MSMQ / IIS – Access issues with C:\Windows\System32\msmq after December Update (Windows Server 2019)

Question

MSMQ / IIS – Access issues with C:\Windows\System32\msmq after December Update (Windows Server 2019)

Mario Kriegsmann 100

Description:
Since installing KB5071544 (December 2025 Update), IIS applications (IIS_IUSRS) as well as services running under LocalService / NetworkService can no longer write to the folder C:\Windows\System32\msmq. As a result, MSMQ-based applications fail. Everything worked flawlessly before the update. Rolling back the update immediately resolves the issue.

Analysis: The NTFS security descriptor of the MSMQ folder is modified by the December update.

SDDL comparison:

Unpatched: D:P(...)

Patched: D:PAI(...)

The additional AI flag (Auto-Inherited) indicates that the update is regenerating or altering the DACL. The Windows GUI does not display this difference, but functionally the services lose the access rights they previously had.

Impact:

Applications running under IIS_IUSRS / LocalService / NetworkService can no longer write to MSMQ.

Services must be changed to LocalSystem or given manual NTFS permissions → unacceptable from a security perspective, and it appears that permissions we set manually under C:\Windows\System32\msmq are not persistent and get automatically reverted to defaults.
The issue is reproducible on multiple systems, and similar reports are appearing on Reddit.
See: https://www.reddit.com/r/sysadmin/comments/1phyxbt/comment/ntanh4l/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Request to Microsoft:

Confirmation whether the December update modifies MSMQ ACLs / security descriptors
Clarification whether this behavior is intentional or a bug
A fix or guidance on how to restore the original permissions

Danny Nguyen (WICLOUD CORPORATION) 6,295 Reputation points Microsoft External Staff Moderator

2025-12-12T10:53:22.31+00:00

Hi @Mario Kriegsmann, I have received this report. It might take some time to investigate this problem. I will reach out to you as soon as I can when there's any update. Thank you for posting.
LE YANG 0 Reputation points

2025-12-19T07:02:25.1733333+00:00

New OOB updates has been released by MS to fix the issue.
Harry Vo (WICLOUD CORPORATION) 4,750 Reputation points Microsoft External Staff Moderator

2025-12-24T07:45:25.79+00:00

Hi @Mario Kriegsmann , I wanted to briefly follow up on Danny's recent answer. I know it might be a busy time with your holidays, so please feel free to reply whenever convenient. Hope you’re having a great holiday season. Thank you!

Answer accepted by question author

1 additional answer

Your answer

Danny Nguyen (WICLOUD CORPORATION) 6,295 Reputation points Microsoft External Staff Moderator

2025-12-12T10:53:22.31+00:00

Hi @Mario Kriegsmann, I have received this report. It might take some time to investigate this problem. I will reach out to you as soon as I can when there's any update. Thank you for posting.
LE YANG 0 Reputation points

2025-12-19T07:02:25.1733333+00:00

New OOB updates has been released by MS to fix the issue.
Harry Vo (WICLOUD CORPORATION) 4,750 Reputation points Microsoft External Staff Moderator

2025-12-24T07:45:25.79+00:00

Hi @Mario Kriegsmann , I wanted to briefly follow up on Danny's recent answer. I know it might be a busy time with your holidays, so please feel free to reply whenever convenient. Hope you’re having a great holiday season. Thank you!

Answer 1

Danny Nguyen (WICLOUD CORPORATION) 6,295 Microsoft External Staff Moderator

Hi there,

Update (December 18, 2025): This issue has now been RESOLVED by Microsoft

This issue has been officially acknowledged and patched by Microsoft! You can track it here: https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22h2#message-queuing--msmq--might-fail-with-the-december-2025-windows-security-update

What happened:

Microsoft confirmed that the December 2025 security update (KB5071546) introduced changes to the MSMQ security model and NTFS permissions on the C:\Windows\System32\MSMQ\storage folder. MSMQ users now require write access to this folder, which is normally restricted to administrators. This caused the "Insufficient resources to perform operation" errors you were experiencing.

The symptoms matched what you were seeing:

MSMQ queues becoming inactive
IIS sites failing with resource errors
Applications unable to write to queues
Message file creation failures
Misleading logs about insufficient disk space/memory

Resolution:

This issue was resolved by the Windows out-of-band update released December 18, 2025 (KB5074976), which is available via the Microsoft Update Catalog.

Action Required:

Install the latest update (KB5074976) for your device. You can download it from the Microsoft Update Catalog.

Affected versions:

Client: Windows 10, version 22H2, Windows 10, version 21H2, Windows 10, version 1809, Windows 10, version 1607
Server: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

If you previously uninstalled KB5071546 as a workaround, you can now safely reinstall it along with KB5074976 to get both the security fixes and the MSMQ resolution.

EntraID Staff Support 40 Reputation points

2025-12-15T16:05:25.4866667+00:00

Bad news—hopefully just a Microsoft oversight in the words provided on that specific post, but as confirmed with a major system on my side and as reported originally in this post Windows Server 2016 and KB5071543 also causes this problem.

Uninstalled KB5071543 from Windows Server 2016 and then rebooting it fixes the problem as confirmed on my side. The support vendor of the software on that system on my side is aware of the issue and they should be working on a solution or following up with Microsoft to ensure you are aware at that level as well.

I just wanted to point out that that updated Known Issues post doesn't seem to list Windows Server 2016 or KB5071543 from what I saw when I looked it over a few minutes ago—hopefully MS is working on the fix for that OS too seems it's not EOL or support life.
Chris Granitz 5 Reputation points

2025-12-19T17:57:40.13+00:00

I am on the Microsoft Update Catalog site and entered KB5074976 in the Search but it's only returning updates for Windows 10. I need the update for Windows Server 2019.
EntraID Staff Support 40 Reputation points

2025-12-20T14:45:16.0766667+00:00

Windows Server 2019: https://support.microsoft.com/en-us/topic/december-18-2025-kb5074975-os-build-17763-8148-out-of-band-4dc1fb62-aa89-4859-ba1b-618404482c4d

Windows Server 2016: https://support.microsoft.com/en-us/topic/december-18-2025-kb5074974-os-build-14393-8692-out-of-band-eea63b9f-4aa1-47e3-9097-197845832fb1

Answer 2

After KB5071543 / KB5071544, we're seeing the following error when sending multicast messages via System.Messaging API from an IIS Web App.

System.Messaging.MessageQueueException: Insufficient resources to perform operation.

On Windows Server 2019, if we rollback KB5071544 things work again.

On Windows Server 2016, if we rollback KB5071543 things work again.

System.Messaging.MessageQueueException: Insufficient resources to perform operation. at System.Messaging.MessageQueue.SendInternal(Object obj, MessageQueueTransaction internalTransaction, MessageQueueTransactionType transactionType) at CompAnalytics.Extension.Msmq.AlertContextExtension.SendAlert(String alertName, String alertTitle, Uri alertLink, String msgBody, IList`1 extensionObjects, String priority) in C:\agent_work\7\s\Product\CompAnalytics.Extension.Msmq\AlertContextExtension.cs:line 95 at CompAnalytics.Extension.Msmq.AlertSender.Execute(IExecutionContext context) in C:\agent_work\7\s\Product\CompAnalytics.Extension.Msmq\AlertSender.cs:line 63 at CompAnalytics.Execution.ExecutionContext.ExecuteModuleOrSurrogate(ModuleExecutor executor, Module module) in C:\agent_work\7\s\Product\CompAnalytics.Execution\ExecutionContext.cs:line 1207 at CompAnalytics.Execution.ExecutionContext.ExecuteOrRestoreModule(ModuleExecutor executor, Module module, Int32 currentRetryCount) in C:\agent_work\7\s\Product\CompAnalytics.Execution\ExecutionContext.cs:line 1185 at CompAnalytics.Execution.ExecutionContext.ExecuteModuleWithRetry(ModuleExecutor executor, Module module) in C:\agent_work\7\s\Product\CompAnalytics.Execution\ExecutionContext.cs:line 1150 at CompAnalytics.Execution.ExecutionContext.ExecuteModule(ModuleExecutor executor, Module module, ExecutionCallback postExecutionCallback) in C:\agent_work\7\s\Product\CompAnalytics.Execution\ExecutionContext.cs:line 992

EntraID Staff Support 40 Reputation points

2025-12-15T16:11:34.4133333+00:00

I'm not seeing MS posted about a fix coming for KB5071543 and WIndows Server 2016 and the permissions also being broke for that OS in the latest Known Issues link that was provided here. I assume this means they ignored your detail and they assume Windows Server 2016 is not impacted, or they have nopt tested that OS thoroughly to confirm themselves. Not sure if another post needs opened, or more comments are needed to get it some attention too. Hopefully they know this already, are working on a fix, and just have not stated it explicitly.
Bennie Esterhuizen 0 Reputation points

2025-12-29T21:16:23.91+00:00

Thanks for this!

Share via

MSMQ / IIS – Access issues with C:\Windows\System32\msmq after December Update (Windows Server 2019)

1 additional answer

Your answer