KB5075899 (Feb 2026) silently removes RDS-Gateway role on Windows Server 2025?

Question

KB5075899 (Feb 2026) silently removes RDS-Gateway role on Windows Server 2025?

NickPrefersLinux 20

Wondering if anyone has seen this before? I can't find anything online relating to it, but the evidence seems pretty clear from what I found trawling through thousands of lines of CBS logs!

Environment

Windows Server 2025 Datacenter (24H2)
RDS-Gateway, RDS-Connection-Broker, RDS-Licensing, RDS-RD-Server all installed and operational prior to patching

Symptoms

After KB5075899 installed and the server rebooted, the RDS-Gateway role was no longer present. Users could not connect via RD Gateway. We had to re install the role via Server Manager in order to restore functionality. CAPs, RAPs, and SSL bindings required reconfiguration.

My Investigation

CBS log analysis confirms this is a bug in how the servicing stack handles feature selection state during package enumeration.

KB5075899 superseded the Gateway package from version 10.0.26100.7462 to 10.0.26100.32370. During this process, CBS uninstalled the old Gateway components but only brought the new version to Staged instead of Installed

Evidence

Prior to KB5075899, CBS correctly knew Gateway was installed.

From CbsPersist_20260225111647.log at 00:09:15 (during KB5075899 servicing pass), the parent package correctly reports Gateway as Installed:

Plan: Package: Microsoft-Windows-TerminalServices-Gateway-UI-Package~...~10.0.26100.1,
current: Installed, pending: Default, start: Installed, applicable: Installed,
targeted: Installed, limit: Installed

The servicing stack incorrectly resolved Update subcomponents to Staged

Immediately after, the Update subcomponent within the same planning pass is resolved to Staged despite limit: Installed:

Plan: Package: Microsoft-Windows-TerminalServices-Gateway-UI-Package~...~10.0.26100.1,
Update: Gateway-UI, current: Staged, pending: Default, start: Staged,
applicable: Staged, targeted: Staged, limit: Installed, selected: Default

Active version (7462) gets selected: Off

The currently running version of the Gateway package had its feature selection explicitly turned off:

Plan: Package: Microsoft-Windows-TerminalServices-Gateway-UI-Package~...~10.0.26100.7462,
Update: Gateway-UI, current: Staged, pending: Default, start: Staged,
applicable: Staged, targeted: Staged, limit: Installed, selected: Off

selected: Off on a currently installed and running role, despite limit: Installed.

Old version unprojected

From CbsPersist_20260225113738.log at 00:33:37, CBS uninstalls the old Gateway components:

Exec: Unprojecting Package: Microsoft-Windows-TerminalServices-Gateway-Package~...~10.0.26100.7462,
Update: Gateway, UninstallDeployment: ..._TSProxy-WMIProvider-Deployment_...

Exec: Unprojecting Package: Microsoft-Windows-TerminalServices-Gateway-Package~...~10.0.26100.7462,
Update: Gateway, UninstallDeployment: ..._TSProxy-EdgeAdapter-Deployment_...

Exec: Unprojecting Package: Microsoft-Windows-TerminalServices-Gateway-Package~...~10.0.26100.7462,
Update: Gateway, UninstallDeployment: ..._TerminalServices-PSMgmtTools-Deployment_...

New version lands as Staged, not Installed

From CbsPersist_20260225113738.log at 00:33:11:

Plan: Package: Microsoft-Windows-TerminalServices-Gateway-Package~...~10.0.26100.32230,
Update: Gateway, current: Staged, pending: Default, start: Staged,
applicable: Staged, targeted: Staged, limit: Installed, selected: Default

Comparison - packages that superseded correctly

Other packages in the same servicing pass correctly maintained their Installed state:

Plan: Package: Microsoft-OneCore-Bluetooth-Audio-Hfp-AudioGateway-Package~...~10.0.26100.32230,
current: Staged, pending: Default, start: Installed, applicable: Installed,
targeted: Installed, limit: Installed

Note the start: Installed, targeted: Installed - all four states agree. The Gateway packages show start: Staged, targeted: Staged despite limit: Installed.

The servicing stack somehow lost the feature selection state for RDS-Gateway during the 7462 to 32370 supersedence. The parent package correctly reported the role as Installed, but the Update-level planner resolved it to Staged with selected: Off. The old version was then unprojected and the new version inherited the broken Staged state, effectively removing a production RDS-Gateway role silently.Interested to know if anyone else has had this issue, or if Microsoft themselves are aware of it.

I have more logs available if needed.

Benjamin Krah 1 Reputation point

2026-02-27T09:06:25.3066667+00:00

Hi there,
we have similar issues with KB5075906 on Windows Server 2022 as well as additional issues on Windows Server 2025.

**KB5075906
**We installed the update on a 2022 Remote Desktop Connection Broker. After reboot, Server Manager is unable to retrieve the Connection Broker configuration (several errors regarding database access and asynchronous messages being overwritten) which leads to users having multiple sessions on several session hosts.
After uninstalling the update and rebooting, Server Manager is able to retrieve the configuration again and users get only one session again.

**KB5075899
**I am reinstalling a fresh server for the 4th time now, every time the same behaviour, regardless if the server is joined to a domain (where GPOs might cause issues) or stays in a workgroup.
The process "Windows Modules Installer Worker" constantly causes high CPU load and leads to a stalled Server Manager.

I cannot install any roles on this server unless I kill the process - but it immediately comes up again and resumes whatever it is doing.
Countless reboots or simply waiting for several hours did not help.

In this case I even cannot uninstall the update anymore as the process also blocks the uninstallation.
I will try a fresh installation now without any patches and give an update.

Best
Ben

1 answer

Your answer

Benjamin Krah 1 Reputation point

2026-02-27T09:06:25.3066667+00:00

Hi there,
we have similar issues with KB5075906 on Windows Server 2022 as well as additional issues on Windows Server 2025.

**KB5075906
**We installed the update on a 2022 Remote Desktop Connection Broker. After reboot, Server Manager is unable to retrieve the Connection Broker configuration (several errors regarding database access and asynchronous messages being overwritten) which leads to users having multiple sessions on several session hosts.
After uninstalling the update and rebooting, Server Manager is able to retrieve the configuration again and users get only one session again.

**KB5075899
**I am reinstalling a fresh server for the 4th time now, every time the same behaviour, regardless if the server is joined to a domain (where GPOs might cause issues) or stays in a workgroup.
The process "Windows Modules Installer Worker" constantly causes high CPU load and leads to a stalled Server Manager.

I cannot install any roles on this server unless I kill the process - but it immediately comes up again and resumes whatever it is doing.
Countless reboots or simply waiting for several hours did not help.

In this case I even cannot uninstall the update anymore as the process also blocks the uninstallation.
I will try a fresh installation now without any patches and give an update.

Best
Ben

Answer 1

Welcome to the Microsoft Q&A Platform!

Thank you for sharing your concern with us, what you have described is publicly reported and reproducible and especially your CBS analysis is extremely helpful. Based on your logs and the corroborating report:

KB5075899 supersedes Gateway packages (26100.7462 → 26100.32370)
The parent package state is preserved as Installed
But the update-level feature selection is incorrectly resolved to:
- start: Staged
- targeted: Staged
- selected: Off

The servicing stack then:

Unprojects the old Gateway components
Never reprojects the new ones
Leaves the role functionally removed without warning or error

This is not expected feature supersedence behavior. Other packages processed in the same servicing pass correctly retain start: Installed and targeted: Installed, as you observed.

1. Clarifications

This issue is not documented in the official KB5075899 Known Issues section

Reference: February 10, 2026—KB5075899 (OS Build 26100.32370) - Microsoft Support

No mitigation guidance published
No Servicing Stack Update (SSU) workaround exists (SSU is bundled)
Manual reinstallation of the Gateway role is currently the only recovery option

This strongly points to a Servicing Stack / CBS planner regression, not an RDS role issue.

2. Risk assessment

This is high‑impact because:

Happens silently
Breaks production ingress (RD Gateway)
Leaves no warning in Server Manager
Can affect security posture (lost CAP/RAP enforcement)
Requires manual reconfiguration

In enterprise RDS environments, this is patch‑blocking severity.

Recommendation

Pause KB5075899

Do not deploy to any additional Windows Server 2025 systems with:

RDS‑Gateway, RD Web + Gateway combined roles and Edge TLS bindings tied to Gateway

Pre‑patch validation script

Before applying updates, capture:

Get-WindowsFeature RDS-Gateway output, RD CAP/RAP exports and RD Gateway certificate bindings

Open a Microsoft support case

This issue warrants escalation. A support case will allow full review of CBS and servicing logs and help drive an official resolution, most likely via a future cumulative update or a Known Issue Rollback (KIR) from Microsoft.

Hope it helps a little bit. I hope you have a great day!

Share via

KB5075899 (Feb 2026) silently removes RDS-Gateway role on Windows Server 2025?

Environment

Symptoms

My Investigation

Evidence

1 answer

Your answer