Berlaku Untuk
Windows Server 2025, all editions

Tanggal Rilis:

08/04/2025

Versi:

OS Build 26100.3775

For information about Windows update terminology, see types of Windows updates and the monthly quality update types. To find an overview of Windows Server 2025, see its update history page.       

Be sure to follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.     

Change date

Change description

September 30, 2025

Update: The fix is included in the April 2025 security update (KB5055523).[Performance] Fixed: After installing the Windows security update (KB5051987), released February 11, 2025, and later updates, on Windows Server 2025 devices, the SQL Server Launchpad service might not start if SQL Server Machine Learning Services is installed.

May 9, 2025

Update: The fix is included in the April 2025 security update (KB5055523).[Kerberos Authentication] Change of behavior: Adds protections for a vulnerability which occurs when a certificate authority is part of the Windows root store but not the NTAuth store. This change enabled by default might cause Event ID: 45 events to be logged on the domain controller. For more information, see KB5057784 and CVE-2025-26647.

Improvements

This security update includes quality improvements. The following summary outlines key issues addressed by the KB update after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [IFilters]New! Windows Search runs IFilters in Less Privileged App Containers (LPAC). LPACs are like app containers, but they minimize permissions by default. Processes running in LPACs only access necessary resources and don’t have access to sensitive system components and data. This mitigates the damage from a compromised process.

  • [Input Method Editor (IME)] New! After you install this update, the IME toolbar will hide when apps are in full screen mode. This only occurs when the IME toolbar is active, and you type Chinese or Japanese characters,

  • [Narrator] New! Narrator scan mode now includes new functions. Skip past links (N) lets you navigate directly to text after a link, useful for long emails, articles, or wiki pages. Jump to lists (L) quickly accesses lists in web pages or documents. To use these features, turn on Narrator (Windows logo key + Ctrl + Enter), then activate scan mode with Caps lock + Spacebar. Scan mode is usually on by default on most web pages.

  • [Task Manager] 

    • New! The Disconnect and Logoff dialogs now support dark mode and text scaling.

    • New!The Performance section now shows the type for each disk.

    • Fixed: When you select Automatically hide the taskbar, the search box appears as an icon rather than a search box.

    • Fixed: The Users page might cause Task Manager to stop responding when you use the keyboard. ​​​​​​​

  • [Authentication] This update addresses an issue affecting machine password rotation in the Identity Update Manager certificate/Public Key Cryptography for Initial Authentication (PKNIT) path. This issue occurred particularly when Kerberos was used and Credential Guard was enabled, potentially causing user authentication problems. The feature Machine Accounts in Credential Guard, which is dependent on password rotation via Kerberos, has also been disabled, until a permanent fix is made available.

  • [Daylight Saving Time (DST)] Update for the Aysen region in Chile to support the government DST change order in 2025. For more info about DST changes, see the Daylight Saving Time & Time Zone Blog.

  • [Deployment Image Servicing and Management (DISM)] Fixed: The StartComponentCleanup task doesn't work properly. It stops at 71% and shows error 6842.

  • [JPG files] Fixed: You cannot use an API to find rotation information.

  • [Performance] Fixed: After installing the Windows security update (KB5051987), released February 11, 2025, and later updates, on Windows Server 2025 devices, the SQL Server Launchpad service might not start if SQL Server Machine Learning Services is installed.

  • [PowerShell] Fixed: The Get-WindowsCapability command sometimes stops responding. Then you must restart your PC. ​​​​​​​

  • [Remote Desktop]  Fixed: This update addresses an issue where Remote Desktop sessions were freezing shortly after connection. With this issue, mouse and keyboard input became unresponsive within the session, requiring you to disconnect and reconnect.

  • [Windows Subsystem for Linux (WSL)] Fixed: It stops working and will not start up.

  • [Windows Update] Fixed: When you install an update, you might get error 0x800f0905.

  • [Windows copy] Fixed: This update addresses a memory leak that might occur during Windows copy operations.

  • [OS Security] After installing this update or a later Windows update, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users. For more information, see CVE-2025-21204.

  • [Kerberos Authentication] Change of behavior: Adds protections for a vulnerability which occurs when a certificate authority is part of the Windows root store but not the NTAuth store. This change enabled by default might cause Event ID: 45 events to be logged on the domain controller. For more information, see KB5057784 and CVE-2025-26647.

  • [Windows Hello] After installing this update or a later Windows update, for enhanced security, Windows Hello facial recognition requires color cameras to see a visible face when signing in. For more information, see CVE-2025-26644.

​​​​​​​​​​​​​​If you installed earlier updates, your device downloads and installs only the new updates contained in this package.

For more information about security vulnerabilities, see Security Update Guide and the April 2025 Security Updates.

Windows Server 2025 servicing stack update (KB5058538) - 26100.3764

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

Symptoms

Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024.   Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to “Something didn’t go as planned. No need to worry – undoing changes” appears. The device will then revert to the Windows updates previously present on the device.    This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users are not expected to be affected by this issue. 

Workaround

The issue has been resolved in Citrix Session Recording Agent version 2503, released on April 28, 2025, and newer versions.

For details, see the documentation provided by Citrix at "Microsoft's January Security Update Fails/Reverts on a machine with 2411 Session Recording Agent".

Symptoms

After installing the February 2025 Security update (KB5051987), released February 11, 2025, and later updates, on Windows Server 2025 devices, you might experience Remote Desktop sessions freezing shortly after connection. When this issue occurs, mouse and keyboard input become unresponsive within the session, requiring users to disconnect and reconnect

Workaround

The resolution for this issue will be available in a future Windows update for Windows Server 2025.

​​​​​​​Symptoms

Note: If you're unable to sign in using Windows Hello facial recognition in low light or with a covered camera lens after installing this update, this is a design change for enhanced security, and unrelated to the known issue listed below. See the Improvements section for details. ​​​​​​​

The following issue only affects devices where the System Guard Secure Launch or Dynamic Root of Trust for Measurement (DRTM) feature is enabled after installing this update. Devices with Secure Launch or DRTM enabled prior to this update, or those with these features disabled, are not impacted by this issue.

We're aware of an issue affecting Windows Hello issue on devices with specific security features enabled. After installing this update and performing a Push button reset or Reset this PC from Settings > System > Recovery and selecting Keep my Files and Local install, some users might be unable to login to their Windows services using Windows Hello facial recognition or PIN. Users might observe a Windows Hello Message saying "Something happened and your PIN isn't available. Click to set up your PIN again" or "Sorry something went wrong with face setup".

Workaround

This issue is addressed in KB5058411.

Symptoms

Active Directory domain controllers (DC) running on Windows Server 2025 and also running the schema master Flexible Single Master Operation (FSMO) role, will allow duplicate entries in attributes of schema objects. Commonly affected attributes include ​​​​​​​auxiliaryClass, possSuperiors, mayContain with values such as msExchBaseClassmsExchContainer,​​​​​​​ and msExchVirtualDirectoryFlags.​​​​​​​

When this occurs, Active Directory replication fails with a schema mismatch error, such as error 8418: The replication operation failed because of a schema mismatch between the servers involved." 

This issue can be observed when running Exchange Server setup forestprep and the schema master role for Active Directory is running Windows Server 2025. This breaks replication in the entire Active Directory enterprise environment because the schema across domain controllers is now inconsistent.

Note: This issue appears to have existed since the initial release of Windows Server 2025, but recent Exchange Server cumulative updates (for Exchange Server SE) have exposed it.

Workaround

To work around the issue, manually remove the duplicate entries in the AD schema. If you would like help in generating a script to help remove the duplicate entries, contact Microsoft’s Support for business.

The issue is under investigation, and additional information will be shared as soon as it becomes available.

How to get this update

Before you install this update

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

Available

Next Step

Included

This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File Information

For a list of the files that are provided in this update, download the file information for cumulative update 5055523

For a list of the files that are provided in the servicing stack update, download the file information for the SSU (KB5058538) - version 26100.3764

Perlu bantuan lainnya?

Ingin opsi lainnya?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.