Microsoft pushed out a preview update for Windows 11 on July 22, 2025, delivering OS Builds 22621.5699 and 22631.5699 under KB5062663. The release arrives as the clock ticks toward the expiration of Secure Boot certificates used by most Windows devices, currently set to expire beginning in June 2026. While the update bundles a string of fixes for stability, networking, and printing, its standout feature is a new anti-rollback mechanism for Secure Boot that arms administrators against firmware downgrade attacks—a move that directly supports the ongoing Secure Boot certificate refresh.
Microsoft has been seeding newer certificates to consumer and non-managed business machines for months, and this update reinforces that effort. By hardening Secure Boot with Virtualization-Based Security (VBS) anti-rollback protections, KB5062663 prevents an attacker or a flawed update from reverting a device to an older, vulnerable firmware version. For IT administrators, this means one more tool in the defense arsenal as the industry braces for the first wave of certificate expirations next year.
Locking Down Secure Boot with Anti-Rollback and VBS
The most significant security change in KB5062663 is the introduction of SKUSiPolicy, a VBS-backed anti-rollback feature that protects Secure Boot settings. Anti-rollback technology ensures that once a device moves to a newer, more secure firmware or boot policy, it cannot be rolled back to an earlier version that may contain known exploits. This is critical for defending against rootkits and bootkits that try to persist by downgrading system defenses.
Administrators can now configure these protections through the Secure Boot AvailableUpdates registry key. The update ships with OS Builds 22621.5699 and 22631.5699, meaning it applies to both the original Windows 11 22H2 (22621) and the feature-packed 22H2/23H2 (22631) branches. The registry key expands group policy management and fine-tunes how devices handle Secure Boot updates, giving enterprises granular control without relying on opaque automatic processes.
The timing is no coincidence. Microsoft’s own support documentation warns that “Secure Boot certificates used by most Windows devices are set to expire starting in June 2026,” and the company has been pushing certificate updates through monthly patches for months. KB5062663’s anti-rollback block stops anyone from intentionally or accidentally rolling back to firmware that doesn’t include the new certificates. Devices that haven’t yet received the newer certificates will still boot and operate normally, but Microsoft urges users to check the Windows Security app for their PC’s status. For IT shops, the Secure Boot Playbook for Windows clients and Windows Server provides deeper guidance.
Resilient File System Fix Prevents Backup Failures
KB5062663 also squashes a bug in the Resilient File System (ReFS) that could crash backup applications when handling large files. The issue caused system memory exhaustion, leading backup jobs to fail abruptly—a nightmare for data integrity and disaster recovery planning. With the fix, administrators who rely on ReFS for its self-healing and integrity-checking strengths can run backups without watching memory counters spike into the red. This change directly benefits enterprise environments where ReFS is paired with Storage Spaces or large-scale file servers, ensuring business continuity remains intact.
PDF Search Errors in Shared Folders Eliminated
Another long-standing irritation gets patched: users who search for PDF files in shared folders will no longer get hit with cryptic “No More Files” or “STATUS_NO_MORE_FILES” errors. These failures have been a thorn in virtual PDF printing and automated backup workflows, often requiring manual intervention or workarounds. With KB5062663, the search function returns accurate results, and PDF handling in networked environments becomes predictable. For teams that dump invoices, contracts, or scanned documents into shared drives, the fix removes a random source of friction that could quietly undermine productivity.
Faster Peripheral Wake After Hibernation
Mobile workers and anyone who relies on cellular-connected laptops will notice a tangible improvement: peripheral devices now become operational faster after a system resumes from hibernation. The update reduces the time delay that occurs when Windows 11 re-establishes cellular connectivity, a process that previously kept USB devices, docks, and accessories in limbo for several extra seconds. In real-world use, that means plugging in a headset or external drive immediately after opening the lid feels snappier—no more waiting for the system to fully wake before peripherals respond. This fix aligns with Microsoft’s push to make Windows 11 more responsive in hybrid work scenarios, where every saved second counts.
Printer Setup Gets Clearer Names via IPP Directed Discovery
Printer discovery and configuration receive a user-experience polish. When setting up printers using Internet Printing Protocol (IPP) Directed Discovery, the update now presents clearer, more distinguishable printer names. Previously, generic or truncated names caused confusion—especially in offices with multiple identical models—forcing workers to guess which printer they were connecting to. The improved naming reduces setup errors and cuts down on helpdesk tickets for “printer not found” or “wrong printer” complaints.
May 2025 Security Update Unresponsiveness Resolved
The update fixes a critical stability problem: some devices became completely unresponsive after installing the May 2025 security update. The root cause isn’t detailed, but the result was a frozen system that couldn’t be recovered without a hard reboot. For businesses that enforce rapid patching, this problem could cascade into significant downtime. KB5062663 ensures that future security updates—and presumably the same patch that caused the hang—won’t leave machines dead in the water. Given that the May release was a cumulative security update, this fix restores confidence that routine patching doesn’t carry hidden landmines.
Deployment Notes and What to Expect
KB5062663 is a preview update, meaning it’s optional and won’t install automatically through Windows Update unless a user explicitly checks for it. IT administrators can also grab it from the Microsoft Update Catalog for offline deployment. Because it’s a preview, Microsoft categorizes it as a testing release; the same fixes will roll into next month’s mandatory “Patch Tuesday” cumulative update. As always, backing up critical data before installation is advisable, and monitoring system performance post-deployment helps catch any edge-case regressions.
The Road Ahead: Secure Boot Certificate Expiration
The Secure Boot certificate expiration looms as a major inflection point. Starting June 2026, older certificates will no longer be valid, and while Microsoft says standard updates will keep installing newer certs, the deadline puts pressure on IT teams to verify that every managed device is up to date. KB5062663’s anti-rollback additions directly support this transition. The Secure Boot AvailableUpdates registry key gives admins a programmatic way to enforce the new certificates and block downgrade attempts. Combined with the existing Secure Boot playbook guidance, organizations can systematically audit their fleets now rather than scrambling next year.
For the broader Windows 11 user base, KB5062663 is a tidy housekeeping release that mends cracks in core subsystems—ReFS, networking, printing, and PDF handling—while stealthily building a stronger security posture. The May stability fix alone will be reason enough for many to install it early. As Microsoft continues to evolve Windows 11’s security baseline, updates like this one show that even incremental releases can carry substantial weight when they protect the firmware foundation that the entire OS rests on.