April 8, 2025—KB5055523 (OS Build 26100.3775)
Applies To
Windows Server 2025, all editionsRelease Date:
4/8/2025
Version:
OS Build 26100.3775
For information about Windows update terminology, see types of Windows updates and the monthly quality update types. To find an overview of Windows Server 2025, see its update history page.
Be sure to follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.
Improvements
This security update includes quality improvements. The following summary outlines key issues addressed by the KB update after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
-
[IFilters] New! Windows Search runs IFilters in Less Privileged App Containers (LPAC). LPACs are like app containers, but they minimize permissions by default. Processes running in LPACs only access necessary resources and don’t have access to sensitive system components and data. This mitigates the damage from a compromised process.
-
[Input Method Editor (IME)] New! After you install this update, the IME toolbar will hide when apps are in full screen mode. This only occurs when the IME toolbar is active, and you type Chinese or Japanese characters,
-
[Narrator] New! Narrator scan mode now includes new functions. Skip past links (N) lets you navigate directly to text after a link, useful for long emails, articles, or wiki pages. Jump to lists (L) quickly accesses lists in web pages or documents. To use these features, turn on Narrator (Windows logo key + Ctrl + Enter), then activate scan mode with Caps lock + Spacebar. Scan mode is usually on by default on most web pages.
-
[Task Manager]
-
New! The Disconnect and Logoff dialogs now support dark mode and text scaling.
-
New! The Performance section now shows the type for each disk.
-
Fixed: When you select Automatically hide the taskbar, the search box appears as an icon rather than a search box.
-
Fixed: The Users page might cause Task Manager to stop responding when you use the keyboard.
-
-
[Authentication] This update addresses an issue affecting machine password rotation in the Identity Update Manager certificate/Public Key Cryptography for Initial Authentication (PKNIT) path. This issue occurred particularly when Kerberos was used and Credential Guard was enabled, potentially causing user authentication problems. The feature Machine Accounts in Credential Gurad, which is dependent on password rotation via Kerberos, has also been disabled, until a permanent fix is made available.
-
[Daylight Saving Time (DST)] Update for the Aysen region in Chile to support the government DST change order in 2025. For more info about DST changes, see the Daylight Saving Time & Time Zone Blog.
-
[Deployment Image Servicing and Management (DISM)] Fixed: The StartComponentCleanup task doesn't work properly. It stops at 71% and shows error 6842.
-
[JPG files] Fixed: You cannot use an API to find rotation information.
-
[Mouse] Fixed: When using the show location pointer feature by pressing the CTRL key, the circles might appear small on some displays.
-
[PcaUiArm] This update addresses an issue affecting the PcaUiArmUpdate feature, which results in unexpected behavior in specific scenarios.
-
[PowerShell] Fixed: The Get-WindowsCapability command sometimes stops responding. Then you must restart your PC.
-
[Windows Subsystem for Linux (WSL)] Fixed: It stops working and will not start up.
-
[Windows Update] Fixed: When you install an update, you might get error 0x800f0905.
-
[Windows copy] Fixed: This update addresses a memory leak that may occur during Windows copy operations.
-
[OS Security] After installing this update or a later Windows update, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users. For more information, see CVE-2025-21204.
If you installed earlier updates, your device downloads and installs only the new updates contained in this package.
For more information about security vulnerabilities, see Security Update Guide and the April 2025 Security Updates.
Windows Server 2025 servicing stack update (KB5058538) - 26100.3764
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Applies to: IT Amins
Symptom
Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024. Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to “Something didn’t go as planned. No need to worry – undoing changes” appears. The device will then revert to the Windows updates previously present on the device. This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users are not expected to be affected by this issue.
Workaround
Citrix has documented this issue, including a workaround, which can be performed prior to installing the January 2025 Windows security update. For details, see Citrix’s documentation.
Microsoft is working with Citrix to address this issue and will update this documentation once a resolution is available.
All users
We're aware of an edge case of Windows Hello issue affecting devices with specific security features enabled. After installing this update and performing a Push button reset or Reset this PC from Settings > System > Recovery and selecting Keep my Files and Local install, some users might be unable to login to their Windows services using Windows Hello facial recognition or PIN. Users might observe a Windows Hello Message saying "Something happened and your PIN isn't available. Click to set up your PIN again" or "Sorry something went wrong with face setup".
Note: This issue only affects devices where System Guard Secure Launch or Dynamic Root of Trust for Measurement (DRTM) feature is enabled after installing this update. Devices with Secure Launch or DRTM enabled prior to this update, or those with these features disabled, are not impacted by this issue.
-
To login using PIN, follow the Set my PIN prompt on the logon screen to re-enroll into Windows Hello.
-
To use Face Logon, re-enroll in Windows Hello Facial recognition go to Settings > Accounts > Sign-in options > Facial recognition (Windows Hello), and select Set up. Follow the on-screen instructions.
How to get this update
Before you install this update
Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
|
Available |
Next Step |
|||
|
|
This update downloads and installs automatically from Windows Update and Microsoft Update. |
|
Available |
Next Step |
|||
|
|
This update downloads and installs automatically from Windows Update for Business in accordance with configured policies. |
|
Available |
Next Step |
|||||||
|
|
Before you install this update To get the standalone package(s) for this update, go to the Microsoft Update Catalog. This KB contains one or more MSU files that must be installed in order. Install this update Method 1: Install all MSU files together Download all MSU files for KB5055523 from Microsoft Update Catalog and place them in the same folder (for example, C:/Packages). Use Deployment Image Servicing and Management (DISM.exe) to install the target update. DISM will use the folder specified in PackagePath to discover and install one or more prerequisite MSU files as needed. Updating Windows PC To apply this update to a running Windows PC, run the following command from an elevated Command Prompt:
Or, run the following command from an elevated Windows PowerShell prompt:
Updating Windows Installation media To apply this update to Windows Installation media, see Update Windows installation media with Dynamic Update. To add this update to a mounted image, run the following command from an elevated Command Prompt:
Or, run the following command from an elevated Windows PowerShell prompt:
Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or Windows Update Standalone Installer in the following order:
|
|
Available |
Next Step |
|||
|
|
This update automatically syncs with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows: Product: Microsoft Server operating system-24H2 Classification: Security Updates |
If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File Information
For a list of the files that are provided in this update, download the file information for cumulative update 5055523.
For a list of the files that are provided in the servicing stack update, download the file information for the SSU (KB5058538) - version 26100.3764.
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
