Security updates for Azure Local

This article lists the various security updates that are available for Azure Local.

June OS security update (KB5094125) for Azure Local

This section describes the 2606 security updates associated with OS build 26100.32995 released on June 9, 2026 (KB5094125).

For more information about Windows update terminology, see Types of Windows updates and the monthly quality update types.

Announcements and messages

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

Windows Secure Boot certificate expiration

Important

Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for the past months. Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. We will continue to install the newer certificates via Windows updates in the coming months. You can check your PC status on the Windows Security app. If you are an IT administrator, follow the guidance on the Secure Boot Playbook for Windows clients and Windows Server.

Improvements

This security update contains fixes and quality improvements from KB5087539 (released May 12, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [Boot manager servicing update (Known issue)] Fixed: This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations. This might occur after installing the April 2026 security update (KB5082063).

  • [File Explorer] This update improves File Explorer search, including support for Chinese text and UTF-8–encoded files without a byte order mark (BOM). Text now displays more clearly and consistently across search results, Content view, and tooltips.

  • [Reliability] This update improves reliability during user profile load by managing system resources more efficiently.

  • [Secure Boot]

    • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
    • This update adds the LimitSecureBootRequiredServiceData Group Policy and mobile device management (MDM) setting under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When enabled, Windows limits the Secure Boot service data it sends by suppressing the event normally sent to Microsoft. This policy is included in the Windows Restricted Traffic Limited Functionality Baseline. For information about the policy, see Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services.
  • [Networking] Windows Server 2025 DNS Server now supports DNS over HTTPS (DoH), enabling encrypted DNS communication between the server and clients. DoH helps improve privacy and security by protecting DNS queries from being viewed and preventing unauthorized modification of DNS responses. This feature is generally available and compatible with existing DNS infrastructure and management workflows.

    • Note: This support applies only to server-client communication and doesn’t support encrypted DNS communication between servers.
  • [Windows Update Deployment (known issue)] Fixed: This update addresses an issue in Windows Server 2025, where updates installed using the Windows Update Standalone Installer (WUSA) might fail with error code ERROR_BAD_PATHNAME. This issue can occur when you double-click a .msu file or run WUSA from a network share that contains multiple .msu files.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For an overview of Azure Local, see What is Azure Local?

Known issues

Windows Server Update Services (WSUS) does not display error details

After you install KB5070881 or later updates, Windows Server Update Services (WSUS) doesn't display synchronization error details within its error reporting. To address the Remote Code Execution Vulnerability CVE-2025-59287, Microsoft temporarily removed this functionality.

To install

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the June 2026 Security Updates.

File information

For a list of the files provided in this update, download the file information for cumulative update 5094125.

May OS security update (KB5087539) for Azure Local

This section describes the 2605 security updates associated with OS build 26100.32860 released on May 12, 2026 (KB5087539).

For more information about Windows update terminology, see Types of Windows updates and the monthly quality update types.

Improvements

This security update includes fixes and quality improvements from KB5082063 (released April 14, 2026) and KB5091157 (released April 19, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.

  • [Connectivity] This update improves the reliability of Simple Service Discovery Protocol (SSDP) notifications to help prevent the service from becoming unresponsive.

  • [Daylight saving time (DST)] This update supports the 2023 DST change for the Arab Republic of Egypt.

  • [Domain controllers] This update improves the performance of the Local Security Authority Subsystem Service (LSASS) on domain controllers when Microsoft Defender is enabled. It reduces CPU and memory usage during Event Tracing for Windows collection of IDL_DRSGetNCChanges events.

  • [Remote Desktop (known issue)] Fixed: This update addresses an issue that affects the Remote Desktop Connection security warning dialog. The dialog could render incorrectly in multi-monitor scenarios when the monitors had different scaling settings. This problem might occur after installing the April 2026 (KB5082063) security update. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.

  • [Sign-In] After you install the Windows update released on or after March 10, 2026, some users might experience an issue signing in to apps with a Microsoft account. Even when the device has a working Internet connection, a "no Internet" error appears during sign in and prevents access to Microsoft services and apps such as Microsoft Teams.

If you already installed previous updates, your device downloads and installs only the new updates included in this package.

For an overview of Azure Local, see What is Azure Local?

Known issues

Windows Server Update Services (WSUS) doesn't display error details

After you install KB5070881 or later updates, Windows Server Update Services (WSUS) doesn't display synchronization error details within its error reporting. To address the Remote Code Execution Vulnerability CVE-2025-59287, Microsoft temporarily removed this functionality.

Devices with an unrecommended BitLocker Group Policy configuration might need to enter their BitLocker recovery key

Symptom

Some devices with an unrecommended BitLocker Group Policy configuration might need to enter their BitLocker recovery key on the first restart after installing this update.

This issue only affects a limited number of systems in which all of the following conditions are true. These conditions are unlikely to be found on personal devices that IT departments don't manage.

  1. BitLocker is enabled on the OS drive.

  2. The Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).

  3. System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as Not Possible.

  4. The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.

  5. The device isn't already running the 2023-signed Windows Boot Manager.

In this scenario, the user only needs to enter the BitLocker recovery key once. Subsequent restarts don't trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged. For help finding your BitLocker recovery key, see the article, Find your BitLocker recovery key.

Enterprises should audit their BitLocker group policies for explicit PCR7 inclusion and check msinfo32.exe for their PCR7 binding status before installing this update. (See the Workaround section.)
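One way to run the audit described above on a single machine, as an added PowerShell example (not Microsoft's script). It assumes an elevated session, English msinfo32 output, and the policy registry location HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI, which this page doesn't name; the function names are the example's own, and condition 5 (the boot manager's signer) isn't checked.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script. Evaluates conditions 1-4 of the known
# issue on the local machine. Condition 5 (whether the 2023-signed Windows Boot
# Manager is already in use) is not checked here.

function Test-OsDriveBitLockerEnabled {
    # Condition 1: the OS volume is encrypted or being encrypted.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    return $vol.VolumeStatus -ne 'FullyDecrypted'
}

function Test-Pcr7InValidationPolicy {
    # Condition 2. Assumption: this is the registry location written by the
    # "Configure TPM platform validation profile for native UEFI firmware
    # configurations" policy; the page does not name the key.
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    )
    if (-not (Test-Path -LiteralPath $PolicyKey)) { return $false }
    $policy = Get-ItemProperty -LiteralPath $PolicyKey
    # 'Enabled' = 1 turns the policy on; the value named '7' = 1 selects PCR7.
    return ($policy.Enabled -eq 1) -and ($policy.'7' -eq 1)
}

function Get-Pcr7ReportLine {
    # Condition 3: export System Information to a text report and return the
    # lines that mention PCR7. Item names are localized; English is assumed.
    $report = Join-Path $env:TEMP ('msinfo-{0}.txt' -f [guid]::NewGuid())
    try {
        Start-Process -FilePath msinfo32.exe -ArgumentList '/report', "`"$report`"" -Wait
        Get-Content -LiteralPath $report | Where-Object { $_ -match 'PCR7' }
    }
    finally {
        Remove-Item -LiteralPath $report -ErrorAction SilentlyContinue
    }
}

function Test-UefiCa2023InDb {
    # Condition 4: look for the certificate name in the Secure Boot DB.
    $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
    return [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
}

$pcr7Lines = @(Get-Pcr7ReportLine)
$audit = [pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    BitLockerOnOsDrive     = Test-OsDriveBitLockerEnabled
    Pcr7InValidationPolicy = Test-Pcr7InValidationPolicy
    Pcr7BindingNotPossible = [bool]($pcr7Lines -match 'Not Possible')
    UefiCa2023InDb         = Test-UefiCa2023InDb
    Pcr7ReportLines        = $pcr7Lines -join ' | '
}
# All four checked conditions true: expect a recovery prompt unless condition 5
# rules the device out, so apply the workaround before installing the update.
$audit | Add-Member -NotePropertyName ConditionsOneToFourMet -NotePropertyValue (
    $audit.BitLockerOnOsDrive -and $audit.Pcr7InValidationPolicy -and
    $audit.Pcr7BindingNotPossible -and $audit.UefiCa2023InDb)
$audit
```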

Workaround

Remove the Group Policy configuration before installing the update (Recommended)

  1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.

  2. Go to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

  3. Set Configure TPM platform validation profile for native UEFI firmware configurations to Not Configured.

  4. Run the following command on affected devices to propagate the policy change:

    gpupdate /force
    
  5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive):

    manage-bde -protectors -disable C: 
    
  6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive):

    manage-bde -protectors -enable C: 
    
  7. This command updates the BitLocker bindings to use the Windows-selected default PCR profile.

A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it's available.

To install

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the May 2026 Security Updates.

File information

For a list of the files provided in this update, download the file information for cumulative update 5087539.

April OS security update (KB5082063) for Azure Local

This section provides the 2604 security updates associated with OS build 26100.32690 released on April 14, 2026 (KB5082063).

To learn more about Windows update terminology, see Types of Windows updates and the monthly quality update types.

Improvements

This security update contains fixes and quality improvements from KB5078740 (released March 10, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [Secure Boot]

    • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.

    • This update addresses an issue where the device might enter BitLocker Recovery after the Secure Boot updates.

  • [Kerberos protocol] This update changes the default DefaultDomainSupportedEncTypes value for Kerberos Key Distribution Center (KDC) operations to leverage AES-SHA1 for accounts that don't have an explicit msds-SupportedEncryptionTypes Active Directory attribute defined. For more information, see How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833.

  • [Authentication] This update improves how Windows uses Kerberos encryption policies during authentication. After you install this update, Windows reads the configured policy settings as expected, which helps ensure encryption behavior is applied consistently across the domain.

  • [Bluetooth] This update improves Bluetooth device management in Settings and Quick Settings, helping connected devices appear consistently and making them easier to add and manage.

  • [Graphics] This update improves color rendering when printing from Win32 desktop apps.

  • [Networking] This update improves reliability when Windows uses SMB compression over QUIC. After you install this update, SMB compression requests over QUIC complete more consistently, reducing the likelihood of timeouts and supporting smoother, more dependable performance.

  • [PowerShell] This update improves how the Set-GPPrefRegistryValue cmdlet in PowerShell imports registry preference values. The cmdlet now preserves each imported value in full, including the final character.

  • [Remote Desktop] This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files. 

  • [Texts and Fonts] This update improves Windows fonts by adding the new Saudi Riyal currency symbol. This change helps keep text clear, accurate, and visually consistent across your Windows apps and experiences.

  • [Windows Deployment Services (WDS)] This update disables the "Hands-Free Deployment" feature in WDS by default; it is no longer a supported feature. For more information about this change, see Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance related to CVE-2026-0386.
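For the [Kerberos protocol] item above, an inventory that shows which accounts follow the KDC default and which carry an explicit msds-SupportedEncryptionTypes value, as an added PowerShell example (not Microsoft's script). It assumes the ActiveDirectory module and read access to the domain; the function names are the example's own, and it limits the listing to accounts that have a service principal name.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Microsoft's script. Lists accounts that have a service
# principal name and shows whether msDS-SupportedEncryptionTypes is set
# explicitly or the account follows the KDC default described above.

# Bit flags defined for the msDS-SupportedEncryptionTypes attribute.
$script:EncTypeFlags = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function ConvertFrom-EncTypeMask {
    # Turns the integer bit mask into a readable list of encryption types.
    param([Parameter(Mandatory)][int]$Mask)
    $names = foreach ($flag in $script:EncTypeFlags.GetEnumerator()) {
        if ($Mask -band $flag.Value) { $flag.Key }
    }
    if ($names) { $names -join ', ' } else { '(none)' }
}

function Get-SpnEncTypeInventory {
    # One output object per account that has a service principal name.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(servicePrincipalName=*)' `
        -Properties sAMAccountName, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $raw = $_.'msDS-SupportedEncryptionTypes'
            $explicit = $null -ne $raw
            [pscustomobject]@{
                Account       = $_.sAMAccountName
                ObjectClass   = $_.ObjectClass
                ExplicitValue = $explicit
                RawValue      = $raw
                EncTypes      = if ($explicit) { ConvertFrom-EncTypeMask -Mask $raw } else { 'KDC default' }
                # 0x18 = AES128 (0x08) + AES256 (0x10)
                AesEnabled    = $explicit -and [bool]($raw -band 0x18)
            }
        }
}

# Accounts with no explicit value follow the KDC default; accounts with an
# explicit value keep that value, so review the ones where AesEnabled is False.
Get-SpnEncTypeInventory |
    Sort-Object ExplicitValue, AesEnabled, Account |
    Format-Table Account, ObjectClass, ExplicitValue, EncTypes, AesEnabled -AutoSize
```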

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For an overview of Azure Local, see What is Azure Local?

Known issues

Windows Server Update Services (WSUS) doesn't display error details

After you install KB5070881 or later updates, Windows Server Update Services (WSUS) doesn't display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability CVE-2025-59287.

To install

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the April 2026 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Local.

File Information

For a list of the files provided in this update, download the file information for cumulative update 5082063.

March OS security update (KB5078740) for Azure Local

This section provides the 2603 security updates associated with OS build 26100.32522 released on March 10, 2026 (KB5078740). It also includes key notifications, announcements, change logs, and end-of-support notices.

To learn more about Windows update terminology, see Types of Windows updates and the monthly quality update types.

Improvements

This security update contains fixes and quality improvements from KB5075899 (released February 10, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • This update makes miscellaneous security improvements to internal OS functionality.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For an overview of Azure Local, see What is Azure Local?

Known issues

Windows Server Update Services (WSUS) doesn't display error details

After you install KB5070881 or later updates, Windows Server Update Services (WSUS) doesn't display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability CVE-2025-59287.

To install

Before you install this update 

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the March 2026 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Local.

File Information

For a list of the files provided in this update, download the file information for cumulative update 5078740.

February OS security update (KB5075899) for Azure Local

This section provides the 2602 security updates associated with OS build 26100.32370 released on February 10, 2026 (KB5075899). It also includes key notifications, announcements, change logs, and end-of-support notices.

Windows Secure Boot certificate expiration

Important

The Azure Local product team is aware of the upcoming expiration of the boot certificates of Windows devices and is actively working with solution OEM partners to deliver a managed update. Upcoming solution updates will initiate the mitigation process to address this scenario.

To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

Improvements 

This security update contains fixes and quality improvements from KB5073379 (released January 13, 2026), KB5077793 (released January 17, 2026), and KB5078135 (released January 24, 2026). The following summary outlines key issues addressed by this update. Also included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [File Explorer] Fixed: This update addresses an issue where folder renaming with desktop.ini files in File Explorer doesn't work correctly. The LocalizedResourceName setting is ignored, so custom folder names don't appear.

  • [Fonts & Display] Updates the Chinese fonts to support the GB18030-2022A standard for character coverage and display.

  • [Graphics] Fixed: This update addresses an issue where certain GPU configurations might recently have experienced a system error related to dxgmms2.sys, resulting in the KERNEL_SECURITY_CHECK_FAILURE error.

  • [Performance & Reliability] Fixed: This update disables the forwarded I/O feature in the NVMe stack by default.

  • [Networking]

    • DNS over HTTPS (DoH) support for Windows DNS Server is now available in public preview. This preview enables evaluation of DoH for traffic between the server and its clients. This is intended for feedback only. It isn't supported for production use, and it might contain issues. Functionality might also change, including potential breaking changes, before General Availability (GA). You can read more about this preview in the DoH on Windows DNS Server blog.

    • Windows Server now supports random shuffling of resource records in DNS Server responses. This helps reduce scenarios where a single resource record becomes overloaded because it appears first in the returned list.

    To enable, create a DWORD registry key named RandomShuffle at:

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    

    Data to be set: 1

    To disable or erase the key:

    Data to be set: 0

For an overview of Azure Local, see What is Azure Local?

Known issues

Windows Server Update Services (WSUS) doesn't display error details

After you install KB5070881 or later updates, Windows Server Update Services (WSUS) doesn't display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability CVE-2025-59287.

To install

Before you install this update 

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the February 2026 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Local.

File Information

For a list of the files provided in this update, download the file information for cumulative update 5075899.

January OS security update (KB5073379) for Azure Local

This section provides the 2601 security updates associated with OS build 26100.32230 released on January 13, 2026 and also includes key notifications, announcements, change logs, and end-of-support notices.

Starting with the January 2026 security update, Azure Stack HCI OS, version 24H2 will use different KB identifiers and a different build number. This change does not affect how you receive or manage updates for Azure Local.

Windows Secure Boot certificate expiration

Important

The Azure Local product team is aware of the upcoming expiration of the boot certificates of Windows devices and is actively working with solution OEM partners to deliver a managed update. Upcoming solution updates will initiate the mitigation process to address this scenario.

To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

Improvements

This security update contains fixes and quality improvements from KB5072033 (released December 9, 2025). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [Compatibility] This update removes the following modem drivers: agrsm64.sys (x64), agrsm.sys (x86), smserl64.sys (x64), and smserial.sys (x86). Modem hardware that depends on these specific drivers will no longer work in Windows.

  • [Networking (known issue)] Fixed: This update addresses an issue where you might experience RemoteApp connection failures in Azure Virtual Desktop (AVD) environments. This might occur after installing KB5072033.

  • [Servicing (known issue)] This update addresses an issue where devices that installed the out-of-band update (KB5070881) stopped receiving Hotpatch updates. Affected machines will resume Hotpatch updates after installing the January 2026 baseline update.

  • [Windows Deployment Services (WDS)] This update introduces a change in behavior in which WDS will stop supporting hands-free deployment functionality by default. Detailed guidance for IT administrators is available at Windows Deployment Services (WDS) Hands‑Free Deployment Hardening Guidance.

Known issues

Microsoft is not currently aware of any issues with this update.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the January 2026 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5073379.

December OS security update (KB5072033) for Azure Local

This section provides the 2512 security updates associated with OS build 26200.7462 and 26100.7462 released on December 9, 2025, and also includes key notifications, announcements, change logs, and end-of-support notices.

Windows Secure Boot certificate expiration

The Azure Local product team is aware of the upcoming expiration of the boot certificates of Windows devices and is actively working with solution OEM partners to deliver a managed update. Upcoming solution updates will initiate the mitigation process to address this scenario.

To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

Improvements

This security update contains fixes and quality improvements from KB5072033 (released December 9, 2025). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [Copilot] Fixed: This update addresses an issue where Ask Copilot didn't activate the Click to Do window as expected. The window now appears in the foreground when you share data with Copilot.

  • [File Explorer (known issue)] Fixed: This update addresses an issue where File Explorer briefly flashes white when you navigate between pages. This issue might occur after you install KB5070311.

  • [Networking] Fixed: This update fixes an issue where external virtual switches lose their physical network adapter (NIC) bindings after a host reboot. When this happens, the switches revert to internal mode, resulting in loss of network connectivity for virtual machines and blocking normal server operations.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

Known issues

The following is a known issue with this update.

Issue: The password icon might be missing or invisible in the lock screen sign-in options.

Symptoms: After installing the August 2025 non-security preview update (KB5064081) or later updates, you might notice that the password icon is not visible in the sign-in options on the lock screen. If you hover over the space where the icon should appear, you'll see that the password button is still available. Select this placeholder to open the password text box and enter your password. After entering your password, you can sign in normally.

Workaround: Microsoft is working to resolve this issue and will provide information when it's available.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the December 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB 5072033.

November OS security update (KB5068861) for Azure Local

This section provides the 2511 security updates associated with OS build 26200.7171 and 26100.7171 released on November 11, 2025, and also includes key notifications, announcements, change logs, and end-of-support notices.

Simplified Windows update titles

A new, standardized title format makes Windows updates easier to read and understand. It improves clarity by removing unnecessary technical elements like platform architecture. Key identifiers such as date prefixes, the KB number, and build or version are retained to help you quickly recognize each update.

Windows Secure Boot certificate expiration

The Azure Local product team is aware of the upcoming expiration of the boot certificates of Windows devices and is actively working with solution OEM partners to deliver a managed update. Upcoming solution updates will initiate the mitigation process to address this scenario.

To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

Improvements

This security update contains fixes and quality improvements from KB5068861 (released November 11, 2025). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [Gaming]

    • Fixed: This update addresses an issue that affects gaming handheld devices. These devices were unable to stay in low-power states, which caused faster battery drain.

    • Fixed: This update addresses an issue on some handheld gaming devices where after signing in using the built-in gamepad, the controller might not respond in apps for about five seconds, causing a delay. After you submit your password or PIN, the touch keyboard on the sign-in screen hides automatically.

  • [Storage] Fixed: This update addresses an issue that could cause some Storage Spaces to become inaccessible or Storage Spaces Direct to fail when creating a storage cluster.

  • [System utilities (known issue)] Fixed: This update addresses an issue where closing Task Manager with the Close button didn't fully end the process, leaving background instances that could slow performance over time. This might occur after installing KB5067036.

  • [Voice Access] Fixed: This update addresses an issue where Voice Access failed during initial setup if no microphone was connected and the voice model wasn't installed.

  • [Window management] Fixed: This update addresses an issue where selecting the desktop could unexpectedly open Task View.

  • [Networking] Fixed: This update fixes an issue in the HTTP.sys request parser, a Windows component that reads and processes HTTP requests. The parser allowed a single line break within HTTP/1.1 chunk extensions, where the RFC 9112 standard requires a carriage return and line feed (CRLF) sequence to terminate each chunk. This can cause a parsing discrepancy when front-end proxies are part of the setup.

To turn off strict parsing, use the following registry key and values:

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Http\Parameters

Registry value: "HttpAllowLenientChunkExtParsing"=dword:00000001

Data to be set: 1
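The difference between strict and lenient chunk parsing, as an added Python example (not Microsoft's code, and not part of the original article). It is a simplified model of RFC 9112 chunk framing: `parse_chunked` and `classify` are hypothetical names, the sample bodies are constructed, and trailer fields are not handled. It shows which request bodies stop being accepted once strict parsing is in force, which is what to check before deciding whether the lenient registry value is needed at all.

```python
"""Strict vs. lenient handling of HTTP/1.1 chunk-size lines (RFC 9112, section 7.1).

Simplified model for illustration only; it is not HTTP.sys code.
"""
from __future__ import annotations

CRLF = b"\r\n"
HEXDIGITS = b"0123456789abcdefABCDEF"


class ChunkFramingError(ValueError):
    """The chunked body violates the framing rules in force."""


def _read_chunk_line(body: bytes, pos: int, lenient: bool) -> tuple[bytes, int]:
    """Return (chunk-size line without its terminator, offset of the next byte)."""
    lf = body.find(b"\n", pos)
    if lf == -1:
        raise ChunkFramingError("chunk-size line is not terminated")
    if lf > pos and body[lf - 1] == 0x0D:
        line, nxt = body[pos:lf - 1], lf + 1      # proper CRLF terminator
    elif lenient:
        line, nxt = body[pos:lf], lf + 1          # bare LF tolerated (lenient model)
    else:
        raise ChunkFramingError(f"bare LF at offset {lf} in chunk-size line")
    if b"\r" in line:
        raise ChunkFramingError("stray CR inside chunk-size line")
    return line, nxt


def parse_chunked(body: bytes, lenient: bool = False) -> list[bytes]:
    """Decode a chunked body into its data chunks (trailer fields not supported)."""
    chunks: list[bytes] = []
    pos = 0
    while True:
        line, pos = _read_chunk_line(body, pos, lenient)
        # chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF; extensions are ignored.
        size_field = line.split(b";", 1)[0].strip(b" \t")
        if not size_field or any(c not in HEXDIGITS for c in size_field):
            raise ChunkFramingError(f"invalid chunk size {size_field!r}")
        size = int(size_field, 16)
        if size == 0:
            if body[pos:pos + 2] != CRLF:
                raise ChunkFramingError("last chunk is not followed by CRLF")
            return chunks
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != CRLF:
            raise ChunkFramingError("chunk data is not followed by CRLF")
        chunks.append(data)
        pos += size + 2


def classify(body: bytes) -> str:
    """'strict-ok', 'lenient-only' (rejected once strict parsing is on) or 'malformed'."""
    for lenient, verdict in ((False, "strict-ok"), (True, "lenient-only")):
        try:
            parse_chunked(body, lenient=lenient)
            return verdict
        except ChunkFramingError:
            continue
    return "malformed"


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "conformant": b"5;ext=a\r\nhello\r\n0\r\n\r\n",
    "bare_lf_in_ext": b"5;ext=a\nhello\r\n0\r\n\r\n",
    "truncated": b"5\r\nhel",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:15} {classify(body)}")
```

Bodies classified as `lenient-only` come from clients that terminate a chunk-size line with a bare LF; fixing those clients removes the need for the lenient setting.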

If you've already installed previous updates, your device will download and install only the new updates included in this package.

Known issues

Microsoft is not currently aware of any issues with this update.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the November 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB 5068861.

October OS security updates (KB5066780 and KB5066835) for Azure Local

For the 2510 release of Azure Local, Microsoft released two security updates, each corresponding to a specific OS build. The following table provides the details of these security updates, including their associated OS builds and release dates.

Security update OS build Release date
KB5066780 25398.1913 October 14, 2025
KB5066835 26100.6899, 26200.6899 October 14, 2025

This section provides the 2510 security updates associated with OS build 25398.1913.

Windows Secure Boot certificate expiration

The Azure Local product team is aware of the upcoming expiration of the boot certificates of Windows devices and is actively working with solution OEM partners to deliver a managed update. Upcoming solution updates will initiate the mitigation process to address this scenario.

To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

Improvements

This security update contains fixes and quality improvements from KB5066780 (released October 14, 2025). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [Input]

    • Fixed: An issue where some characters didn't display correctly when using the Chinese Input Method Editor (IME).
    • Fixed: This update addresses an issue where certain Chinese characters appeared as empty boxes in some text fields, such as those used in Connection Manager Administration Kit, when a character limit was set.
  • [Networking (known issue)] Fixed: This update addresses an issue where you might not be able to connect to shared files and folders if you're using the Server Message Block (SMB) v1 protocol on NetBIOS over TCP/IP (NetBT). This can happen after installing update KB5065425.

  • [PowerShell] Fixed: This update addresses an issue that affects PowerShell Remoting and Windows Remote Management (WinRM). Commands might time out after 10 minutes.

  • [Stability] Fixed: This update addresses an issue, observed in rare cases after installing the May 2025 security update and subsequent updates, that caused devices to experience stability issues. Some devices became unresponsive in specific scenarios.

  • [Compatibility] Fixed: This update removes the ltmdm64.sys driver. Fax modem hardware dependent on this specific driver will no longer work in Windows.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For more information about security vulnerabilities, see the Security Update Guide and the October 2025 Security Updates.

Known issues

Microsoft is not currently aware of any issues with this update.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the October 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5066780.

September OS security updates (KB5065425 and KB5065426) for Azure Local

For the 2509 release of Azure Local, Microsoft released two security updates, each corresponding to a specific OS build. The following table provides the details of these security updates, including their associated OS builds and release dates.

Security update OS build Release date
KB5065425 25398.1849 September 09, 2025
KB5065426 26100.6584 September 09, 2025

This section provides the 2509 security updates associated with OS build 25398.1849.

Windows Secure Boot certificate expiration

The Azure Local product team is aware of the upcoming expiration of the boot certificates of Windows devices and is actively working with solution OEM partners to deliver a managed update. Upcoming solution updates will initiate the mitigation process to address this scenario.

To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change.

  • [App compatibility (known issue)] Fixed: Addresses an issue that caused non-admin users to receive unexpected User Account Control (UAC) prompts when MSI installers perform certain custom actions. These actions might include configuration or repair operations in the foreground or background, during the initial installation of an application.

    This issue could prevent non-admin users from running apps that perform MSI repairs, including Office Professional Plus 2010 and multiple applications from Autodesk (including AutoCAD). This fix reduces the scope for requiring UAC prompts for MSI repairs and enables IT admins to disable UAC prompts for specific apps by adding them to an allow list.

    For more information, see Unexpected UAC prompts when running MSI repair operations after installing the August 2025 Windows security update.

  • [Device management] Fixed: An issue where the removable storage policy didn't correctly block external devices such as USB flash drives.

  • [File sharing] Fixed: This update addresses an issue where accessing files on a Server Message Block (SMB) share over Quick UDP Internet Connections (QUIC) might result in unexpected delays.

  • [File server] This update enables auditing of SMB client compatibility for SMB Server signing and SMB Server EPA. This allows customers to assess their environment and identify any potential device or software incompatibility issues before deploying the hardening measures that are already supported by SMB Server. For detailed guidance, see CVE-2025-55234.

  • [Input]

    • Fixed: This update fixes an issue where using Snap to organize desktop windows could cause the system to stop responding.

    • Fixed: An issue in Desktop Window Manager (uDWM) might cause the screen to stop responding during certain display operations.

    • Fixed: This update addresses an issue with the Chinese (Simplified) Input Method Editor (IME) where some extended characters appeared as empty boxes.

  • [Performance] Improved: Added support for Certificate Revocation List (CRL) partitioning in Windows Certificate Authorities.

Known issues

Microsoft is not currently aware of any issues with this update.

To install

Before you install this update

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the September 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

Install this update

Release Channel Available Next Step
Windows Update and Microsoft Update Yes This update downloads and installs automatically from Windows Update.
Windows Update for Business Yes This update downloads and installs automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog.
Windows Server Update Services (WSUS) Yes This update automatically syncs with WSUS if you configure Products and Classifications as follows:
Product: Azure Stack HCI
Classification: Security Updates

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5065425.

August OS security updates (KB5063899 and KB5063878) for Azure Local

For the 2508 release of Azure Local, Microsoft released two security updates, each corresponding to a specific OS build. The following table provides the details of these security updates, including their associated OS builds and release dates.

Security update OS build Release date
KB5063899 25398.1791 August 12, 2025
KB5063878 26100.4946 August 12, 2025

This section provides the 2508 security updates associated with OS build 25398.1791.

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change.

  • [Input] Fixed: An issue when using the Microsoft Changjie IME (input method editor) for Traditional Chinese might cause problems such as not being able to form or select words, unresponsive spacebar or blank key, incorrect word output, or a broken candidate window display. This can occur after installing KB5062570.

Known issues

Microsoft is not currently aware of any issues with this update.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the August 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5063899.

July OS security updates (KB5062570 and KB5062553) for Azure Local

For the 2507 release of Azure Local, Microsoft released two security updates, each corresponding to a specific OS build. The following table provides the details of these security updates, including their associated OS builds and release dates.

Security update OS build Release date
KB5062570 25398.1732 July 8, 2025
KB5062553 26100.4652 July 8, 2025

This section provides the 2507 security updates associated with OS build 25398.1732.

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change.

  • [DNS Server] Fixed: This update addresses an issue where a full zone transfer can't be completed from a Windows DNS server to another DNS server when Extension Mechanisms for DNS is enabled.

  • [Language and character support] Fixed: An issue that affected some Chinese characters and caused compliance issues with GB18030. These characters didn't display correctly or weren't accepted when using extended Unicode. A modern ICU-based solution now properly supports GB18030-2022 requirements.

  • [Performance] Fixed: This update addresses an issue that prevented the complete removal of unused language packs and Feature on Demand packages, which previously led to unnecessary storage use and longer Windows Update installation times.

  • [Security] Fixed: This update upgrades the curl tool in Windows to version 8.13.0 to help protect against potential security risks, including unauthorized access to data or service disruptions.

  • [Microsoft RPC Netlogon protocol] Fixed: This update includes a security hardening change to the Microsoft RPC Netlogon protocol. This change improves security by tightening access checks for a set of remote procedure call (RPC) requests. After this update is installed, Active Directory domain controllers will no longer allow anonymous clients to invoke some RPC requests through the Netlogon RPC server. These requests are typically related to domain controller location. Certain file and print service software can be affected, including Samba. If your organization uses Samba, please refer to the Samba release notes.

Known issues

Microsoft is not currently aware of any issues with this update.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the July 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5062570.

June OS security updates (KB5060118 and KB5060842) for Azure Local

For the 2506 release of Azure Local, Microsoft released two security updates, each corresponding to a specific OS build. The following table provides the details of these security updates, including their associated OS builds and release dates.

Security update OS build Release date
KB5060118 25398.1665 June 10, 2025
KB5060842 26100.4349 June 10, 2025

This section provides the 2506 security updates associated with OS build 25398.1665.

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change.

  • [Graphics] Fixed: An issue where some characters appear wider than standard characters, and the sample paragraph in the font preview section doesn't display correctly.

  • [Memory leak] Fixed: This update addresses an issue in the Input Service that causes increased memory usage, potentially impacting performance in multi-user, multilingual, and remote desktop environments.

  • [Windows Hello] Fixed: This update addresses an issue that prevents users from signing in with self-signed certificates when using Windows Hello for Business with the Key Trust model.

Known issues

Microsoft is not currently aware of any issues with this update.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the June 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5060118.

May OS security updates (KB5058384 and KB5058411) for Azure Local

For the 2505 release of Azure Local, Microsoft released two security updates, each corresponding to a specific OS build. The following table provides the details of these security updates, including their associated OS builds and release dates.

Security update OS build Release date
KB5058384 25398.1611 May 13, 2025
KB5058411 26100.4061 May 13, 2025

This section provides the 2505 security updates associated with OS build 25398.1611.

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change.

  • [Graphics] Fixed: This update addresses an issue where users are unable to export or generate PDF or XLSX format reports with charts.

  • [Graphics kernel] Fixed: This update addresses an issue that affects users trying to start a new console session after closing the previous one, where the new session doesn't start successfully.

  • [Windows Kernel Vulnerable Driver Blocklist file (DriverSiPolicy.p7b)] This update adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.

  • [Azure Virtual Network] Fixed: You can turn off the network interface card (NIC) symmetry check feature with the following registry keys:

    • Registry key: SYSTEM\CurrentControlSet\Services\NetworkAtc\

    • Registry value: NicSymmetryCheckEnabled

Known issues

Microsoft is not currently aware of any issues with this update.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the May 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

Note

This LCU includes an update for AI components in the Microsoft Update Catalog. Even though the AI component updates are included in this LCU, the AI components are only applicable to Windows Copilot+ PCs and won't install on Windows PC or Windows Server.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5058384.

April OS security updates (KB5055527 and KB5055523) for Azure Local

For the 2504 release of Azure Local, Microsoft released two security updates, each corresponding to a specific OS build. The following table provides the details of these security updates, including their associated OS builds and release dates.

Security update OS build Release date
KB5055527 25398.1551 April 12, 2025
KB5055523 26100.3775 April 12, 2025

This section provides the 2504 security updates associated with OS build 25398.1551.

Improvements

This security update includes quality improvements. Here is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change.

  • [Daylight saving time (DST)] Update for the Aysen region in Chile to support the government DST change order in 2025. For more info about DST changes, see the Daylight Saving Time & Time Zone Blog.

Known issues

The following is a known issue with this update.

Symptom

Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to "Something didn't go as planned. No need to worry – undoing changes" appears. The device then reverts to the Windows updates previously present on the device. This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users aren't expected to be affected by this issue.

Workaround

The issue has been resolved in Citrix Session Recording Agent version 2503, released on April 28, 2025, and newer versions.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the April 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5055527.

March OS security update (KB5053599) for Azure Local

This article describes the OS security update for Azure Local that was released on March 11, 2025 and applies to OS build 25398.1486.

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change.

  • [Daylight saving time (DST)] This update supports DST changes in Paraguay.

  • [Open Secure Shell (OpenSSH) (known issue)] Fixed: The service fails to start, which stops SSH connections. There's no detailed logging, and you must run the sshd.exe process manually.

  • [GB18030-2022] This update adds support for this amendment.

  • [Azure Virtual Network] Fixed: You can turn off the virtual network metering feature with the following registry key:

    HKLM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet

    Registry value: MeteringDisabled (DWORD type)

    Data to be set: 1

Known issues

The following is a known issue with this update.

Symptom

Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to "Something didn't go as planned. No need to worry – undoing changes" appears. The device will then revert to the Windows updates previously present on the device. This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users are not expected to be affected by this issue.

Workaround

The issue has been resolved in Citrix Session Recording Agent version 2503, released on April 28, 2025, and newer versions.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the March 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5053599.

February OS security update (KB5051980) for Azure Local

This article describes the OS security update for Azure Local that was released on February 11, 2025 and applies to OS build 25398.1425.

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change.

  • [Cluster stability] Fixed: Many machines within the same system suddenly shut down. The network is less available, and latency rises.

  • [Task Manager] Fixed: The CPU index number might be wrong when you set process affinity. This occurs on servers that have two or more non-uniform memory access (NUMA) nodes.

  • [GB18030-2022] This update adds support for this amendment.

  • [Memory leak] Fixed: Leaks occur when predictive input ideas show.

  • [Windows Kernel Vulnerable Driver Blocklist file (DriverSiPolicy.p7b)] This update adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.

  • [Virtual machine (VM) storage pool] Fixed: Some operations that rely on a storage pool stop working. This occurs because the virtual machine (VM) can't reclaim disk space to do tasks such as load balancing.

  • [USB cameras] Fixed: Your device does not recognize the camera is on. This issue occurs after you install the January 2025 security update.

  • [Digital/Analog converter (DAC)] Fixed: You might experience issues with USB audio devices. This is more likely when you use a DAC audio driver based on USB 1.0. USB audio devices might stop working, which stops playback.

Known issues

The following is a known issue with this update.

Symptom

Following the installation of the October 2024 security update, some customers report that the OpenSSH (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the sshd.exe process.

This issue is affecting enterprise, IoT, and education customers, with a limited number of devices impacted. Microsoft is investigating whether consumer customers using Home or Pro editions of Windows are also affected.

Workaround

You can temporarily resolve this issue by updating permissions (ACLs) on the affected directories. Follow these steps:

  1. Open PowerShell as an administrator.

  2. Update the permissions for C:\ProgramData\ssh and C:\ProgramData\ssh\logs to allow full control for System and the Administrators group, while allowing read access for Authenticated Users. You can restrict read access to specific users or groups by modifying the permissions string if needed.

  3. Use the following commands to update the permissions:

    # Target directory; run again with C:\ProgramData\ssh\logs (step 4).
    $directoryPath = "C:\ProgramData\ssh"
    $acl = Get-Acl -Path $directoryPath
    # Owner: Administrators; full control for SYSTEM and Administrators; read and execute for Authenticated Users.
    $sddlString = "O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)"
    $securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString
    $acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All"))
    Set-Acl -Path $directoryPath -AclObject $acl
    
  4. Repeat the above steps for C:\ProgramData\ssh\logs.
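What the permissions string in step 3 grants, as an added Python example that is not part of the original article: a decoder for the subset of SDDL that string uses, so an edited string can be checked offline before it is applied. `parse_sddl`, `trustees_with_modify` and `describe` are hypothetical helper names, and the alias tables cover only the tokens needed here.

```python
"""Decode the subset of SDDL used by the OpenSSH directory workaround string."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The permissions string from step 3 of the workaround.
WORKAROUND_SDDL = "O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)"

# File and directory access-right bits (winnt.h).
FILE_BITS = {
    0x000001: "ReadData/ListDirectory",
    0x000002: "WriteData/AddFile",
    0x000004: "AppendData/AddSubdirectory",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute/Traverse",
    0x000040: "DeleteChild",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "Delete",
    0x020000: "ReadControl",
    0x040000: "WriteDAC",
    0x080000: "WriteOwner",
    0x100000: "Synchronize",
}
# Any of these bits lets a trustee change content, permissions or ownership.
MODIFY_MASK = (0x000002 | 0x000004 | 0x000010 | 0x000040 | 0x000100
               | 0x010000 | 0x040000 | 0x080000)
# Only the aliases needed here; SDDL defines many more.
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
SID_ALIASES = {"SY": "Local System", "BA": "Builtin Administrators",
               "AU": "Authenticated Users"}
ACE_TYPES = {"A": "allow", "D": "deny"}


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    inherit: tuple  # inheritance flags, e.g. ("OI", "CI")
    mask: int       # access mask
    trustee: str    # resolved alias, or the raw SID string

    @property
    def rights(self) -> list[str]:
        return [name for bit, name in FILE_BITS.items() if self.mask & bit]

    @property
    def can_modify(self) -> bool:
        return self.kind == "allow" and bool(self.mask & MODIFY_MASK)


def _mask(rights: str) -> int:
    """Turn the rights field (hex literal or two-letter aliases) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"malformed rights field {rights!r}")
    mask = 0
    for alias in re.findall("..", rights):
        if alias not in RIGHTS_ALIASES:
            raise ValueError(f"unsupported rights alias {alias!r}")
        mask |= RIGHTS_ALIASES[alias]
    return mask


def parse_sddl(sddl: str) -> dict:
    """Split O:<owner>D:<flags>(<ace>)... into owner, protection flag and ACEs."""
    m = re.fullmatch(
        r"O:(?P<owner>[A-Z]{2}|S-[\d-]+)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)",
        sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        fields = body.split(";")  # type;flags;rights;object;inherit-object;sid
        if len(fields) < 6 or fields[0] not in ACE_TYPES:
            raise ValueError(f"unsupported ACE {body!r}")
        aces.append(Ace(ACE_TYPES[fields[0]], tuple(re.findall("..", fields[1])),
                        _mask(fields[2]), SID_ALIASES.get(fields[5], fields[5])))
    return {
        "owner": SID_ALIASES.get(m["owner"], m["owner"]),
        # "P" marks the DACL as protected: nothing is inherited from the parent.
        "protected": "P" in re.findall("AR|AI|P", m["flags"]),
        "aces": aces,
    }


def trustees_with_modify(sddl: str) -> list[str]:
    """Trustees whose allow ACE carries any write, delete or ownership bit."""
    return [a.trustee for a in parse_sddl(sddl)["aces"] if a.can_modify]


def describe(sddl: str) -> list[str]:
    sd = parse_sddl(sddl)
    lines = [f"owner={sd['owner']} protected={sd['protected']}"]
    for ace in sd["aces"]:
        scope = "+".join(ace.inherit) or "this object only"
        lines.append(f"{ace.kind} {ace.trustee} [{scope}]: {', '.join(ace.rights)}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(WORKAROUND_SDDL)))
    print("can modify:", trustees_with_modify(WORKAROUND_SDDL))
```

For the string in step 3, only Local System and Builtin Administrators hold modify rights; the `0x1200a9` mask for Authenticated Users decodes to read and execute with no write bits.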

Microsoft is actively investigating the issue and will provide a resolution in an upcoming Windows update. Further communications will be provided when a resolution or addition is available.

To install

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the February 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB 5051980.

January OS security update (KB5049984) for Azure Local

This article describes the OS security update for Azure Local that was released on January 14, 2025 and applies to OS build 25398.1369.

Improvements

This security update includes quality improvements. Here is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change.

  • [Virtual machine (VM)] Fixed: A Windows guest machine fails to start up. This occurs when you turn on nested virtualization on a host that supports Advanced Vector Extensions 10 (AVX10).

  • [Windows Kernel Vulnerable Driver Blocklist file (DriverSiPolicy.p7b)] This update adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.

  • [Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration] Fixed: You can't retrieve LAN over USB details on a certain platform. This occurs when you install two drivers on a device, and one of them has a different class ID. If you still have this issue after you install this update, run the commands below with administrative rights.

    • pnputil /remove-device <Instance ID>
    • pnputil /scan-devices

Known issues

Microsoft is not currently aware of any issues with this update.

To install this update

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For more information about security vulnerabilities addressed by this update, see the Security Update Guide and the January 2025 Security Updates.

To install the LCU on your Azure Local instance, see Update Azure Stack Local instances.

File list

For a list of the files that are provided in this update, download the file information for Cumulative update KB5049984.

Next steps