The reason why it's big is because KB5089549 (build 26200.8457) is not a "normal" cumulative update—it bundles multiple months of feature rollouts, security fixes, subsystem upgrades, and Secure Boot infrastructure changes into one package.
Even if your device already had earlier previews installed, this update still contains major OS‑level components.
It includes all changes from multiple previous updates. It rolls up everything from April 14, 2026 — KB5083769 and April 30, 2026 — KB5083631 (Preview).
Secure Boot certificate infrastructure is being upgraded. This is the biggest reason for the size increase. Microsoft is preparing for the June 2026 Secure Boot certificate expiration, so the update includes new Secure Boot targeting data, a new C:\Windows\SecureBoot folder, and scripts for enterprise certificate rollout. These components are large because they include new certificate payloads, device‑targeting metadata, and boot‑path servicing logic. This is not typical for a cumulative update.
It also includes Boot Manager servicing updates. The update includes deep‑level bootloader changes to prevent BitLocker recovery loops after boot file updates. Boot‑path updates always increase package size because they require new boot binaries, updated signatures, and redundant fallback copies for safe rollback.
New features are added to 25H2. This update is not just a patch—it contains new 25H2 features, including Xbox Mode for PCs, new archive format support (uu, cpio, xar, nupkg) in File Explorer, haptic feedback support for pens/mice, redesigned voice input UI, taskbar agent tracking mechanism, FAT32 formatting limit increased to 2 TB, and driver security policy updates. Feature additions significantly increase update size because they include new binaries, updated UI assets, and new system libraries.
There's a large number of security fixes. May 2026 fixed 120 security issues, including kernel, RDP, Kerberos, and Windows Security components. Security fixes often require updated DLLs, updated system drivers, and updated policy files. All of these add weight.
Because 25H2 and 24H2 share the same base OS, both versions share the same system files so the cumulative update must include all deltas for both branches, and all shared components. This makes the package larger than a single‑branch update.
Microsoft is preparing for the 2026 Secure Boot transition. This is the first wave of updates that atage new Secure Boot certificates, add detection scripts, axpand device targeting, and update boot manager logic. These are deep system changes—closer to a mini‑feature update than a normal Patch Tuesday.
