July 8, 2025—KB5062553 (OS Build 26100.4652)

Improvements

This security update includes improvements that were a part of update KB5060842 (released June 10, 2025). The following summary outlines key issues addressed by the KB update after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change. ​​​​​​​​​​​​​

• [Application installation] Fixed: The MsiCloseHandle API experiences prolonged execution time when handling MSI files containing a large number of files.

• [Authentication]

  • ​​​​​​​Fixed: Kerberos authentication stops responding in certain scenarios when RC4 is used for encryption.

  • Fixed: FIDO Cached Credential Logon might stop responding in certain cases when a device is Hybrid Domain Joined.

  • Fixed: Opening certain apps after a password change could result in an unexpected lockout if the account lockout policy is enabled.

• [Boot menu] Fixed: If an update stops responding and rolls back, it might result in an unnecessary and non-functional boot menu entry. This fix stops devices from encountering this issue in the future. If you have already encountered this issue, you can manage extra boot entries in the Boot section of System Configuration (msconfig).

• [Color profile]

  • Fixed: Under Settings > System > Display > Color profile, go to Color management, it might not display the expected color profile list for the selected monitor.

  • Fixed: The color profile settings might not be applied after resuming from sleep.

• [Cryptography] Fixed: This update addresses an issue that was impacting Credential Roaming, preventing certificates and keys from being roamed into Active Directory and made available on users' machines.

• [Direct 3D Ecosystem] Fixed: This update addresses an issue where certain third-party apps might stop responding on the graphics settings page.

• [File Explorer] Fixed: In some cases, the See more​​​​​​​  menu in the File Explorer command bar opens in the wrong direction.

• [General reliability] Fixed: An underlying issue might lead to your PC experiencing a bugcheck (blue screen) with PDC_WATCHDOG_TIMEOUT when resuming from sleep.

• [Graphics] Fixed: There is an issue where certain third-party apps might render the graphics settings page unresponsive.

• [Input]

  • Fixed: Improved ctfmon.exe reliability, by addressing a system restart which could impact typing.

  • Fixed: ctfmon.exe might restart when copying data from certain apps.

• [Local Administrator Password Solution (LAPS)] This update addresses an issue with Windows LAPS. LAPS settings would not be preserved after an in-place upgrade.

• [Network] Fixed: The description of the virtual NIC doesn't display correctly in Network Connections (ncpa.cpl), showing invalid characters.

• [OOBE] Fixed: Addresses an issue that prevents the ESP from running every time a new user logs onto the device even when configured by policy.

• [PowerShell] Fixed: This update resolves an issue where critical PowerShell modules required for device configuration weren't run under Windows Defender Application Control (WDAC) policies.

• [Remote desktop] Fixed: Remote Desktop won't use UDP, only TCP.

• [Screen orientation] Fixed: Screen might unexpectedly change orientation coming out of sleep on 2-in-1 devices.

• [Task manager] Task Manager will now calculate CPU usage differently for Processes, Performance, and Users pages. It will use standard metrics to display CPU workload consistently across all pages and align with industry standards and third-party tools. To ensure backward compatibility, an optional column named CPU Utility is available (hidden by default) on the Details tab, showing the previous CPU value from the Processes page.

• [DHCP Server (known issue] Fixed: An issue in which the DHCP Server service might intermittently stop responding and affects IP renewal for clients.

If you installed earlier updates, your device downloads and installs only the new updates contained in this package.

For more information about security vulnerabilities, please refer to the Security Update Guide and the July 2025 Security Updates.

Known issues in this update​​​​​​​

How to get this update

Before you install this update

​​​​​​​Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

Windows UpdateBusinessCatalogServer Update Services

Available	Next Step
	This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File Information

For a list of the files provided in this update, download the file information for cumulative update 5062553. 

For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5063666) - version 26100.4651.