Microsoft Releases KB5089549 for Windows 11 25H2 and 24H2 With Security Fixes and BitLocker Recovery Fix
Microsoft has released KB5089549 for Windows 11 version 25H2 and version 24H2. The cumulative update brings Windows 11 25H2 to OS Build 26200.8457 and Windows 11 24H2 to OS Build 26100.8457.
The update includes the latest May 2026 security fixes, quality improvements from earlier April releases, and a fix for a BitLocker recovery issue that affected some devices after the April 2026 security update.
KB5089549 also expands Microsoft’s Secure Boot certificate rollout work, improves SSDP reliability, updates Copilot+ PC AI components, and ships with servicing stack update KB5092762.
What KB5089549 includes
KB5089549 is the May 2026 Patch Tuesday cumulative update for Windows 11 25H2 and 24H2. It includes security fixes documented in Microsoft’s May 2026 Security Updates guide, along with improvements previously included in KB5083769 and KB5083631.
For users who skipped April’s optional preview update, this release brings those quality improvements into the standard monthly security package. This is normal for Windows cumulative updates, which bundle earlier fixes into the latest monthly release.
Microsoft says devices that already installed previous updates will download and install only the new fixes included in this package.
| Update detail | Information |
|---|---|
| Update name | KB5089549 |
| Release date | May 12, 2026 |
| Applies to | Windows 11 version 25H2 and Windows 11 version 24H2 |
| Windows 11 25H2 build | 26200.8457 |
| Windows 11 24H2 build | 26100.8457 |
| Servicing stack update | KB5092762, version 26100.8456 |
| Known issues | Microsoft is not currently aware of any issues |
BitLocker recovery issue gets fixed
The most important reliability fix in KB5089549 addresses a BitLocker recovery problem introduced after the April 2026 security update KB5083769.
Some devices entered BitLocker Recovery after boot file updates on systems with certain Trusted Platform Module validation settings. Microsoft specifically mentions invalid PCR7 configurations as part of the affected setup.
KB5089549 improves startup reliability after boot file updates, so affected devices should start normally instead of unexpectedly showing the BitLocker recovery screen.
Why the BitLocker fix matters
BitLocker recovery prompts can create serious disruption for users and IT teams. When a device enters recovery unexpectedly, the user needs the BitLocker recovery key before they can return to Windows.
The issue did not affect every Windows 11 system. It applied to a subset of devices with BitLocker enabled and certain TPM validation settings.
Still, the fix matters for business environments because boot changes and recovery prompts can interrupt normal work, generate help desk tickets, and slow patch adoption.
- The issue could appear after installing KB5083769.
- It involved certain TPM validation settings.
- Microsoft specifically mentions invalid PCR7 configurations.
- KB5089549 improves startup reliability after boot file updates.
- Users should still keep their BitLocker recovery key accessible.
Secure Boot certificate rollout expands
KB5089549 also includes changes tied to Secure Boot certificate updates. Microsoft says Windows quality updates now include additional high-confidence device targeting data, which increases the number of eligible devices that can automatically receive new Secure Boot certificates.
This rollout remains controlled. Devices receive the new certificates only after showing enough successful update signals. That approach reduces the chance of pushing Secure Boot changes to systems that may not be ready.
Microsoft also added a new SecureBoot folder under C:\Windows on eligible devices. The folder includes example scripts for organizations that actively manage Secure Boot certificate updates across device fleets.
| Secure Boot change | What it means |
|---|---|
| Expanded device targeting | More eligible devices can receive new Secure Boot certificates automatically. |
| Phased rollout | Microsoft uses successful update signals before deploying certificates. |
| New SecureBoot folder | Eligible devices get sample scripts under C:\Windows\SecureBoot. |
| Enterprise use | IT teams can use the sample scripts to detect status and automate rollout. |
Microsoft warns about Secure Boot certificate expiration
Microsoft continues to warn that Secure Boot certificates used by most Windows devices begin expiring in June 2026. The company says some personal and business devices may face secure boot problems if the certificates are not updated in time.
This explains why Secure Boot certificate targeting has become a recurring Windows update theme. Microsoft needs to move devices to updated certificates carefully, because boot-level changes can affect startup and recovery behavior.
For home users, the main recommendation is simple: keep Windows Update enabled. For IT teams, Microsoft recommends reviewing the Secure Boot certificate guidance and preparing devices before the expiration period begins.
Connectivity and daylight saving changes
KB5089549 also improves the reliability of Simple Service Discovery Protocol notifications. Microsoft says the change helps prevent the SSDP service from becoming unresponsive.
SSDP helps devices discover services on local networks. Reliability problems can affect device visibility, media devices, printers, smart devices, and other local network discovery scenarios.
The update also includes daylight saving time support for the 2023 DST change in the Arab Republic of Egypt.
AI components update on Copilot+ PCs
KB5089549 updates several AI components to version 1.2604.515.0. These include Image Search, Content Extraction, Semantic Analysis, and the Settings Model.
Microsoft notes that these AI component updates apply only to Windows Copilot+ PCs. They are included in the cumulative update package, but they will not install on regular Windows PCs or Windows Server.
This distinction matters because not every Windows 11 device will receive or use the AI component changes even though the update package contains them.
| AI component | Updated version | Availability |
|---|---|---|
| Image Search | 1.2604.515.0 | Windows Copilot+ PCs only |
| Content Extraction | 1.2604.515.0 | Windows Copilot+ PCs only |
| Semantic Analysis | 1.2604.515.0 | Windows Copilot+ PCs only |
| Settings Model | 1.2604.515.0 | Windows Copilot+ PCs only |
Servicing stack update KB5092762 is included
Microsoft includes servicing stack update KB5092762 with KB5089549. The servicing stack update moves the servicing stack to version 26100.8456.
The servicing stack is the part of Windows that installs operating system updates. A reliable servicing stack helps future Windows updates download, stage, and install correctly.
Microsoft combines the latest servicing stack update with the latest cumulative update, so users receive both through the same update package.
How users can install KB5089549
Most users will receive KB5089549 automatically through Windows Update. Business devices will receive it through Windows Update for Business based on the organization’s configured policies.
Administrators can also download the update from the Microsoft Update Catalog for x64 or Arm64 devices. Microsoft notes that catalog packages may contain multiple MSU files that require installation in the correct order.
For managed environments, the update also syncs with Windows Server Update Services when the product is set to Windows 11 and the classification is set to Security Updates.
- Open Settings.
- Select Windows Update.
- Choose Check for updates.
- Allow KB5089549 to download and install.
- Restart the device when Windows asks for it.
- Confirm the build number after restart if needed.
What administrators should know before removal
Microsoft recommends caution before removing security updates. If removal becomes necessary, administrators cannot use Windows Update Standalone Installer with the uninstall switch on the combined package.
The reason is that KB5089549 combines the LCU and SSU. The SSU cannot be removed after installation.
Administrators who need to remove the LCU must use the DISM Remove-Package command and target the LCU package name. Microsoft says the package name can be found by running DISM with the get-packages option.
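The removal path described above, as an added PowerShell example (not Microsoft's own script). It assumes the LCU's package identity starts with `Package_for_RollupFix` and carries the build revision 8457 from this article; the `$Remove` switch is a hypothetical safety gate added for the example.

```powershell
# Added example: find the LCU that KB5089549 installed and remove it with DISM.
# Run in an elevated PowerShell session. wusa.exe /uninstall does not work on
# the combined SSU+LCU package, and the SSU itself cannot be removed.

$Remove      = $false    # hypothetical gate: set to $true to actually remove
$expectedRev = '8457'    # build revision of KB5089549 as given in the article

# Object form of "DISM /Online /Get-Packages".
# Assumption: LCU package names begin with "Package_for_RollupFix".
$rollups = Get-WindowsPackage -Online |
    Where-Object {
        $_.PackageName -like 'Package_for_RollupFix*' -and
        $_.PackageState -eq 'Installed'
    } |
    Sort-Object InstallTime -Descending

if (-not $rollups) {
    Write-Warning 'No installed rollup (LCU) package found.'
    return
}

# Show every candidate so the operator can see what is installed.
$rollups | Format-Table PackageName, PackageState, InstallTime -AutoSize

# Only act when the newest rollup carries the expected build revision,
# so an older or newer LCU is never removed by mistake.
$target = $rollups | Select-Object -First 1
if ($target.PackageName -notmatch "\.$expectedRev\.") {
    Write-Warning "Newest LCU is $($target.PackageName); not revision $expectedRev. Nothing removed."
    return
}

if ($Remove) {
    # Same operation as DISM Remove-Package with the LCU package name.
    dism.exe /Online /Remove-Package "/PackageName:$($target.PackageName)" /NoRestart
    Write-Host "DISM exit code: $LASTEXITCODE. Restart the device to complete removal."
} else {
    Write-Host "Dry run. Would remove: $($target.PackageName)"
}
```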
Should you install KB5089549?
Most users should install KB5089549 through Windows Update. The release includes May 2026 security fixes, a BitLocker recovery fix, Secure Boot certificate rollout improvements, and servicing stack improvements.
For business environments, IT teams should test the update against normal deployment rings, especially on systems using BitLocker, Secure Boot management, or custom update workflows.
Microsoft lists no known issues for the update at release. However, organizations should still monitor help desk reports after deployment because boot, encryption, and certificate changes can affect devices differently depending on configuration.
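For ring testing and post-deployment monitoring, a per-device report can confirm the build and record the BitLocker and Secure Boot state the article calls out. This is an added PowerShell example, not a Microsoft script; it assumes English `manage-bde` output, and the report's property names are chosen for the example.

```powershell
# Added example: per-device check for KB5089549 deployment rings.
# Run in an elevated PowerShell session.

# Builds the article gives for KB5089549 (25H2 and 24H2).
$expectedBuilds = @('26200.8457', '26100.8457')

# OS build = CurrentBuild plus UBR (update build revision) from the registry.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

# BitLocker state and key protector types on the OS volume.
$vol        = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

# PCR validation profile of the TPM protector.
# Assumption: English manage-bde output, where the PCR list is printed on the
# line after the "PCR Validation Profile" label.
$pcrProfile = $null
$hit = manage-bde -protectors -get $env:SystemDrive |
    Select-String -Pattern 'PCR Validation Profile' -Context 0, 1 |
    Select-Object -First 1
if ($hit) { $pcrProfile = $hit.Context.PostContext[0].Trim() }

# Confirm-SecureBootUEFI throws on legacy BIOS systems; report that as n/a.
try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = 'n/a (not UEFI or not supported)' }

# One object per device, suitable for Export-Csv or a management tool.
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    OSBuild             = $build
    BuildMatchesUpdate  = $expectedBuilds -contains $build
    ProtectionStatus    = "$($vol.ProtectionStatus)"
    KeyProtectors       = $protectors -join ', '
    # A recovery password must exist and be escrowed before boot files change.
    HasRecoveryPassword = $protectors -contains 'RecoveryPassword'
    PcrProfile          = $pcrProfile
    # False here means a non-default TPM validation profile (no PCR 7 binding).
    BoundToPcr7         = [bool]($pcrProfile -match '\b7\b')
    SecureBoot          = $secureBoot
}
```

Devices that report `HasRecoveryPassword = False` or a PCR profile without 7 are the ones to place in an early ring and watch for recovery prompts.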
FAQ
KB5089549 is the May 12, 2026 cumulative update for Windows 11 version 25H2 and version 24H2. It includes security fixes, quality improvements, Secure Boot certificate changes, a BitLocker recovery fix, and servicing stack update KB5092762.
KB5089549 updates Windows 11 version 25H2 to OS Build 26200.8457 and Windows 11 version 24H2 to OS Build 26100.8457.
Yes. Microsoft says KB5089549 fixes an issue where some devices could enter BitLocker Recovery after boot file updates on systems with certain TPM validation settings, including invalid PCR7 configurations.
Microsoft says it is not currently aware of any issues with KB5089549 at release.
No. Microsoft says the AI component updates included with KB5089549 apply only to Windows Copilot+ PCs and will not install on regular Windows PCs or Windows Server.