Microsoft's June 10, 2025 cumulative update KB5060999 lands squarely on Patch Tuesday, shipping with a long-awaited fix for a graphics-related Remote Desktop connection bug that has been frustrating users since May. For Windows 11 versions 22H2 (Build 22621.5472) and 23H2 (Build 22631.5472), the update also bundles the month's security patches, a servicing stack refresh, and a pair of known issues that IT administrators should note before mass deployment.
The Remote Desktop fix headlines the quality improvements. Ever since the optional preview update KB5058502 arrived on May 27, some users could no longer establish remote sessions, instead hitting cryptic errors: "The Remote Desktop Services session has ended" or "A remote desktop connection cannot be established." The problem stemmed from a flaw in the graphics support subsystem that handles display redirection for RDP connections. With KB5060999, Microsoft says the graphics component now behaves correctly, restoring full Remote Desktop functionality for affected machines. For organizations that lean heavily on RDP for remote work, server administration, or helpdesk support, this fix alone makes the update critical.
The security side of KB5060999 follows the standard Patch Tuesday cadence. Microsoft is characteristically tight-lipped about the specific vulnerabilities addressed in cumulative updates, referring users to the Security Update Guide for full details. However, these monthly rollups typically cover elevation-of-privilege flaws, remote code execution avenues, and denial-of-service vectors across Windows kernel, networking, and user-mode components. For 22H2 and 23H2, which share a common codebase, the security fixes are identical. The company rates the majority of these flaws as "Important," the second-highest severity level, underscoring why applying the update promptly is a best practice.
Beyond the Remote Desktop patch, KB5060999 inherits all quality fixes from the previous optional update KB5058502. That preview release introduced several under-the-hood tweaks: improved reliability for Bluetooth controllers, fixes for a memory leak in lsass.exe that could degrade authentication performance on domain controllers, and corrections for printing scenarios involving Internet Printing Protocol (IPP). Because KB5058502 was optional, many users skipped it, making this mandatory security vehicle the first time these repairs reach the general Windows 11 fleet. The cumulative nature of Windows Update means that installing KB5060999 automatically rolls in all those predecessor fixes, even if the device never saw the optional preview.
Also packed inside the update is a servicing stack update (SSU), KB5058546. The servicing stack is the siloed component that handles the installation and removal of Windows updates. Microsoft periodically refreshes it to improve the robustness of the update process itself. Including an SSU ensures that the mechanism responsible for deploying future patches is solid and less likely to trip over itself during installation. For IT pros, the takeaway is simple: this SSU is wrapped directly into the cumulative update package, so no separate download is needed. The combination improves overall reliability when the monthly dance of Patch Tuesday begins again in July.
Two known issues accompany the release, and both deserve close attention.
First, the Noto fonts rendering glitch introduced in the March 2025 preview update persists. Websites or applications that rely on Chromium-based browsers (Microsoft Edge, Google Chrome, Brave, and others) may display blurry or misaligned Chinese, Japanese, and Korean (CJK) characters when the display scaling is set to 100% (96 DPI). The problem stems from Microsoft's decision to use Noto fonts as fallbacks when a page doesn't specify an appropriate font. At 96 DPI, the limited horizontal and vertical pixel count can distort the complex strokes of CJK glyphs. The result is text that looks fuzzy, with uneven spacing and characters that are hard to recognize. Microsoft recommends a workaround: bump the display scaling to 125% or 150%. That effectively increases the number of pixels per glyph, improving clarity. The trade-off is that some UI elements will appear larger, which may not be ideal for users who prefer tiny text. The issue is confined to Chromium-based browsers; Firefox and other engines using their own font rendering paths are unaffected. Microsoft has not yet provided a timeline for a permanent fix, so users who run at 100% scaling should decide whether to live with the blurry text or accept the larger UI until a resolution arrives.
Second, organizations using quality update deferral policies may notice a delay in receiving KB5060999. Although the update was released on June 10, its metadata timestamp reads June 20, 2025. This discrepancy can cause devices configured with, say, a 10-day deferral period to block the update until June 30 instead of June 20. The root cause is an internal metadata value that Microsoft has confirmed it will not change. The workaround is to create an expedite policy via Windows Autopatch or to temporarily shorten or remove the deferral window for targeted devices. This problem does not affect the vast majority of consumer users who rely on default Windows Update settings; it applies only to managed environments where IT administrators have deliberately enforced deferral periods. The actual content and security of the update are unchanged—only the timing of its availability is impacted.
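The deferral arithmetic described above can be checked on a managed device with the following PowerShell sketch. It is an added example, not code from Microsoft or from this article; it assumes the deferral is set through the standard Group Policy or MDM registry locations and uses the two dates given above.

```powershell
# Added example: estimate when a deferred device is offered KB5060999.
# Dates are the ones stated in the article; the registry paths are the
# Group Policy and MDM locations of the quality-update deferral setting.
$ReleaseDate  = [datetime]'2025-06-10'   # actual release (Patch Tuesday)
$MetadataDate = [datetime]'2025-06-20'   # timestamp carried in the update metadata

function Get-QualityDeferralDays {
    # Check the Group Policy location first, then the MDM (PolicyManager) one.
    $gp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    foreach ($path in $gp, $mdm) {
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -ne $p -and $null -ne $p.DeferQualityUpdatesPeriodInDays) {
            # Under Group Policy the period only applies when DeferQualityUpdates = 1.
            if ($path -eq $gp -and $p.DeferQualityUpdates -ne 1) { continue }
            return [int]$p.DeferQualityUpdatesPeriodInDays
        }
    }
    return 0   # no quality-update deferral configured
}

function Get-OfferWindow {
    param([int]$DeferralDays)
    [pscustomobject]@{
        DeferralDays  = $DeferralDays
        ExpectedOffer = $ReleaseDate.AddDays($DeferralDays)    # what the admin planned for
        ActualOffer   = $MetadataDate.AddDays($DeferralDays)   # what the metadata date produces
        ExtraDelay    = ($MetadataDate - $ReleaseDate).Days    # days the device stays unpatched
    }
}

# This device's configured deferral:
Get-OfferWindow -DeferralDays (Get-QualityDeferralDays)

# Constructed sample matching the 10-day case described above:
Get-OfferWindow -DeferralDays 10
```

Devices that report a non-zero deferral are the ones to target with an expedite policy or a shortened deferral window.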
Installation is straightforward. The update will download and install automatically via Windows Update; users can also grab the standalone package from the Microsoft Update Catalog for offline deployment or network distribution. After installation, a reboot is required. Those who need to uninstall the cumulative update later must use the DISM command-line tool, specifying the LCU package name. Running wusa.exe with the /uninstall flag will not work because the SSU is bundled and cannot be removed separately. The sequence is to run DISM /online /get-packages to find the package name, then DISM /online /Remove-Package /PackageName:[name] to remove it. This limitation is long-standing: once an SSU is installed, it becomes permanent, and the LCU is the only component that can be rolled back.
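To fill in the [name] placeholder reliably, the PowerShell sketch below locates the installed LCU and prints the matching DISM removal command. It is an added example, not taken from Microsoft's documentation or this article; the Package_for_RollupFix naming pattern is an assumption about how the LCU appears in the package list, and the revision number comes from the build numbers given at the top of the article.

```powershell
# Added example: find the KB5060999 LCU package and build the rollback command.
# Run from an elevated PowerShell session.
$Revision = '5472'   # update build revision from the article (22621.5472 / 22631.5472)

# Assumption: the LCU is listed as Package_for_RollupFix with the build in its name.
$lcu = Get-WindowsPackage -Online |
    Where-Object {
        $_.PackageName -like "Package_for_RollupFix*.$Revision.*" -and
        $_.PackageState -eq 'Installed'
    } |
    Sort-Object InstallTime -Descending |
    Select-Object -First 1

if (-not $lcu) {
    Write-Warning "No installed LCU with revision $Revision found; nothing to remove."
    return
}

# Show what was matched so the package can be verified before removal.
$lcu | Format-List PackageName, PackageState, ReleaseType, InstallTime

# Print the command instead of running it, so the rollback stays a deliberate step.
"DISM /Online /Remove-Package /PackageName:$($lcu.PackageName)"
```

Removing the LCU also removes the month's security fixes, so a rolled-back device should be tracked until it is patched again.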
For Windows 11 22H2 and 23H2 users, KB5060999 is a mandatory installation. The Remote Desktop fix alone justifies an immediate rollout, especially for those who have been living with connection failures. The security patches, while routine, close active attack surfaces. The known issues, particularly the CJK font rendering bug, may give some users pause, but the workaround is simple and effective. Deferral policy hiccups are manageable for IT shops with basic policy tweaks. As always, the Patch Tuesday rhythm demands vigilance, but this edition brings more relief than burden. Given that 22H2 will eventually sunset and 23H2 remains the stable enterprise baseline, Microsoft continues to deliver measured, iterative improvements that keep the platform humming—one cumulative update at a time.