Applies ToWindows 11 Enterprise and Education, version 22H2 Windows 11 version 23H2, all editions

Release Date:

4/8/2025

Version:

OS Builds 22621.5189 and 22631.5189

For information about Windows update terminology, see types of Windows updates and the monthly quality update types. To find an overview of Windows 11, version 23H2, see its update history page.  

This month's video is ready for you on Windows 11, version 24H2. Be sure to follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard. 

Important: Windows updates don't install Microsoft Store application updates. If you are an enterprise user, see Microsoft Store apps - Configuration Manager. If you are a consumer user, see Get updates for apps and games in Microsoft Store.

Highlights

This update addresses security issues for your Windows operating system. ​​​​​​​

  • [Daylight Saving Time (DST)] Update for the Aysen region in Chile to support the government DST change order in 2025. For more info about DST changes, see the Daylight Saving Time & Time Zone Blog.

  • [OS Security] After installing this update or a later Windows update, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users. For more information, see CVE-2025-21204.

​​​​​​​Improvements​​​​​​​

Important: Use EKB KB5027397 to update to Windows 11, version 23H2.

This security update includes quality improvements. Key changes include:

  • This build includes all the improvements in Windows 11, version 22H2.

  • No additional issues are documented for this release.

This security update includes improvements that were part of update KB5053657(released March 25, 2025). The following summary outlines key issues addressed by the KB after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • This update makes miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.

For more information about security vulnerabilities, see the Security Update Guide and the April 2025 Security Update.

Windows 11 servicing stack update (KB5053665) - 22621.5120 and 22631.5120

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update​​​​​​​

Applies to: All users

Symptom

Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024.   Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to “Something didn’t go as planned. No need to worry – undoing changes” appears. The device will then revert to the Windows updates previously present on the device.    This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users are not expected to be affected by this issue. 

Workaround

The issue has been resolved in Citrix Session Recording Agent version 2503, released on April 28, 2025, and newer versions.

For details, see the documentation provided by Citrix at "Microsoft's January Security Update Fails/Reverts on a machine with 2411 Session Recording Agent".

Symptom

Audit Logon/Logoff events in the local policy of the Active Directory Group Policy might not show as enabled on the device even if they are enabled and working as expected. This can be observed in the Local Group Policy Editor or Local Security Policy, where local audit policies show the "Audit logon events" policy with Security Setting of "No auditing".

This issue might only manifest as a reporting inconsistency. It’s possible that logon events are correctly being audited on the device. However, the “Audit logon events” policy will reflect that this is not the case. Home users are unlikely to be affected by this issue, as logon auditing is generally only necessary in enterprise environments.

Workaround

This issue was resolved by Windows update released April 11, 2025 (KB5058919). To keep your device performing at its best, make sure you have the latest update for your device. It contains important improvements and issue resolutions.

Symptom

Devices which have installed the April Windows monthly security update, released April 8, 2025, or later (starting with KB5055528) might be unable to update to Windows 11, version 24H2 via Windows Server Update Services (WSUS). WSUS allows Servers with the WSUS role to defer, selectively approve, and schedule updates for specific devices or groups across an organization.

As part of this issue, the download of Windows 11, version 24H2, doesn't initiate or complete. Windows updates log can show error code 0x80240069, and further logs might include text similar to "Service has unexpectedly stopped". 

Home users are unlikely to experience this issue, as WSUS is designed for use across business and enterprise environments.

Workaround

This is addressed in KB5058405.

If you have an enterprise-managed device and have installed the update released May 13, 2025, KB5058405, or later, you do not need to use a Known Issue Rollback (KIR) or a special Group Policy to resolve this issue. If you are using an update released before May 13, 2025, and have this issue, your IT admin can resolve it by installing and configuring the special Group Policy.

Group Policy downloads with Group Policy name

Download for Windows 11, version 23H2 and Windows 11, version 22H2 – Windows 11 22H2 KB5055528 250426_03001 Known Issue Rollback.msi (also applicable to Windows 11, version 23H2)

The special Group Policy can be found in Computer Configuration > Administrative Templates > <Group Policy name>. For information on deploying and configuring these special Group Policy, see How to use Group Policy to deploy a Known Issue Rollback.

Applies to: All users

Symptom

There are reports of blurry or unclear CJK (Chinese, Japanese, Korean) text when displayed at 96 DPI (100% scaling) in Chromium-based browsers such as Microsoft Edge and Google Chrome. The March 2025 Preview Update introduced Noto fonts in collaboration with Google, for CJK languages as fallbacks to improve text rendering when websites or apps don’t specify appropriate fonts. The issue is due to limited pixel density at 96 DPI, which can reduce the clarity and alignment of CJK characters. Increasing the display scaling improves clarity by enhancing text rendering.

Workaround

As a temporary workaround, increase your display scaling to 125% or 150% to improve text clarity. For more information, see Change your screen resolution and layout in Windows.

We are investigating this issue and will provide more information when it is available.

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

Available

Next Step

Included

This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File information

For a list of the files that are provided in this update, download the file information for cumulative update 5055528.   

For a list of the files that are provided in the servicing stack update, download the file information for the SSU (KB5053665) - versions 22621.5120 and 22631.5120

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.