Berlaku Untuk
Windows Server 2025, all editions

Tanggal Rilis:

14/10/2025

Versi:

OS Build 26100.6899

Windows Secure Boot certificate expirationImportant: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance. For details and preparation steps, see Windows Secure Boot certificate expiration and CA updates.

To learn more about Windows update terminology, see types of Windows updates and monthly quality update types. For an overview, see the update history page for Windows Server 2025.       

Stay informed! Follow @WindowsUpdate for the latest updates from the Windows Release Health Dashboard

Change date

Change description

October 22, 2025

  • Added the following improvement included in this update:[File Explorer] After installing this update, File Explorer automatically disables the preview feature for files downloaded from the internet. This change is designed to enhance security by preventing a vulnerability when users preview potentially unsafe files. For details, including steps to unblock files, see File Explorer automatically disables the preview feature for files downloaded from the internet.​​​​​​​

October 10, 2025

  • Added the following new improvement included in this update:[Cryptography] This update enforces a security hardening improvement by requiring use of Key Storage Provider (KSP) instead of Cryptographic Service Provider {CSP) for RSA-based smart card certificates. If you experience problems with smart card authentication as a result of this design change, see the Windows Release Health site for resolution steps. For additional details, see CVE-2024-30098.

Improvements

This security update contains fixes and quality improvements from KB5065426 (released September 9, 2025) and KB5068221 (released September 22, 2025). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change. ​​​​

  • [App defaults]

    • New!  ​​We are rolling out some small changes in the European Economic Area (EEA) region for default browsers through the Set default button in Settings > Apps > Default apps:

      • Additional file and link types will be set for the new default browser, if it registers them.

      • The new default browser will be pinned to the Taskbar and Start menu unless you choose not to pin it by clearing the checkboxes.

      • There is now a separate one-click button for browsers to change your .pdf default, if the browser registers for the .pdf file type.

  • [Narrator]

    • New!  The Screen Curtain feature in Narrator helps protect your privacy and improve focus by blacking out the screen while Narrator reads content aloud. This is especially helpful in public or shared spaces, where you can work with sensitive information without others seeing your screen. To turn on Narrator, press Ctrl Windows + Enter. Then press Caps Lock + Ctrl + C to turn on Screen Curtain. While it’s on, you can use Narrator as usual with the screen hidden. Press Caps Lock + Ctrl + C again to turn it off.

    • New!  Narrator makes it easier to discover and learn about its features directly within the experience. Whether you're new or exploring advanced options, Narrator will guide you through the latest updates using a series of steps and prompts that explain each new feature and change.

  • [Settings] 

    • New!  The country or region selected during device setup now appears under Settings > Time & language > Language & region.

    • Fixed: The storage card in Settings System About shows an incorrect or unreadable character instead of the proper disk size.

  • [Taskbar & System Tray] 

    • New!  In addition to the new grouping of the Accessibility menu in Quick settings, there are text descriptions for the assistive technologies like Narrator, Voice access, and more for easier identification and learning.

    • New!  Adjusted the indicator (pill) under taskbar apps to make it wider and more visible.​​​​​​​

    • Fixed: WIN + CTRL Number doesn't work anymore for switching windows of an open app in the taskbar.​​​​​​​

  • [Windows Share]

    • ​​​​​​​New! When you share links or web content using the Windows share window, you'll see a visual preview for that content.

    • New!  In the Windows share window, you can select a compression level—High, Medium, or Low Quality—when editing and sharing images, instead of selecting from a 0–100 scale.

  • [Color] Improved: Adjusted the location of the intensity and color boost sliders under Settings > Accessibility > Color Filters, so the color previews at the top of the page remain visible while adjusting the sliders. 

  • [File Explorer]

    • Improved: Performance has been enhanced when extracting archive files - this will particularly help in the case of copy pasting large numbers of files out of large 7z or .rar archives.

    • New! After installing this update, File Explorer automatically disables the preview feature for files downloaded from the internet. This change is designed to enhance security by preventing a vulnerability when users preview potentially unsafe files. For details, including steps to unblock files, see File Explorer automatically disables the preview feature for files downloaded from the internet.

  • [Graphics]

    • Improved: Made underlying changes to enhance display related user experiences, including reducing screen flashing during certain display configuration transitions and eliminating unnecessary display resets that occurred in some cases​​​​​​​.

    • Fixed: Some displays might be unexpectedly green.

    • Fixed: If User Account Control (UAC) is set to Always Notify and the button under Settings > System > Display color calibration is selected for your display and canceled, Settings will stop responding.

  • [Input] Fixed: Typing in Japanese with the touch keyboard might stop working after switching to typing with an English keyboard and then switching back.

  • [Language] Fixed: After you install Windows Server 2025, you might see garbled or unreadable text in some feature names and descriptions in the Add Roles and Features wizard in Server Manager. This issue affects the Windows Admin Center Setup and Network ATC (Automatic Traffic Control) features in the Add Roles and Features wizard.

  • [MSFTEdit.dll] Fixed: Some apps like Sticky Notes and dxdiag might stop responding when the display language is set to Arabic or Hebrew display.

  • [Networking (known issue)]​​​​​​​ Fixed: This update addresses an issue where you might not be able to connect to shared files and folders if you're using the Server Message Block (SMB) v1 protocol on NetBIOS over TCP/IP NetBIOS (NetBT). This can happen after installing update KB5065426.

  • [Quick Settings] Fixed: The top three buttons in the top row don’t respond when selecting to enable or disable them.

  • [Performance] Fixed: This update addresses an issue to maintain efficiency of Storage Spaces Direct (S2D). When running complex software defined data center (SDDC) related workflows, it’s possible the system might become unresponsive.

  • [Printing] Fixed: Printed lines might be unexpectedly thicker than expected.

  • [Scripting] Fixed: Running a script on a remote Server Message Block (SMB) share might take an unexpectedly long time if the share is hosted on an older Windows Server version like Windows Server 2019.

  • [Storage optimization] Fixed: An issue that prevented unused language packs and Feature on Demand packages from being fully removed, which led to unnecessary storage use and longer Windows Update installation times.

  • [Windows Search]​​​​​​​

  • This update addresses an issue that could cause Windows Search to successfully load very slowly, taking over 10 seconds to load before you can use it.

  • Fixed: This update enhances the reliability of Windows Search and resolves an issue that prevented users from typing in Windows Search in some cases.Note: These fixes don't address an issue that might prevent Search from loading at all.

  • [Windowing] 

    • ​​​​​​​Fixed: When you press ALT + Tab to switch out of a full screen app, other windows like Windows Terminal might stop responding.

    • Fixed: An underlying issue might lead to unexpected changes to window size and position after sleep and resume on some devices.

    • Fixed: Explorer.exe might stop working unexpectedly when a window is dragged, if window snapping is enabled.

  • [Compatibility] This update removes the ltmdm64.sys driver. Fax modem hardware dependent on this specific driver will no longer work in Windows.

  • [Cryptography] This update enforces a security hardening improvement by requiring use of Key Storage Provider (KSP) instead of Cryptographic Service Provider {CSP) for RSA-based smart card certificates. If you experience problems with smart card authentication as a result of this design change, see the Windows Release Health site for resolution steps.  For additional details, see CVE-2024-30098.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For more information about security vulnerabilities, please refer to the Security Update Guide and the October 2025 Security Updates.

Windows Server 2025 servicing stack update (KB5067360) - 26100.6893

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

Symptoms

Active Directory domain controllers (DC) running on Windows Server 2025 and also running the schema master Flexible Single Master Operation (FSMO) role, will allow duplicate entries in attributes of schema objects. Commonly affected attributes include ​​​​​​​auxiliaryClass, possSuperiors, mayContain with values such as msExchBaseClassmsExchContainer,​​​​​​​ and msExchVirtualDirectoryFlags.​​​​​​​

When this occurs, Active Directory replication fails with a schema mismatch error, such as error 8418: The replication operation failed because of a schema mismatch between the servers involved." 

This issue can be observed when running Exchange Server setup forestprep and the schema master role for Active Directory is running Windows Server 2025. This breaks replication in the entire Active Directory enterprise environment because the schema across domain controllers is now inconsistent.

Note: This issue appears to have existed since the initial release of Windows Server 2025, but recent Exchange Server cumulative updates (for Exchange Server SE) have exposed it.

Workaround

To work around the issue, manually remove the duplicate entries in the AD schema. If you would like help in generating a script to help remove the duplicate entries, contact Microsoft’s Support for business.

The issue is under investigation, and additional information will be shared as soon as it becomes available.

​​​​​​​Symptoms

After installing September 2025 security update (KB5065426), applications that use the Active Directory directory synchronization (DirSync) control for on-premises Active Directory Domain Services (AD DS), such as when using Microsoft Entra Connect Sync, can result in incomplete synchronization of large AD security groups exceeding 10,000 members.

Workaround

This issue can be mitigated using Known Issue Rollback (KIR) for enterprise-managed devices managed by IT departments that have installed the affected update and encountered this issue. IT administrators can resolve this issue by installing and configuring the special Group Policy listed below. 

Group Policy downloads with Group Policy name:  

Download for Windows 11, Versions 24H2 and 25H2 and Windows Server 2025 — Windows 11 24H2, Windows 11 25H2 and Windows Server 2025 KB5066835 251016_21401 Known Issue Rollback

The special Group Policy can be found in Computer Configuration > Administrative Templates > Windows 11 24H2, Windows 11 25H2 and Windows Server 2025 KB5066835 251016_21401 Known Issue Rollback. For information on deploying and configuring these special Group Policy, see How to use Group Policy to deploy a Known Issue Rollback

Important: You will need to install and configure the Group Policy for Windows Server 2025. Then restart Windows Server 2025 to apply the group policy setting. (Windows 11 is out of scope of this notification and guidance.)

Alternatively, affected customers can apply the following registry key as a workaround to disable the feature change.

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. For more information, see Windows registry for advanced users.

​​​​​​​Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides

Name: 2362988687

Type: REG_DWORD

Value: 0

​​​​​​​The issue is under investigation, and additional information will be shared as soon as it becomes available.

Symptoms

After installing October 2025 security update (KB5066835), USB devices, such as keyboards and mice, do not function in the Windows Recovery Environment (WinRE). This issue prevents navigation of any of the recovery options within WinRE. Note that the USB keyboard and mouse continue to work normally within the Windows operating system.

Workaround

This issue is addressed in KB5070773.

How to get this update

Before you install this update

​​​​​​​Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

Available

Next Step

Included

This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File Information

For a list of the files provided in this update, download the file information for cumulative update 5066835

For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5067630) - version 26100.6893

Facebook LinkedIn Email
BERLANGGANAN FEED RSS

Perlu bantuan lainnya?

Ingin opsi lainnya?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center