Patch Review Recommendations

Flexis March 2025 Patch Recommendation

Patches Microsoft released in March 2025:

 

  • KB5053603: 2025-03 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems
  • KB5053596: 2025-03 Cumulative Update for Windows Server 2019 for x64-based Systems
  • KB5053594: 2025-03 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB5054006: 2025-03 Servicing Stack Update for Windows Server 2016 for x64-based Systems

Impacted Products:

Microsoft-Windows

Microsoft Windows

Microsoft-Edge

Microsoft Edge

(HTML-based)

Microsoft-Edge

Microsoft Edge

 (Chromium-based)

Internet-Explorer

Internet Explorer

Microsoft-Office

Microsoft Office and Microsoft Office Services and Web Apps

Windows-Defenser

Windows Defender

Visual-Studio

Visual Studio

6

ASP.NET Core

Untitled design (1)

Chakra Core

Microsoft-Dynamics

Microsoft Dynamics

NET-Framework

.NET Framework

NET-Core

.NET Core

Please note the following information regarding the security updates:

Windows 10 Enterprise and Education and Windows 10 Home and Pro lifecycle pages, Windows 10 will reach end of support on October 14, 2025. The current version, 22H2, will be the final version of Windows 10. The following editions will remain in support with monthly security update releases through that date:

Home

Pro

Pro Education

Pro for Workstations

Education

Enterprise

Enterprise multi-session

KB5053603: Windows Server 2022

Improvements

This security update includes quality improvements. The following summary outlines key issues addressed by the KB update after you install it. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

  • [Daylight saving time (DST)] This update supports (DST) changes in Paraguay.
  • [Open Secure Shell (OpenSSH) (known issue)] Fixed: The service fails to start, which stops SSH connections. There is no detailed logging, and you must run the sshd.exe process manually.
  • [GB18030-2022] This update adds support for this amendment.
  • [Azure Virtual Network] Fixed: You can turn off the VNET metering feature with the following registry key.

Registry key: HKLM\CurrentControlSet\Services\NcHostAgent\Parameters\Plugins\Vnet

Registry key: MeteringDisabled (DWORD type)

Data to be set: 1

There is no known issue with this update.

KB5053596: Win 10 Ent LTSC 2019 Win 10 IoT Ent LTSC 2019 Windows 10 IoT Core LTSC Windows Server 2019

Improvements

  • [Daylight saving time (DST)] Updated: DST changes for Paraguay. For more information, see the Daylight Saving Time & Time Zone Blog.
  • [GB18030-2022] This update adds support for this amendment.
  • [Temporary files] This update enables system processes to store temporary files in a secure directory “C:\Windows\SystemTemp” via either calling GetTempPath2 API or using .NET’s GetTempPath API, thereby reducing the risk of unauthorized access.
  • [Open Secure Shell (OpenSSH) (known issue)] Fixed: The service fails to start, which stops SSH connections. There is no detailed logging, and you must run the sshd.exe process manually.

 

 

 

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. 

For more information about security vulnerabilities, please refer to the new Security Update Guide website and the March 2025 Security Updates.

Windows 10 servicing stack update (KB5054007) – 17763.7000

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing updates.

Known issues in this update

Symptoms

Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024.
 
Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to “Something didn’t go as planned. No need to worry – undoing changes” appears. The device will then revert to the Windows updates previously present on the device. 
 This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users are not expected to be affected by this issue. 

Workaround

Citrix has documented this issue, including a workaround, which can be performed prior to installing the January 2025 Windows security update. For details, see Citrix’s documentation.

Microsoft is working with Citrix to address this issue and will update this documentation once a resolution is available. 

KB5053594: Windows 10, version 1607, all editions Windows Server 2016, all editions

Improvement

  • [Temporary files] This update enables system processes to store temporary files in a secure directory “C:\Windows\SystemTemp” via either calling GetTempPath2 API or using .NET’s GetTempPath API, thereby reducing the risk of unauthorized access.
  • [Use-after-free (UAF) risk] Fixed: A race condition might lead to a UAF risk during process creation.
  • [Daylight saving time (DST)] Updated: DST changes for Paraguay. For more information, see the Daylight Saving Time & Time Zone Blog.

Microsoft is not currently aware of any issues with this update.

KB5054006: Win 10 Ent LTSB 2016 Win 10 IoT Ent LTSB 2016 Windows Server 2016

This servicing stack update (SSU) makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates make sure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.​​​​​​​

Important Not installing the latest SSU before applying Windows updates might result in the Windows update not being offered until the latest SSU is installed.