KB5022661 for Windows Server 2008 R2 where to download?

Aaron Rousch 0 Reputation points
2026-05-26T13:54:22.7933333+00:00

Good Day

I am looking for kb5022661 to apply to my Windows Server 2008 R2 server. i can't seem to find it on the Microsoft Update Catalog

i am trying to update the anti-virus on that server and the newest version requires Trusted Signing

i already have the following installed

KB4490628 : Service Stacking

KB4474419 : SHA-2 Code Signing

KB5022661 is the only one missing on the server to allow the Anti-Virus update

Any help with this matter would be greatly appreciated

Thank you for your time

Windows for business | Windows Server | Devices and deployment | Install Windows updates, features, or roles
0 comments No comments

2 answers

Sort by: Most helpful
  1. Tan Vu 2,655 Reputation points Independent Advisor
    2026-05-26T14:38:12.2833333+00:00

    Hi Rousch,

    KB5022661 is not a normal standalone fix you install on Windows Server 2008 R2. Microsoft’s KB5022661 article says that for Windows 7 SP1 / Windows Server 2008 R2 SP1, Trusted Signing support is provided by KB5006743 (Monthly Rollup) or later, or KB5006728 (Security-only) or later.

    So on your Server 2008 R2 box, the important check is whether you have a 2021-10 update or newer from that line, not whether KB5022661 itself appears in the Update Catalog. KB4490628 and KB4474419 are useful prerequisites, but they are not the final requirement for Trusted Signing support. Microsoft also notes that machines must have the Microsoft Identity Verification Root Certificate Authority 2020 root certificate available. If the server is offline or auto root updates are disabled, that certificate must be installed manually.

    One more practical point: Windows 7 SP1 and Windows Server 2008 R2 SP1 reached extended support end on January 14, 2020. So if your antivirus vendor is asking for "KB5022661" specifically, that is likely a vendor-side requirement written for newer Windows versions, not a package you can directly obtain for 2008 R2.

    The best next step is to install the latest available Server 2008 R2 rollup/security-only update from that Trusted Signing support line, then verify the root certificate is present, and finally check with the antivirus vendor whether they support Server 2008 R2 at all for the new build.

    Was this answer helpful?

    1 person found this answer helpful.

  2. AI answer

    2026-05-26T13:54:39.8266667+00:00

    KB5022661 is not a standalone update package that can be downloaded and installed like a normal Windows update. It is a documentation KB that describes Windows support for the Trusted Signing (formerly Azure Code Signing) program and references the underlying platform requirements.

    For Windows Server 2008 R2, the relevant technical requirements are already covered by the updates that are installed on the server:

    • KB4474419 – SHA-2 code signing support
    • KB4490628 – Servicing Stack Update (SSU)

    These are the same prerequisites called out in the SHA-2 and later out-of-band update documentation for Windows 7 SP1 / Windows Server 2008 R2 SP1. Once these are installed and the server is restarted, the OS has SHA-2 support and can validate SHA-2–signed content, which is a core requirement for Trusted Signing–signed binaries.

    The Trusted Signing KB further notes that, to correctly verify modules signed by Trusted Signing, the machine must have the “Microsoft Identity Verification Root Certificate Authority 2020” root certificate installed under Local Computer → Trusted Root Certification Authorities. On Internet-connected systems, this root is normally installed automatically via automatic root certificate update; on offline or restricted systems, it must be imported manually from the Microsoft PKI repository.

    Therefore:

    • There is no separate KB5022661 package to download for Windows Server 2008 R2 from the Microsoft Update Catalog.
    • Ensure the following on the server:
      1. KB4474419 (SHA-2) is installed and the server has been restarted.
      2. KB4490628 (or later SSU) is installed and the server has been restarted.
      3. The “Microsoft Identity Verification Root Certificate Authority 2020” root certificate is present in the Local Computer → Trusted Root Certification Authorities store (import it manually from the PKI Repository - Microsoft PKI Services if automatic root updates are disabled or the server is offline).

    If the antivirus installer is explicitly checking for “KB5022661” by number, that check is effectively verifying that the OS has the Trusted Signing prerequisites (SHA-2 support and the required root CA). With those components in place, the functional requirement is met even though there is no discrete KB5022661 package for Windows Server 2008 R2.


    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.