Microsoft Releases Windows 11 Cumulative Update 25H

Microsoft released a significant cumulative update for Windows 11 on May 12, 2026, targeting both version 25H2 and version 24H2. This update, identified as KB5089549, advances the OS Builds to 26200.8457 for 25H2 and

It bundles the latest security fixes alongside quality improvements carried over from April’s optional preview release, making it one of the more complete monthly patches in recent memory.

This update lands at a time when Windows security has been under sharp focus, particularly around how systems handle boot processes and certificate validation. A growing number of threat actors have explored weaknesses in Secure Boot configurations, making timely patching more important than ever.

The update directly responds to those concerns by addressing known vulnerabilities and hardening areas that attackers have historically targeted.

Microsoft engineers noted specific improvements designed to close gaps that surfaced after the April 2026 security update (KB5083769). One of the more notable fixes addresses a situation where devices running certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 configurations, were being forced into BitLocker Recovery after boot file updates.

Analysts at Microsoft confirmed this as a real-world issue affecting a subset of devices and moved quickly to correct it. Beyond the boot-related fix, the update also strengthens how Windows handles network discovery through the Simple Service Discovery Protocol (SSDP).

A reliability improvement prevents the SSDP service from becoming unresponsive, which could otherwise disrupt device visibility across local networks. Network communication breakdowns can open indirect doors for attackers looking to exploit unstable or poorly managed services.

The update also carries forward changes from the April 14 and April 30 preview builds, meaning users who skipped those optional releases will receive all those improvements now. Microsoft’s approach of combining the Latest Cumulative Update (LCU) and the Servicing Stack Update (SSU) into a single package makes the update process more seamless and reliable than previous cycles.

Cumulative Update for Windows 11

The headline security improvement in this update is a refinement to how Secure Boot certificates are distributed. Windows quality updates now include higher-confidence device targeting data, meaning more devices qualify to receive updated Secure Boot certificates automatically.

The rollout is controlled and phased, so certificates reach systems only after devices have shown consistent and successful update signals, which reduces the risk of pushing certificates to systems that may not be ready.

The Boot Manager servicing update is another key change worth noting. Before this fix, certain devices would drop into BitLocker Recovery unexpectedly after boot file changes, particularly on systems where TPM validation settings did not align with expected configurations.

This behavior was first reported following the April 2026 update, and KB5089549 specifically resolves it, allowing affected systems to start normally without triggering the recovery screen.

AI Component Updates and Servicing Stack

Alongside the security improvements, this release also refreshes several built-in AI components within Windows. Image Search, Content Extraction, Semantic Analysis, and the Settings Model have all been updated to version 1.2604.515.0 as part of this package.

These components power various intelligent features within the OS, and keeping them current ensures they operate with the latest accuracy improvements. The servicing stack update (KB5092762), which ships as part of this combined package, moves the servicing stack to build 26100.8456.

The servicing stack is the underlying mechanism that manages how Windows receives and installs updates, and keeping it current is critical to ensuring future patches arrive and apply correctly. Microsoft confirmed there are no known issues with this particular update at the time of release.

Users are strongly advised to allow the update to install through Windows Update as soon as it becomes available. Attempting to remove the combined SSU and LCU package using the Windows Update Standalone Installer will not work because of how the two components are bundled together. If removal is ever necessary, the correct method is to use the DISM Remove-Package command and target only the LCU portion by name.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.