July 8, 2025—KB5062597 (Monthly Rollup)
Applies To
Windows Server 2012 R2 ESUWindows Secure Boot certificate expirationÂ
Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance. For details and preparation steps, see Windows Secure Boot certificate expiration and CA updates.
 The installation of this Extended Security Update (ESU) might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012 R2. For a successful installation, please make sure all Subset of endpoints for ESU only are met as described in Connected Machine agent network requirements.
Support for Windows Server 2012 R2 will end in October 2026
Windows Server 2012 R2Â reached the end of support (EOS) on October 10, 2023.Â
Extended Security Updates (ESUs) are available for purchase and will continue for three years, renewable on an annual basis, until the final date on October 13, 2026. For information about the procedure to continue receiving security updates, see KB5031043.Â
We recommend that you upgrade to a later version of Windows Server. For more information, see Overview of Windows Server upgrades.
Summary
Learn more about this cumulative security update, including improvements, any known issues, and how to get the update.
Note For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, see Description of the standard terminology that is used to describe Microsoft software updates. To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history home page.
Improvements
This security update includes fixes and quality improvements that were a part of the following update:
The following is a summary of the issues that this update addresses. The bold text within the brackets indicates the item or area of the change we are documenting.
-
[Microsoft RPC Netlogon protocol] This update includes a security hardening change to the Microsoft RPC Netlogon protocol. This change improves security by tightening access checks for a set of remote procedure call (RPC) requests. After this update is installed, Active Directory domain controllers will no longer allow anonymous clients to invoke some RPC requests through the Netlogon RPC server. These requests are typically related to domain controller location. Certain file and print service software can be affected, including Samba. If your organization uses Samba, please refer to the Samba release notes. ​​​​​​​
For more information about the resolved security vulnerabilities, please refer to the Deployments | Security Update Guide and the July 2025 Security Updates.
Known issues in this update
We are currently not aware of any issues with this update. For the most up-to-date information about known issues for Windows Server 2012 R2, please go to the Windows release health dashboard.
How to get this update
Before installing this update
To install any Windows Server 2012 R2 Monthly Rollup released on or after January 14, 2025, you must first install the latest Servicing Stack Update (SSU). If your device or offline image does not have the latest SSU installed, you cannot install this update.
Caution:Â Until you install the latest SSU, this update will not be offered to your device. To reduce your security risk, install the latest SSU as soon as possible.
-
If you use Windows Update, the latest SSU (KB5058529) will be offered to you automatically. After the latest SSU is installed, you will be able to install this update.
-
If you use the Update Catalog, you must download and install the latest SSU (KB5058529). After the latest SSU is installed, you will be able to install this update.
-
If you are a Windows Server Update Services (WSUS) administrator, you must approve SSU KB5058529 and this update KB5062597.
For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Language packs
If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Learn about adding a language pack to Windows.
Install this update
To install this update, use one of the following release channels.
|
Available |
Next step |
|
|
This update will be downloaded and installed automatically from Windows Update. |
|
Available |
Next step |
|
|
To get the standalone package for this update, go to the Microsoft Update Catalog website. To download updates from the Update Catalog, see Steps to download updates from the Windows Update Catalog. |
|
Available |
Next step |
|
|
This update will automatically sync with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows:
|
File information
A list of the files that are included in this update are provided in a CSV (Comma delimited) (*.csv) file. The file can be opened in a text editor such as Notepad or in Microsoft Excel.
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
