On July 8, 2025 (second Tuesday of the month, Patchday at Microsoft), various cumulative updates were released for the supported versions of Windows Server. Below I have extracted the provided updates along with some details for these Windows Server versions (from Windows Server 2012 to 2025).
The vulnerabilities fixed by the updates listed below, as far as they are relevant for Windows Server, are described in the blog post Microsoft Security Update Summary (July 8, 2025).
Updates for Windows Server 2025
A list of updates for Windows Server 2025 can be found on this Microsoft website. The cumulative update KB5062553 has been released for Windows Server 2025, which contains security patches and the following fixes:
- [Application installation] Fixed: The MsiCloseHandle API experiences prolonged execution time when handling MSI files containing a large number of files.
- [Authentication]
  - Fixed: Kerberos authentication stops responding in certain scenarios when RC4 is used for encryption.
  - Fixed: FIDO Cached Credential Logon might stop responding in certain cases when a device is Hybrid Domain Joined.
  - Fixed: Opening certain apps after a password change could result in an unexpected lockout if the account lockout policy is enabled.
- [Boot menu] Fixed: If an update stops responding and rolls back, it might result in an unnecessary and non-functional boot menu entry. This fix stops devices from encountering this issue in the future. If you have already encountered this issue, you can manage extra boot entries in the Boot section of System Configuration (msconfig).
- [Color profile]
  - Fixed: Under Settings > System > Display > Color profile, go to Color management, it might not display the expected color profile list for the selected monitor.
  - Fixed: The color profile settings might not be applied after resuming from sleep.
- [Cryptography] Fixed: This update addresses an issue that was impacting Credential Roaming, preventing certificates and keys from being roamed into Active Directory and made available on users' machines.
- [Direct 3D Ecosystem] Fixed: This update addresses an issue where certain third-party apps might stop responding on the graphics settings page.
- [File Explorer] Fixed: In some cases, the See more menu in the File Explorer command bar opens in the wrong direction.
- [General reliability] Fixed: An underlying issue might lead to your PC experiencing a bugcheck (blue screen) with PDC_WATCHDOG_TIMEOUT when resuming from sleep.
- [Graphics] Fixed: There is an issue where certain third-party apps might render the graphics settings page unresponsive.
- [Input]
  - Fixed: Improved ctfmon.exe reliability, by addressing a system restart which could impact typing.
  - Fixed: ctfmon.exe might restart when copying data from certain apps.
- [Local Administrator Password Solution (LAPS)] This update addresses an issue with Windows LAPS. LAPS settings would not be preserved after an in-place upgrade.
- [Network] Fixed: The description of the virtual NIC doesn't display correctly in Network Connections (ncpa.cpl), showing invalid characters.
- [OOBE] Fixed: Addresses an issue that prevents the ESP from running every time a new user logs onto the device even when configured by policy.
- [PowerShell] Fixed: This update resolves an issue where critical PowerShell modules required for device configuration weren't run under Windows Defender Application Control (WDAC) policies.
- [Remote desktop] Fixed: Remote Desktop won't use UDP, only TCP.
- [Screen orientation] Fixed: Screen might unexpectedly change orientation coming out of sleep on 2-in-1 devices.
- [Task manager] Task Manager will now calculate CPU usage differently for Processes, Performance, and Users pages. It will use standard metrics to display CPU workload consistently across all pages and align with industry standards and third-party tools. To ensure backward compatibility, an optional column named CPU Utility is available (hidden by default) on the Details tab, showing the previous CPU value from the Processes page.
- [DHCP Server (known issue)] Fixed: An issue in which the DHCP Server service might intermittently stop responding and affects IP renewal for clients.
This update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog and via WSUS and WUfB. The latest Windows Servicing Stack Update is integrated in the patch. Any problems caused by the update and installation requirements are listed in the support article.
Updates for Windows Server 2022/23H2
The following updates are available for Windows Server 2022 and Windows Server 23H2.
Update KB5060118 for Windows Server 23H2
A list of updates for Windows Server 23H2 can be found on this Microsoft website. The cumulative update KB5062570 has been released for Windows Server 23H2, which contains security patches and the following fixes:
- [DNS Server] Fixed: This update addresses an issue where a full zone transfer cannot be completed from a Windows DNS Server to another DNS Server when Extension Mechanisms for DNS is enabled.
- [Language and character support] Fixed: An issue that affected some Chinese characters and caused compliance issues with GB18030. These characters didn't display correctly or weren't accepted when using extended Unicode. A modern ICU-based solution now properly supports GB18030-2022 requirements.
- [Performance] Fixed: This update addresses an issue that prevented the complete removal of unused language packs and Feature on Demand packages, which previously led to unnecessary storage use and longer Windows Update installation times.
- [Security] This update upgrades the curl tool in Windows to version 8.13.0 to help protect against potential security risks, including unauthorized access to data or service disruptions.
This update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog and via WSUS and WUfB. The latest Windows Servicing Stack Update is integrated in the patch. Any problems caused by the update (Citrix) and installation requirements are listed in the support article.
Update KB5060526 for Windows Server 2022
A list of updates for Windows Server 2022 can be found on this Microsoft website. The cumulative update KB5062572 has been released for Windows Server 2022, which contains security patches and the following fixes:
- [DHCP Server (known issue)] Fixed: An issue in which the DHCP Server service might intermittently stop responding and affects IP renewal for clients.
- [Language and character support] Fixed: An issue that affected some Chinese characters and caused compliance issues with GB18030. These characters didn't display correctly or weren't accepted when using extended Unicode. A modern ICU-based solution now properly supports GB18030-2022 requirements.
- [Performance] Fixed: This update addresses an issue that prevented the complete removal of unused language packs and Feature on Demand packages, which previously led to unnecessary storage use and longer Windows Update installation times.
This update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog and via WSUS and WUfB. The current Windows Servicing Stack Update is integrated in the patch. Any problems caused by the update and installation requirements are listed in the support article.
Updates for Windows Server 2016/2019
A list of updates for Windows Server 2016 and 2019 can be found on this Microsoft website. I have extracted the relevant update information below.
Update KB5062557 for Windows Server 2019
Cumulative Update KB5062557 is not only available for Windows 10 2019 Enterprise LTSC etc., but also for Windows Server 2019. The update contains security fixes, improvements and bug fixes (need to switch to the Server 2019 tab view):
- [Network Security and Containers] Fixed: An issue in the CharNextW function which caused incorrect character rendering for GB18030-2022 compliance. The function has been deprecated and replaced with a modern ICU-based solution to ensure proper handling of GB18030-2022 requirements.
- [DHCP Server (known issue)] Fixed: An issue in which the DHCP Server service might intermittently stop responding and affects IP renewal for clients.
- [Microsoft RPC Netlogon protocol] This update includes a security hardening change to the Microsoft RPC Netlogon protocol. This change improves security by tightening access checks for a set of remote procedure call (RPC) requests. After this update is installed, Active Directory domain controllers will no longer allow anonymous clients to invoke some RPC requests through the Netlogon RPC server. These requests are typically related to domain controller location. Certain file and print service software can be affected, including Samba. If your organization uses Samba, please refer to the Samba release notes.
The update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog, via WSUS and WUfB. Microsoft has also updated the Service Stack Update (SSU). Please note the installation sequence described in the support article and, if applicable, the notes on further requirements and any existing problems.
Update KB5062560 for Windows Server 1607
Cumulative Update KB5062560 is not only available for Windows 10 2016 Enterprise LTSC, but also for Windows Server 2016. The update includes security fixes, bug fixes and improvements that may be listed in the support article.
- [DHCP Server (known issue)] Fixed: An issue in which the DHCP Server service might intermittently stop responding and affects IP renewal for clients.
The update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog, via WSUS and WUfB. Microsoft has also updated the Service Stack Update (SSU). Please note the installation requirements described in the support article and any information on existing problems.
Updates for Windows Server 2012 / R2
Windows Server 2012/R2 has been out of support since October 2023 and only receives updates with an ESU license. Please note the installation order for Windows Server that Microsoft provides in the KB articles. The installation of this extended security update (ESU) may fail if installed on an Azure Arc-enabled device.
Update KB5062597 for Windows Server 2012 R2
The update history for Windows Server 2012 R2 can be found on this Microsoft page. Update KB5062597 (Monthly Rollup for Windows Server 2012 R2) has been released for Windows Server 2012 R2 for systems with an ESU license. The update fixes various vulnerabilities and brings internal, undocumented fixes.
This update is automatically downloaded and installed by Windows Update in Windows Server 2012 R2, but is also available in the Microsoft Update Catalog and via WSUS. Details on fixes and any known problems in connection with the update are listed in the support article.
There is no security-only update for Windows Server 2012 R2.
Update KB5062592 for Windows Server 2012
The update history for Windows Server 2012 can be found on this Microsoft page. Update KB5062592 (Monthly Rollup for Windows Server 2012) has been released for Windows Server 2012 with ESU license. It contains unspecified security patches and bug fixes.
This update is available in the Microsoft Update Catalog and via WSUS. For a manual installation, the latest Servicing Stack Update (SSU) must be installed beforehand – although this SSU can no longer be uninstalled. Problems in connection with the update are listed in the KB article.
There is no security-only update for Windows Server 2012.
If in doubt, details on the above updates can be found in the respective Microsoft KB articles.
Attention: WSUS seems to have had synchronization problems since last night (July 9, 2025) – see WSUS has synchronization problems (July 9, 2025).
Hi Born,
After the 2025-07 update I noticed the "SgrmBroker not running" error in the monitoring and event ID 7023 in the Event Viewer on our updated 2019 servers.
This happened only on our 2019 servers, and only on those with the 2025-07 update installed.
Fixed it with:
sc.exe config sgrmagent start= disabled
reg add HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker /v Start /t REG_DWORD /d 4 /f
Best regards