July 8, 2025—KB5062553 (OS Build 26100.4652)
Berlaku Untuk
Tanggal Rilis:
08/07/2025
Versi:
OS Build 26100.4652
Windows Secure Boot certificate expirationImportant: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance. For details and preparation steps, see Windows Secure Boot certificate expiration and CA updates.
To learn about Windows update terminology, see the pages on types of Windows updates and monthly quality update types. For an overview, see the update history page for Windows Server 2025.
Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.
Improvements
This security update includes improvements that were a part of update KB5060842 (released June 10, 2025). The following summary outlines key issues addressed by the KB update after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change. 
- 
              [Application installation] Fixed: The MsiCloseHandle API experiences prolonged execution time when handling MSI files containing a large number of files. 
- 
              [Authentication] - 
                  Fixed: Kerberos authentication stops responding in certain scenarios when RC4 is used for encryption. 
- 
                  Fixed: FIDO Cached Credential Logon might stop responding in certain cases when a device is Hybrid Domain Joined. 
- 
                  Fixed: Opening certain apps after a password change could result in an unexpected lockout if the account lockout policy is enabled. 
 
- 
                  
- 
              [Boot menu] Fixed: If an update stops responding and rolls back, it might result in an unnecessary and non-functional boot menu entry. This fix stops devices from encountering this issue in the future. If you have already encountered this issue, you can manage extra boot entries in the Boot section of System Configuration (msconfig). 
- 
              [Color profile] - 
                  Fixed: Under Settings > System > Display > Color profile, go to Color management, it might not display the expected color profile list for the selected monitor. 
- 
                  Fixed: The color profile settings might not be applied after resuming from sleep. 
 
- 
                  
- 
              [Cryptography] Fixed: This update addresses an issue that was impacting Credential Roaming, preventing certificates and keys from being roamed into Active Directory and made available on users' machines. 
- 
              [Direct 3D Ecosystem] Fixed: This update addresses an issue where certain third-party apps might stop responding on the graphics settings page. 
- 
              [File Explorer] Fixed: In some cases, the See more menu in the File Explorer command bar opens in the wrong direction. 
- 
              [General reliability] Fixed: An underlying issue might lead to your PC experiencing a bugcheck (blue screen) with PDC_WATCHDOG_TIMEOUT when resuming from sleep. 
- 
              [Graphics] Fixed: There is an issue where certain third-party apps might render the graphics settings page unresponsive. 
- 
              [Input] - 
                  Fixed: Improved ctfmon.exe reliability, by addressing a system restart which could impact typing. 
- 
                  Fixed: ctfmon.exe might restart when copying data from certain apps. 
 
- 
                  
- 
              [Local Administrator Password Solution (LAPS)] This update addresses an issue with Windows LAPS. LAPS settings would not be preserved after an in-place upgrade. 
- 
              [Network] Fixed: The description of the virtual NIC doesn't display correctly in Network Connections (ncpa.cpl), showing invalid characters. 
- 
              [OOBE] Fixed: Addresses an issue that prevents the ESP from running every time a new user logs onto the device even when configured by policy. 
- 
              [PowerShell] Fixed: This update resolves an issue where critical PowerShell modules required for device configuration weren't run under Windows Defender Application Control (WDAC) policies. 
- 
              [Remote desktop] Fixed: Remote Desktop won't use UDP, only TCP. 
- 
              [Screen orientation] Fixed: Screen might unexpectedly change orientation coming out of sleep on 2-in-1 devices. 
- 
              [Task manager] Task Manager will now calculate CPU usage differently for Processes, Performance, and Users pages. It will use standard metrics to display CPU workload consistently across all pages and align with industry standards and third-party tools. To ensure backward compatibility, an optional column named CPU Utility is available (hidden by default) on the Details tab, showing the previous CPU value from the Processes page. 
- 
              [DHCP Server (known issue] Fixed: An issue in which the DHCP Server service might intermittently stop responding and affects IP renewal for clients. 
If you installed earlier updates, your device downloads and installs only the new updates contained in this package.
For more information about security vulnerabilities, please refer to the Security Update Guide and the July 2025 Security Updates.
Windows Server 2025 servicing stack update (KB5063666) - 26100.4651
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Symptoms
A small subset of Generation 2 Azure Virtual Machines (VMs) with Trusted Launch disabled, and Virtualization-Based Security (VBS) enforced via registry key might be unable to boot after installing this update.
To check if your virtual machine might be impacted:
- 
                  Check if your VM is created as “Standard”. 
- 
                  Check if VBS is enabled. Open System Information (msinfo32.exe) and confirm that Virtualization-based security is running and that the Hyper-V role is not installed in the VM. 
Workaround
This issue is addressed in KB5064489.
Symptoms
Following installation of this update, there might be issues when using the Microsoft Changjie IME (input method editor) for Traditional Chinese. Reported symptoms include:
- 
                  Inability to form or select words after typing the full composition (associate phrase window). 
- 
                  Spacebar or blank key not responding. 
- 
                  Incorrect or distorted word outputs. 
- 
                  The conversion candidate window fails to display properly. 
Workaround This issue is addressed in KB5063878.
Symptoms
Active Directory domain controllers (DC) running on Windows Server 2025 and also running the schema master Flexible Single Master Operation (FSMO) role, will allow duplicate entries in attributes of schema objects. Commonly affected attributes include auxiliaryClass, possSuperiors, mayContain with values such as msExchBaseClass, msExchContainer, and msExchVirtualDirectoryFlags.
When this occurs, Active Directory replication fails with a schema mismatch error, such as error 8418: The replication operation failed because of a schema mismatch between the servers involved."
This issue can be observed when running Exchange Server setup forestprep and the schema master role for Active Directory is running Windows Server 2025. This breaks replication in the entire Active Directory enterprise environment because the schema across domain controllers is now inconsistent.
Note: This issue appears to have existed since the initial release of Windows Server 2025, but recent Exchange Server cumulative updates (for Exchange Server SE) have exposed it.
Workaround
To work around the issue, manually remove the duplicate entries in the AD schema. If you would like help in generating a script to help remove the duplicate entries, contact Microsoft’s Support for business.
The issue is under investigation, and additional information will be shared as soon as it becomes available.
How to get this update
Before you install this update
Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
| Available | Next Step | 
|  | This update downloads and installs automatically from Windows Update and Microsoft Update. | 
| Available | Next Step | 
|  | This update downloads and installs automatically from Windows Update for Business in accordance with configured policies. | 
| Available | Next Step | ||||
| Yes 1 | Before you install this update To get the standalone package(s) for this update, go to the Microsoft Update Catalog website. This KB contains one or more MSU files that require installation in a specific order. Install this update Method 1: Install all MSU files together Download all MSU files for KB5062553 from Microsoft Update Catalog and place them in the same folder (for example, C:/Packages). Use Deployment Image Servicing and Management (DISM.exe) to install the target update. DISM will use the folder specified in PackagePath to discover and install one or more prerequisite MSU files as needed. Updating Windows PC To apply this update to a running Windows PC, run the following command from an elevated Command Prompt: 
 Or, run the following command from an elevated Windows PowerShell prompt: 
 Or use Windows Update Standalone Installer to install the target update. Updating Windows Installation media To apply this update to Windows Installation media, see Update Windows installation media with Dynamic Update. Note: When downloading other Dynamic Update packages, ensure they match the same month as this KB. If the SafeOS Dynamic Update or Setup Dynamic Update is not available for the same month as this KB, use the most recently published version of each. To add this update to a mounted image, run the following command from an elevated Command Prompt: 
 Or, run the following command from an elevated Windows PowerShell prompt: 
  Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or Windows Update Standalone Installer in the following order: 
 | 
1 This latest cumulative update includes updates for AI components. Even though the AI component updates are included in the update, the AI components are only applicable to Windows Copilot+ PCs and will not install on Windows PC or Windows Server.
| Available | Next Step | 
|  | This update will automatically sync with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows: Product: Microsoft Server operating system-24H2 Classification: Security Updates | 
If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File Information
For a list of the files provided in this update, download the file information for cumulative update 5062553.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5063666) - version 26100.4651.
 
                         
				 
				