Flexis April 2025 Patch Recommendation
Patches Microsoft released in April 2025:
- KB5055526: 2025-04 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems
- KB5055519: 2025-04 Cumulative Update for Windows Server 2019 for x64-based Systems
- KB5055521: 2025-04 Cumulative Update for Windows Server 2016 for x64-based Systems
- KB5055661: 2025-04 Servicing Stack Update for Windows Server 2016 for x64-based Systems
Impacted Products:
Microsoft Windows
Microsoft Edge
(HTML-based)
Microsoft Edge
(Chromium-based)
Internet Explorer
Microsoft Office and Microsoft Office Services and Web Apps
Windows Defender
Visual Studio
ASP.NET Core
Chakra Core
Microsoft Dynamics
.NET Framework
.NET Core
Please note the following information regarding the security updates:
Windows 10 Enterprise and Education and Windows 10 Home and Pro lifecycle pages, Windows 10 will reach end of support on October 14, 2025. The current version, 22H2, will be the final version of Windows 10. The following editions will remain in support with monthly security update releases through that date:
Home
Pro
Pro Education
Pro for Workstations
Education
Enterprise
Enterprise multi-session
KB5055526: Windows Server 2022
Improvements
This security update includes quality improvements. The following summary outlines key issues addressed by the KB update after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
- [Daylight Saving Time (DST)] Update for the Aysen region in Chile to support the government DST change order in 2025. For more info about DST changes, see the Daylight Saving Time & Time Zone Blog.
- [OS Security] After installing this update or a later Windows update, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users. For more information, see CVE-2025-21204.
Known issues in this update
Symptoms
Citrix
Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024.
Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to “Something didn’t go as planned. No need to worry – undoing changes” appears. The device will then revert to the Windows updates previously present on the device.
This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users are not expected to be affected by this issue.
Active Directory Group Policy
Audit Logon/Logoff events in the local policy of the Active Directory Group Policy might not show as enabled on the device even if they are enabled and working as expected. This can be observed in the Local Group Policy Editor or Local Security Policy, where local audit policies show the “Audit logon events” policy with Security Setting of “No auditing”.
This issue might only manifest as a reporting inconsistency. It’s possible that logon events are correctly being audited on the device. However, the “Audit logon events” policy will reflect that this is not the case. Home users are unlikely to be affected by this issue, as logon auditing is generally only necessary in enterprise environments.
Workaround
Citrix
Citrix has documented this issue, including a workaround, which can be performed prior to installing the January 2025 Windows security update. For details, see Citrix’s documentation.
Microsoft is working with Citrix to address this issue and will update this documentation once a resolution is available.
Active Directory Group Policy
This issue was resolved by Windows update released April 11, 2025 (KB5058920). To keep your device performing at its best, make sure you have the latest update for your device. It contains important improvements and issue resolutions.
KB5055519: Win 10 Ent LTSC 2019 Win 10 IoT Ent LTSC 2019 Windows 10 IoT Core LTSC Windows Server 2019
Improvement
- [Daylight Saving Time (DST)] Update for the Aysen region in Chile to support the government DST change order in 2025. For more information about DST changes, see the Daylight Saving Time & Time Zone Blog.
- [OS Security] After installing this update or a later Windows update, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users. For more information, see CVE-2025-21204.
Windows 10 servicing stack update (KB5055662) – 17763.7125
Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing updates.
Symptoms
Citrix
Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024.
Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to “Something didn’t go as planned. No need to worry – undoing changes” appears. The device will then revert to the Windows updates previously present on the device.
This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users are not expected to be affected by this issue.
Active Directory Group Policy: Events in local policy
Audit Logon/Logoff events in the local policy of the Active Directory Group Policy might not show as enabled on the device even if they are enabled and working as expected. This can be observed in the Local Group Policy Editor or Local Security Policy, where local audit policies show the “Audit logon events” policy with Security Setting of “No auditing”.
This issue might only manifest as a reporting inconsistency. It’s possible that logon events are correctly being audited on the device. However, the “Audit logon events” policy will reflect that this is not the case. Home users are unlikely to be affected by this issue, as logon auditing is generally only necessary in enterprise environments.
This issue is resolved in the April 11, 2025—KB5058922 (OS Build 17763.7240) Out-of-band update. This out-of-band (OOB) update is available only on the Microsoft Update Catalog. Since this is a cumulative update, you do not need to apply any previous update before installing it, and it supersedes all previous updates. Installation of this OOB will require a device restart.
If your organization has not deployed this update yet and you utilize Active Directory Group Policy, we recommend you apply the April 11, 2025—KB5058922 (OS Build 17763.7240) Out-of-band update instead.
As always, we recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
If you install an update released on or after April 11, 2025, you do not need to use a workaround for this issue.
Workaround
Citrix
Citrix has documented this issue, including a workaround, which can be performed prior to installing the January 2025 Windows security update. For details, see Citrix’s documentation.
Microsoft is working with Citrix to address this issue and will update this documentation once a resolution is available.
Active Directory Group Policy: Events in local policy
This issue is resolved in the April 11, 2025—KB5058922 (OS Build 17763.7240) Out-of-band update. This out-of-band (OOB) update is available only on the Microsoft Update Catalog. Since this is a cumulative update, you do not need to apply any previous update before installing it, and it supersedes all previous updates. Installation of this OOB will require a device restart.
If your organization has not deployed this update yet and you utilize Active Directory Group Policy, we recommend you apply the April 11, 2025—KB5058922 (OS Build 17763.7240) Out-of-band update instead.
As always, we recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
If you install an update released on or after April 11, 2025, you do not need to use a workaround for this issue.
KB5055521: Windows 10, version 1607, all editions Windows Server 2016, all editions
Improvement
- [Daylight Saving Time (DST)] Update for the Aysen region in Chile to support the government DST change order in 2025. For more information about DST changes, see the Daylight Saving Time & Time Zone Blog.
- [OS Security] After installing this update or a later Windows update, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users. For more information, see CVE-2025-21204.
Symptoms
Active Directory Group Policy: Events in local policy
Audit Logon/Logoff events in the local policy of the Active Directory Group Policy might not show as enabled on the device even if they are enabled and working as expected. This can be observed in the Local Group Policy Editor or Local Security Policy, where local audit policies show the “Audit logon events” policy with Security Setting of “No auditing”.
This issue might only manifest as a reporting inconsistency. It’s possible that logon events are correctly being audited on the device. However, the “Audit logon events” policy will reflect that this is not the case. Home users are unlikely to be affected by this issue, as logon auditing is generally only necessary in enterprise environments.
Resolution
This issue is resolved in the April 11, 2025—KB5058921 (OS Build 14393.7973) Out-of-band update. This out-of-band (OOB) update is available only on the Microsoft Update Catalog. Since this is a cumulative update, you do not need to apply any previous update before installing it, and it supersedes all previous updates. Installation of this OOB will require a device restart.
If your organization has not deployed this update yet and you utilize Active Directory Group Policy, we recommend you apply the April 11, 2025—KB5058921 (OS Build 14393.7973) Out-of-band update instead.
As always, we recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
If you install an update released on or after April 11, 2025, you do not need to use a workaround for this issue.
KB5055661: Win 10 Ent LTSB 2016 Win 10 IoT Ent LTSB 2016 Windows Server 2016
Improvement
This servicing stack update (SSU) makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates make sure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.
Important Not installing the latest SSU before applying Windows updates might result in the Windows update not being offered until the latest SSU is installed.
Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.