Windows 11 receives significant update: Microsoft addresses Secure Boot, certificates, BitLocker, TPM, SSDP, and AI in Copilot+ PCs


Windows 11 is once again receiving an update that, while not featuring a headline-grabbing new function, touches upon very sensitive system components. Update KB5089549, officially released yesterday, bumps Windows 11 25H2 and Windows 11 24H2 to builds 26200.8457 and 26100.8457 respectively. This update includes security patches, quality improvements, and changes inherited from the optional preview KB5083631, which are more critical than ever and arriving just in time.

In recent weeks, we’ve observed several developments concerning the boot process of the world’s most used OS, as well as BitLocker, TPM, local security, and AI-linked features in Windows 11.

Windows 11 KB5089549, the May update, brings long-awaited fixes and more

Microsoft is once again addressing multiple areas in a single cumulative update, with Secure Boot being one of the most significant. KB5089549 appears to finally resolve all issues after weeks of uncertainty. In fact, the changes can be categorized into seven key areas, some of which have been discussed in previous articles and are now being implemented as corrections or confirmations.

The first point concerns Secure Boot certificates, which have been a source of concern for months. Microsoft warns that the certificates used by most Windows devices begin to expire in June 2026. If not updated in time, some personal and business computers might experience secure boot failures. With these new certificates, Microsoft is paving the way for a gradual transition.

The second change is designed to facilitate this transition. Update KB5089549 adds more targeting data to expand the number of devices that will be able to automatically receive new Secure Boot certificates. Microsoft will not implement this all at once but through a controlled, phased rollout, only when a device shows sufficient signs of successful updates.

BitLocker back in focus, boot manager improved, SSDP advances, and AI integrated

The third point introduces the new folder C:\Windows\SecureBoot. On compatible machines, the update creates this path and includes sample scripts for IT administrators. The goal is to enable businesses to detect the update status of Secure Boot certificates and automate their deployment in Active Directory environments. A small but beneficial change for everyone.
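As an added illustration of the kind of status check described above (this is not one of the sample scripts Microsoft ships in C:\Windows\SecureBoot, and not code from the article), the following PowerShell reports which Microsoft Secure Boot certificates are present in the firmware KEK and db variables. The certificate names are the publicly documented Microsoft CA subject names and are an assumption of this example, as is the helper name `Test-SecureBootVariable`; run it from an elevated session.

```powershell
# Added example: report which Microsoft Secure Boot CAs are in the firmware
# KEK and db variables. Requires an elevated PowerShell session on a UEFI PC.
# The certificate names are the publicly documented Microsoft CA subjects;
# they are an assumption of this example, not values from the article.

function Test-SecureBootVariable {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Variable,   # 'KEK' or 'db'
        [Parameter(Mandatory)] [string[]] $Names
    )
    # Get-SecureBootUEFI returns the raw EFI signature list. Certificate
    # subject names appear as plain ASCII inside the DER-encoded entries.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($n in $Names) {
        [pscustomobject]@{
            Variable    = $Variable
            Certificate = $n
            Present     = $text.Contains($n)
        }
    }
}

try {
    # Throws on legacy BIOS systems; returns $false if Secure Boot is off.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Secure Boot state unavailable (legacy BIOS or not elevated): $_"
    return
}
"Secure Boot enabled: $enabled"

$results = @(
    Test-SecureBootVariable -Variable 'KEK' -Names @(
        'Microsoft Corporation KEK CA 2011',
        'Microsoft Corporation KEK 2K CA 2023')
    Test-SecureBootVariable -Variable 'db' -Names @(
        'Microsoft Windows Production PCA 2011',
        'Microsoft Corporation UEFI CA 2011',
        'Windows UEFI CA 2023',
        'Microsoft UEFI CA 2023')
)
$results | Format-Table -AutoSize

# Flag devices that have not yet received the replacement certificates.
$missing = @($results | Where-Object { $_.Certificate -like '*2023' -and -not $_.Present })
if ($missing) { Write-Warning "2023 certificates not yet in firmware: $($missing.Certificate -join ', ')" }
```

A device that lists only the 2011 entries has not yet been through the certificate rollout and is a candidate for follow-up before the expiry date mentioned above.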

The fourth area addresses BitLocker, which has been frequently in the news, and not always for positive reasons. Microsoft is correcting a bug where some devices could enter BitLocker recovery after boot file updates. This affected systems with certain TPM validations, including invalid PCR7 configurations, and could appear after installing the April 2026 security update, KB5083769.

The fifth point focuses on the boot manager itself. The update enhances the security of the boot process after modifying boot files, aiming to ensure the computer starts normally without prompting for BitLocker recovery – an issue that caused significant frustration for many. For anyone who has encountered that recovery key prompt, this fix is easy to understand.

Improving Windows Update, a task everyone watches

The sixth change affects SSDP, the Simple Service Discovery Protocol. Microsoft is improving the reliability of its notifications to prevent the service from becoming unresponsive. While less visible, this is related to network device discovery, common in UPnP scenarios.

The seventh and final point relates to AI components. KB5089549 updates image search, content extraction, semantic analysis, and the configuration model to version 1.2604.515.0. However, Microsoft is limiting this to Windows Copilot+ PCs, not all Windows 11 PCs.

The update also includes the Servicing Stack Update KB5092762, version 26100.8456, which enhances the component responsible for installing Windows updates themselves. Additionally, Microsoft indicates that there are currently no known issues with this KB, which is a bold statement, but KB5089549 has only been online for a few hours. Let’s give it time to see if Microsoft, finally, returns to a path of stability.