May 13, 2025—KB5058405 (OS Builds 22621.5335 and 22631.5335)
Applies To
Windows 11 Enterprise and Education, version 22H2 Windows 11 version 23H2, all editionsRelease Date:
5/13/2025
Version:
OS Builds 22621.5335 and 22631.5335
For information about Windows update terminology, see types of Windows updates and the monthly quality update types. To find an overview of Windows 11, version 23H2, see its update history page.
This month's video is ready for you at Windows 11, version 24H2. Be sure to follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.
Important: Windows updates don't install Microsoft Store application updates. If you are an enterprise user, see Microsoft Store apps - Configuration Manager. If you are a consumer user, see Get updates for apps and games in Microsoft Store.
Highlights
-
This update addresses security issues for your Windows operating system.
Improvements
Important: Use EKB KB5027397 to update to Windows 11, version 23H2.
This security update includes quality improvements. Key changes include:
-
This build includes all the improvements in Windows 11, version 22H2.
-
No additional issues are documented for this release.
This security update includes improvements that were part of update KB5055629 (released April 22, 2025). The following summary outlines key issues addressed by the KB after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
-
[Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies improvements to SBAT for the detection of Linux systems.
-
[Windows Update] Fixed: This update addresses an issue where you might be unable to update to Windows 11, version 24H2 via WSUS. The download might not start or complete, showing error code 0x80240069 and logs with "Service has unexpectedly stopped".
If you installed earlier updates, your device downloads and installs only the new updates contained in this package.
For more information about security vulnerabilities, see the Security Update Guide and the May 2025 Security Update.
Windows 11 servicing stack update (KB5058528) - 22621.5334 and 22631.5334
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Applies to: All users
Symptom
There are reports of blurry or unclear CJK (Chinese, Japanese, Korean) text when displayed at 96 DPI (100% scaling) in Chromium-based browsers such as Microsoft Edge and Google Chrome. The March 2025 Preview Update introduced Noto fonts in collaboration with Google, for CJK languages as fallbacks to improve text rendering when websites or apps don’t specify appropriate fonts. The issue is due to limited pixel density at 96 DPI, which can reduce the clarity and alignment of CJK characters. Increasing the display scaling improves clarity by enhancing text rendering.
Workaround
As a temporary workaround, increase your display scaling to 125% or 150% to improve text clarity. For more information, see Change your screen resolution and layout in Windows.
We are investigating this issue and will provide more information when it is available.
Applies to: All users
Symptom
While installing the May 2025 Windows security update, some devices might encounter the following recovery error:
Your PC/device needs to be repaired. The operating system couldn't be loaded because a required file is missing or contains errors. File: ACPI.sys Error code: 0xc0000098
This issue has been observed on a small number of physical devices, but primarily on devices running in virtual environments, including:
-
Azure Virtual Machines
-
Azure Virtual Desktop
-
On-premises virtual machines hosted on Citrix or Hyper-V
Home users of Windows using Home or Pro editions are unlikely to face this issue as virtual machines are mostly used in IT environments.
The ACPI.sys file (Advanced Configuration and Power Interface) is a critical system driver responsible for managing hardware resources and power states.
Note: There are also reports of this same error occurring with a different file name.
Workaround
This issue is addressed in KB5062170.
If you have not yet deployed the May 2025 Windows security update (KB5058405) and your IT environment includes devices running in a virtual desktop infrastructure—such as Azure Virtual Machines, Azure Virtual Desktop, and on-premises virtual machines hosted on Citrix or Hyper-V— it’s recommended to apply the out-of-band update (KB5062170) instead.
Steps to recover your device
If you experienced this issue and are unable to start Windows, try the following steps to recover your device. After you've recovered your device, install the out-of-band update (KB5062170) via the Microsoft Update Catalog.
On Recovery-enabled devices:
-
Restart Windows.
On non-Recovery enabled devices:
-
Mount the virtual hard disk (VHD) from a remote device.
-
Mount the VHD on another virtual machine (VM) or device as a data disk and then return it back to the affected VM.
-
Restart Windows in normal mode. This will revert Windows to the last successfully installed Windows update.
For Azure customers who have already applied the update and are experiencing issues, see the self-help repair steps outlined in Repair a Windows VM using Azure Virtual Machine repair commands.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
|
Available |
Next Step |
|
|
This update downloads and installs automatically from Windows Update and Microsoft Update. |
|
Available |
Next Step |
|
|
This update downloads and installs automatically from Windows Update for Business in accordance with configured policies. |
|
Available |
Next Step |
|
|
To get the standalone package for this update, go to Microsoft Update Catalog. |
|
Available |
Next Step |
|
|
This update automatically syncs with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows: Product: Windows 11 Classification: Security Updates |
If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files that are provided in this update, download the file information for cumulative update 5058405.
For a list of the files that are provided in the servicing stack update, download the file information for the SSU (KB5058528) - versions 22621.5334 and 22631.5334.
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
