Windows Secure Boot certificate expiration
Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance. For details and preparation steps, see Windows Secure Boot certificate expiration and CA updates.
Support for Windows Server 2008 R2 will end in January 2026
Windows Server 2008 R2 Premium Assurance will end on January 13, 2026.
Windows Server 2008 R2 Extended Security Updates (ESU) ended on January 10, 2023. Additionally, Extended Security Updates on Azure only support ended on January 9, 2024. For more information, see Extended Security Updates for Windows Server overview.
We recommend that you upgrade to a later version of Windows Server. For more information, see Overview of Windows Server upgrades.
Summary
Learn more about this cumulative security update, including improvements, any known issues, and how to get the update.
For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, see Description of the standard terminology that is used to describe Microsoft software updates. To view other notes and messages, see Windows 7 SP1 and Windows Server 2008 R2 SP1 update history.
Improvements
This security update includes fixes and quality improvements that were a part of the following update:
The following is a summary of the issues that this update addresses. The bold text within the brackets indicates the item or area of the change we are documenting.
-
[Microsoft RPC Netlogon protocol] This update includes a security hardening change to the Microsoft RPC Netlogon protocol. This change improves security by tightening access checks for a set of remote procedure call (RPC) requests. After this update is installed, Active Directory domain controllers will no longer allow anonymous clients to invoke some RPC requests through the Netlogon RPC server. These requests are typically related to domain controller location. Certain file and print service software can be affected, including Samba. If your organization uses Samba, please refer to the Samba release notes.
For more information about the resolved security vulnerabilities, please refer to the Deployments | Security Update Guide and the July 2025 Security Updates.
Known issues in this update
We are currently not aware of any issues with this update. For the most up-to-date information about known issues for Windows Server 2008 R2 SP1, please go to the Windows release health dashboard.
How to get this update
Before installing this update
To install any Windows Server 2008 R2 Monthly Rollup released on or after January 14, 2025, you must first install the latest Servicing Stack Update (SSU). If your device or offline image does not have the latest SSU installed, you cannot install this update.
Caution: Until you install the SSU, this update will not be offered to your device. To reduce your security risk, install the SSU as soon as possible.
-
If you use Windows Update, the latest SSU (KB5056456) will be offered to you automatically. After the latest SSU is installed, you will be able to install this update.
-
If you use the Update Catalog, you must download and install the latest SSU (KB5056456). After the latest SSU is installed, you will be able to install this update.
-
If you are a Windows Server Update Services (WSUS) administrator, you must approve SSU KB5056456 and this update KB5062632.
For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Language packs
If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Learn about adding a language pack to Windows.
Install this update
To install this update, use one of the following release channels.
|
Available |
Next step |
|
|
This update will be downloaded and installed automatically from Windows Update. |
|
Available |
Next step |
|
|
To get the standalone package for this update, go to the Microsoft Update Catalog website. To download updates from the Update Catalog, see Steps to download updates from the Windows Update Catalog. |
|
Available |
Next step |
|
|
This update will automatically sync with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows:
|
File information
A list of the files that are included in this update are provided in a CSV (Comma delimited) (*.csv) file. The file can be opened in a text editor such as Notepad or in Microsoft Excel.
