March 11, 2025—KB5053603 (OS Build 20348.3328)
Applies To
Windows Server 2022Release Date:
3/11/2025
Version:
OS Build 20348.3328
For information about Windows update terminology, see types of Windows updates and the monthly quality update types. To find an overview of Windows Server 2022, see its update history page.
Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.
Improvements
This security update includes quality improvements. The following summary outlines key issues addressed by the KB update after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
-
[Daylight saving time (DST)] This update supports (DST) changes in Paraguay.
-
[Open Secure Shell (OpenSSH) (known issue)] Fixed: The service fails to start, which stops SSH connections. There is no detailed logging, and you must run the sshd.exe process manually.
-
[GB18030-2022] This update adds support for this amendment.
-
[Azure Virtual Network] Fixed: You can turn off the VNET metering feature with the following registry key.
Registry key: HKLM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet
Registry key: MeteringDisabled (DWORD type)
Data to be set: 1
If you installed earlier updates, your device downloads and installs only the new updates contained in this package.
Windows Server 2022 servicing stack update (KB5053666) - 20348.3320
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024. Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to “Something didn’t go as planned. No need to worry – undoing changes” appears. The device will then revert to the Windows updates previously present on the device. This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users are not expected to be affected by this issue.
Citrix has documented this issue, including a workaround, which can be performed prior to installing the January 2025 Windows security update. For details, see Citrix’s documentation.
Microsoft is working with Citrix to address this issue and will update this documentation once a resolution is available.
The Windows Event Viewer might display an error related to SgrmBroker.exe, on devices that have installed Windows updates released January 14, 2025, or later. This error can be found under Windows Logs > System as Event 7023, with text similar to ‘The System Guard Runtime Monitor Broker service terminated with the following error: %%3489660935’.
This error is only observable if the Windows Event Viewer is monitored closely. It is otherwise silent and does not appear as a dialog box or notification.
SgrmBroker.exe refers to the System Guard Runtime Monitor Broker Service. This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time. Although Windows updates released January 14, 2025, conflict with the initialization of this service, no impact to performance or functionality should be observed. There is no change to the security level of a device resulting from this issue. This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.
Note: There is no need to manually start this service or configure it in any way (doing so might trigger errors unnecessarily). Future Windows updates will adjust the components used by this service and SgrmBroker.exe. For this reason, please do not attempt to manually uninstall or remove this service or its components.
This issue is addressed in KB5055526.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Prerequisite for offline OS image servicing
Make sure that your image includes KB5030216 (09/12/2023) or a later LCU. If not, install it on your offline media before you install the latest update. This LCU updates the SSU version to 20348.1960. That is the minimum SSU version you must have to prevent error 0x800f0823 (CBS_E_NEW_SERVICING_STACK_REQUIRED).
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
|
Available |
Next Step |
|||
|
|
This update downloads and installs automatically from Windows update and Microsoft Update. |
|
Available |
Next Step |
|||
|
|
This update downloads and installs automatically from Windows update for Business in accordance with configured policies. |
|
Available |
Next Step |
|||
|
|
To get the standalone package for this update, go to Microsoft Update Catalog. |
|
Available |
Next Step |
|||
|
|
This update automatically syncs with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows: Product: Microsoft Server operating system-21H2 Classification: Security Updates |
If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files that are provided in this update, download the file information for cumulative update 5053603.
For a list of the files that are provided in the servicing stack update, download the file information for the SSU (KB5053666) - version 20348.3320.
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
