|
Settings Model |
1.2507.797.0 |
Windows 11Â servicing stack update (KB5065381)- 26100.4933
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Symptoms
After installing the July 2025 Windows non-security preview update (KB5062600) or a later update, including the August 2025 Windows security update, you might see the following error in Event Viewer related to CertificateServicesClient (CertEnroll):
The "Microsoft Pluton Cryptographic Provider" provider was not loaded because initialization failed.
This event appears with Error ID 57 and is logged every time the device restarts. It does not indicate a problem with any active Windows component. The event is related to a feature that is currently in development.
There is no impact to Windows functionality, and no action is required.
Workaround
This issue is addressed in KB5064081.
Symptoms
The August 2025 security update (KB5063878) might fail to install with error code 0x80240069 when deployed through Windows Server Update Services (WSUS). WSUS enables servers with the WSUS role to defer, selectively approve, and schedule updates for specific devices or groups across an organization.
This issue is unlikely to affect home users, as WSUS is intended for use in business and enterprise environments.
Workaround
The issue affecting the Windows Update service for devices managed through Windows Server Update Services (WSUS) has been resolved. If you experienced this problem, refresh, and re-sync with WSUS to install this update.
A Group Policy had previously been released using Known Issue Rollback (KIR) to work around this issue. If you installed the special Group Policy, you could find it in Group Policy Management Editor under:Â Computer Configuration > Administrative Templates > Windows 11 24H2 and Windows Server 2025Â KB5063878 250814_00551 Known Issue Rollback
Organizations no longer need to install and configure this Group Policy to address this issue.
Symptoms
After installing the August 2025 Windows security update (KB5063878), you might experience delays or uneven audio and video performance when using Network Device Interface (NDI) to stream or transfer feeds between PCs.
This issue affects streaming apps such as OBS Studio (Open Broadcaster Software) and NDI Tools, especially when Display Capture is enabled on the source PC. The problem can even occur under low-bandwidth conditions.
Workaround
To work around the issue, NDI recommends manually changing the NDI Receive Mode to use TCP or UDP instead of RUDP. For steps to do this, see the NDI support site: Traffic Drops After Windows Update.
The issue is under investigation, and additional information will be shared as soon as it becomes available.
Symptoms
A security improvement was included in the August 2025 Windows security update and later updates to enforce the requirement that User Account Control (UAC) prompt for administrator credentials when performing Windows Installer (MSI) repair and related operations. This improvement addressed security vulnerability CVE-2025-50173.
After installing the update, standard users might see a User Account Control (UAC) prompt in several scenarios.Â
-
Running MSI repair commands (such as msiexec /fu).
-
Opening Autodesk apps, including some versions of AutoCAD, Civil 3D and Inventor CAM, or when installing an MSI file after a user signs into the app for the first time.
-
Installing apps that configure per user.
-
Running Windows Installer during Active Setup.
-
Deploying packages through Manager Configuration Manager (ConfigMgr) that rely on user-specific "advertising" configurations.
-
Enabling Secure Desktop.
If a standard user runs an app that initiates an MSI repair operation without displaying UI, it will fail with an error message. For example, installing and running Office Professional Plus 2010 as a standard user will fail with Error 1730 during the configuration process.
Workaround
The following workarounds are available:
-
​​​​​​​Run the app as an administrator (right-click the app from Start or Search, then select Run as administrator).
-
If standard users can’t run apps as administrators, IT admins can apply a special Group Policy using Known Issue Rollback (KIR) to fix the issue on Windows Server 2025, Windows Server 2022, Windows 11 (versions 22H2, 23H2, 24H2), and Windows 10 (versions 21H2, 22H2). To apply this fix, contact Microsoft Support for business. Avoid using other workarounds like disabling related features.
We are working to address this issue by allowing IT admins to permit specific apps to perform MSI repair operations without UAC prompts. This improvement will be released in a future Windows update, and details will be provided as they become available.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.Â
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
|
Available |
Next Step |
 |
This update downloads and installs automatically from Windows Update and Microsoft Update. |
|
Available |
Next Step |
|
|
This update downloads and installs automatically from Windows Update for Business in accordance with configured policies. |
|
Available |
Next Step |
||||
|
Yes 1 |
Before you install this update To get the standalone package(s) for this update, go to the Microsoft Update Catalog website. This KB contains one or more MSU files that require installation in a specific order. Install this update Method 1: Install all MSU files together Download all MSU files for KB5063878 from Microsoft Update Catalog and place them in the same folder (for example, C:/Packages). Use Deployment Image Servicing and Management (DISM.exe) to install the target update. DISM will use the folder specified in PackagePath to discover and install one or more prerequisite MSU files as needed. Updating Windows PC To apply this update to a running Windows PC, run the following command from an elevated Command Prompt:
Or, run the following command from an elevated Windows PowerShell prompt:
Or use Windows Update Standalone Installer to install the target update. Updating Windows Installation media To apply this update to Windows Installation media, see Update Windows installation media with Dynamic Update. Note: When downloading other Dynamic Update packages, ensure they match the same month as this KB. If the SafeOS Dynamic Update or Setup Dynamic Update is not available for the same month as this KB, use the most recently published version of each. To add this update to a mounted image, run the following command from an elevated Command Prompt:
Or, run the following command from an elevated Windows PowerShell prompt:
Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or Windows Update Standalone Installer in the following order:
|
1 This latest cumulative update includes updates for AI components. Even though the AI component updates are included in the update, the AI components are only applicable to Windows Copilot+ PCs and will not install on Windows PC or Windows Server.
|
Available |
Next Step |
|
|
This update automatically syncs with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows: Product: Windows 11 Classification: Security Updates |
If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5063878.Â
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5065381) - version 26100.4933. Â
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
