Windows Secure Boot certificate expiration
Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance. For details and preparation steps, see Windows Secure Boot certificate expiration and CA updates.
Support for Windows Server 2008 will end in January 2026
Windows Server 2008 Premium Assurance will end on January 13, 2026.
Windows Server 2008 Extended Security Updates (ESU) ended on January 10, 2023. Additionally, Extended Security Updates on Azure only support ended on January 9, 2024. For more information, see Extended Security Updates for Windows Server overview.
We recommend that you upgrade to a later version of Windows Server. For more information, see Overview of Windows Server upgrades.
Summary
Learn more about this security-only update, including improvements, any known issues, and how to get the update.
Windows Server 2008
This update contains security-only improvements. The following is a summary of the key issues that this update addresses. The bold text within the brackets indicates the item or area of the change we are documenting.
-
[App compatibility (known issue)] Fixed: Addresses an issue that caused non-admin users to receive unexpected User Account Control (UAC) prompts when MSI installers perform certain custom actions. These actions might include configuration or repair operations in the foreground or background, during the initial installation of an application.
This issue could prevent non-admin users from running apps that perform MSI repairs, including Office Professional Plus 2010 and multiple applications from Autodesk (including AutoCAD). This fix reduces the scope for requiring UAC prompts for MSI repairs and enables IT admins to disable UAC prompts for specific apps by adding them to an allowlist. For more information, see Unexpected UAC prompts when running MSI repair operations after installing the August 2025 Windows security update.
-
[File Server] New! This update enables auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA. This allows customers to assess their environment and identify any potential device or software incompatibility issues before deploying the hardening measures that are already supported by SMB Server. For detailed guidance, see CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability.
For more information about the resolved security vulnerabilities, please refer to the Deployments | Security Update Guide and the September 2025 Security Updates.
Verify that you have installed the required updates in the How to get this update section before installing this update.
For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, see Description of the standard terminology that is used to describe Microsoft software updates. To view other notes and messages for Windows Server 2008 SP2, see Windows Server 2008 SP2 update history.
Known issues in this update
Symptoms
After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer”, and the update might show as Failed in Update History.
Workaround
This is expected in the following circumstances:
-
If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
-
If you do not have an ESU MAK add-on key installed and activated.
If you have an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, see the Obtaining Extended Security Updates for eligible Windows devices blog post. For information on the prerequisites, see the How to get this update section of this article.
For the most up-to-date information about known issues for Windows Server 2008 SP2, please go to the Windows release health dashboard.
How to get this update
Before installing this update
To install any Windows Server 2008 SP2 Security-only update released on or after January 14, 2025, you must first install the latest Servicing Stack Update (SSU). If your device or offline image does not have the latest SSU installed, you cannot install this update.
Caution: Until you install the SSU, this update will not be offered to your device. To reduce your security risk, install the SSU as soon as possible.
-
If you use Windows Update, the latest SSU (KB5056457) will be offered to you automatically. After the latest SSU is installed, you will be able to install this update.
-
If you use the Update Catalog, you must download and install the latest SSU (KB5056457). After the latest SSU is installed, you will be able to install this update.
-
If you are a Windows Server Update Services (WSUS) administrator, you must approve SSU KB5056457 and this update KB5065511.
For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Language packs
If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Learn about adding a language pack to Windows.
Install this update
To install this update, use one of the following release channels.
|
Available |
Next step |
|
|
This update is not available from Windows Update. See the Update Catalog or Server Update Services release channel. |
|
Available |
Next step |
|
|
To get the standalone package for this update, go to the Microsoft Update Catalog website. To download updates from the Update Catalog, see Steps to download updates from the Windows Update Catalog. |
|
Available |
Next step |
|
|
This update will automatically sync with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows:
|
Reminder If you are using Security-only updates, you will also need to install all previous Security-only updates and the latest cumulative update for Internet Explorer (KB5065435).
File information
A list of the files that are included in this update are provided in a CSV (Comma delimited) (*.csv) file. The file can be opened in a text editor such as Notepad or in Microsoft Excel.
