Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Find information on recently resolved issues for Windows Server 2022. To find a specific issue, use the search function on your browser (CTRL + F for Microsoft Edge). For immediate help with Windows update issues, click here if you are using a Windows device to open the Get Help app or go to support.microsoft.com. Follow @WindowsUpdate on X (formerly Twitter) for Windows release health updates. If you are an IT administrator and want to programmatically get information from this page, use the Windows Updates API in Microsoft Graph.
Resolved issues
| Summary | Originating update | Status | Date resolved |
|---|---|---|---|
| The April 2025 Windows RE update might show as unsuccessful in Windows Update Users might observe installation failure while trying to install the WinRE update which resolves after device restarts. | N/A KB5057588 2025-04-08 | Resolved KB5063522 | 2025-07-08 10:00 PT |
| Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events The April 2025 update may trigger behavior in domain controllers that logs Kerberos event IDs 45 and 21 | OS Build 20348.3453 KB5055526 2025-04-08 | Resolved KB5060526 | 2025-06-10 10:00 PT |
| August 2024 security update might impact Linux boot in dual-boot setup devices This issue might impact devices with dual-boot setup for Windows and Linux when SBAT setting is applied | OS Build 20348.2655 KB5041160 2024-08-13 | Resolved KB5058385 | 2025-05-13 10:00 PT |
| Apps or devices might be unable to create Netlogon secure channel connections Scenarios which rely on synthetic RODC machine accounts might fail if they do not have a linked KRBTGT account. | OS Build 20348.469 KB5009555 2022-01-11 | Resolved External | 2024-08-20 16:29 PT |
| Devices might boot into BitLocker recovery with the July 2024 security update This issue is more likely to affect devices that have the Device Encryption option enabled | OS Build 20348.2582 KB5040437 2024-07-09 | Resolved KB5041160 | 2024-08-13 10:00 PT |
| Printing jobs using LPD protocol might fail with the July 2024 security update Issue was reported by organizations after installing the Windows July security update | OS Build 20348.2582 KB5040437 2024-07-09 | Resolved KB5041160 | 2024-08-13 10:00 PT |
| Network data reporting from Microsoft 365 Defender may be interrupted Other Defender features are unaffected. Information can be seen on the Microsoft 365 admin center service health page | OS Build 20348.2527 KB5039227 2024-06-11 | Resolved KB5041160 | 2024-08-13 10:00 PT |
| CrowdStrike issue impacting Windows endpoints causing an error message Affected systems might restart repeatedly and require recovery operations in order to restore normal use. | N/A | Resolved External | 2024-08-05 16:07 PT |
| Synapse SQL Serverless Pool databases go on "Recovery pending" state Issue affects cloud-based SQL servers with the Windows June 2024 security update installed | OS Build 20348.2527 KB5039227 2024-06-11 | Resolved KB5041054 | 2024-06-20 14:00 PT |
Issue details
May 2025
Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events
| Status | Originating update | History |
|---|---|---|
| Resolved KB5060526 | OS Build 20348.3453 KB5055526 2025-04-08 | Resolved: 2025-06-10, 10:00 PT Opened: 2025-05-06, 13:25 PT |
After installing the April Windows monthly security update released April 8, 2025 (KB5055523) or later, Active Directory Domain Controllers (DC) might experience authentication interruptions when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field.
Following these updates, the method by which DCs validate certificates used for Kerberos authentication has changed, and will now require that certificates are chained to an issuing certificate authority (CA) in the NTAuth store. This is related to security measures described in KB5057784 - Protections for CVE-2025-26647 (Kerberos Authentication). As a result, authentication failures might be observed in Windows Hello for Business (WHfB) Key Trust environments or environments that have deployed Device Public Key Authentication (also known as Machine PKINIT). Other products which rely on this feature can also be impacted.
Enablement of this validation method can be controlled by the Windows registry value AllowNtAuthPolicyBypass in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc. Two scenarios can be observed following installation of the April 2025 Windows monthly security update on authenticating DCs:
- When registry value AllowNtAuthPolicyBypass is unconfigured or set to "1", Kerberos-Key-Distribution-Center event ID 45 is repeatedly recorded in the DC system event log, with text similar to "The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to an Issuing CA in the NTAuth store". This is a new event, intentionally logged by DCs servicing authentication requests using unsafe certificates. Although this event may be logged excessively, please note that related logon operations are otherwise successful, and no other change is observed outside of these event log records.
- When registry value AllowNtAuthPolicyBypass is set to "2", self-signed certificate-based authentication fails. Kerberos-Key-Distribution-Center event ID 21 is recorded in the DC system event log. This is a legacy event logged when certificate-based authentication fails, and is intentionally logged when a DC services an authentication request using an unsafe certificate. The event description text for this event may vary.
Note that if the AllowNtAuthPolicyBypass registry key does not exist, the DC will behave as if the value is configured to “1”. The key may be created manually, if it does not exist, and configured as per above.
Windows Updates released on and after April 8, 2025 incorrectly log Event IDs 45 and 21 when servicing authentication requests using self-signed certificates that will never chain to a CA in the NTAuth store. Self-signed certificates may be used by the AD PKINIT Key Trust feature in the following scenarios:
- Windows Hello for Business (WHfB) Key Trust deployments
- Device Public Key Authentication (also known as Machine PKINIT).
- Other scenarios that rely on the msds-KeyCredentialLink field, such as smart card products, third-party single sign-on (SSO) solutions, and identity management systems.
Resolution: This issue was resolved by Windows updates released June 10, 2025 (KB5060526), and later. We recommend you install the latest security update for your device as it contains important improvements and issue resolutions, including this one.
If you install an update released June 10, 2025 or later, you do not need to use a workaround for this issue. If you are using an update released before this date and have this issue, you should temporarily delay setting a value of ‘2’ to registry key AllowNtAuthPolicyBypass on updated DCs servicing self-signed certificate-based authentication. For more information, see the Registry Settings section of KB5057784.
Affected platforms:
- Client: None
- Server: Windows Server 2025; Windows Server 2022; Windows Server 2019; Windows Server 2016
April 2025
The April 2025 Windows RE update might show as unsuccessful in Windows Update
| Status | Originating update | History |
|---|---|---|
| Resolved KB5063522 | N/A KB5057588 2025-04-08 | Resolved: 2025-07-08, 10:00 PT Opened: 2025-04-11, 17:03 PT |
After installing the April 2025 Windows Recovery Environment update [KB5057588], you might see the following error message in the Windows Update settings page: 0x80070643 – ERROR_INSTALL_FAILURE. This error message is not accurate and does not impact the update or device functionality. The Windows Recovery Environment (WinRE) is a recovery environment that can repair common causes of unbootable operating systems.
This error is observed when the device installs the WinRE update when there is another update in a pending reboot state. Although the error message suggests the update did not complete, the WinRE update is typically applied successfully after the device restarts. Windows Update might continue to display the update as failed until the next daily scan, at which point the update is no longer offered and the failure message is cleared automatically.
Resolution:
The ERROR_INSTALL_FAILURE error message that was previously observed with KB5057588 installed before 2 PM PT on April 21, 2025 has been resolved with the Windows update released July 8, 2025 (KB5063522). We recommend you install the latest update for your device as it contains important improvements and issue resolutions.
Please note: This update does not remove the incorrect error message which might still appear in the Windows Update History page.
Users who installed KB5057588 after 2 PM PT on April 21, 2025, should not observe the incorrect error message about the install failure. If the update is already installed, it will not be offered again, and the status of this update can be verified with the Dism /Online /Get-Packages command.
Affected platforms:
- Client: Windows 10, version 22H2; Windows 10, version 21H2
- Server: Windows Server 2022
August 2024
August 2024 security update might impact Linux boot in dual-boot setup devices
| Status | Originating update | History |
|---|---|---|
| Resolved KB5058385 | OS Build 20348.2655 KB5041160 2024-08-13 | Resolved: 2025-05-13, 10:00 PT Opened: 2024-08-21, 18:33 PT |
After installing the August 2024 Windows security update, (KB5041160) or the August 2024 preview update, you might face issues with booting Linux if you have enabled the dual-boot setup for Windows and Linux in your device. Resulting from this issue, your device might fail to boot Linux and show the error message “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”
The August 2024 Windows security and preview updates apply a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied.
IMPORTANT: This known issue only occurs with the installation of the August 2024 security and preview updates. The September 2024 security update and later updates do not contain the settings that caused this issue.
Resolution: This issue was resolved by Windows updates released May 13, 2025 (KB5058385), and later. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
Note: On Windows-only systems, after installing the September 2024 or later updates, you can set the registry key documented in CVE-2022-2601 and CVE-2023-40547 to ensure the SBAT security update is applied. On systems that dual-boot Linux and Windows, there are no additional steps necessary after installing the September 2024 or later updates.
Affected platforms:
- Client: Windows 11, version 23H2; Windows 11, version 22H2; Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2; Windows 10 Enterprise 2015 LTSB
- Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Printing jobs using LPD protocol might fail with the July 2024 security update
| Status | Originating update | History |
|---|---|---|
| Resolved KB5041160 | OS Build 20348.2582 KB5040437 2024-07-09 | Resolved: 2024-08-13, 10:00 PT Opened: 2024-08-09, 16:46 PT |
After installing the July 2024 Windows security update, released July 9, 2024 (KB5040437), and later updates, you might encounter issues when trying to print documents using the Line Printer Daemon (LPD) protocol, which is a deprecated protocol.
People using Home or Pro editions of Windows for personal use are unlikely to face this issue as the LDP is a protocol used more often by IT departments to receive a print job on a printer or a server.
Note: The Line Printer Daemon protocol (LPR/LPD) is deprecated. When this feature is eventually removed, clients that print to a server using this protocol, such as UNIX clients, will not be able to connect or print. Instead, UNIX clients should use IPP. Windows clients can connect to UNIX shared printers using the Windows Standard Port Monitor.
Resolution: This issue is resolved by the Windows August 2024 security updates released August 13, 2024 (KB5041160), and later updates. We recommend you install the latest update for your device. It contains important improvements and issue resolutions, including this one.
Affected platforms:
- Client: None
- Server: Windows Server 2022; Windows Server 2019; Windows Server 2016
July 2024
Devices might boot into BitLocker recovery with the July 2024 security update
| Status | Originating update | History |
|---|---|---|
| Resolved KB5041160 | OS Build 20348.2582 KB5040437 2024-07-09 | Resolved: 2024-08-13, 10:00 PT Opened: 2024-07-23, 13:57 PT |
After installing the July 2024 Windows security update, released July 9, 2024 (KB5040437), you might see a BitLocker recovery screen upon booting your device. This screen does not commonly appear after a Windows update. You are more likely to face this issue if you have the Device Encryption option enabled in Settings under Privacy & Security -> Device encryption. Resulting from this issue, you might be prompted to enter the recovery key from your Microsoft account to unlock your drive.
Resolution: This issue was resolved by Windows updates released August 13, 2024 (KB5041160), and later. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
If you install an update released August 13, 2024 (KB5041160) or later, you do not need to use a workaround for this issue. If you are using an update released before August 13, 2024, and have this issue, your device should proceed to start up normally from the BitLocker recovery screen once the recovery key has been entered. You can retrieve the recovery key by logging into the BitLocker recovery screen portal with your Microsoft account. Detailed steps for finding the recovery key are listed here: Finding your BitLocker recovery key in Windows.
Affected platforms:
- Client: Windows 11 version 23H2, Windows 11 version 22H2, Windows 11 version 21H2, Windows 10 version 22H2, Windows 10 version 21H2, Windows 10 Enterprise 2015 LTSB
- Server: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008
Network data reporting from Microsoft 365 Defender may be interrupted
| Status | Originating update | History |
|---|---|---|
| Resolved KB5041160 | OS Build 20348.2527 KB5039227 2024-06-11 | Resolved: 2024-08-13, 10:00 PT Opened: 2024-07-12, 16:04 PT |
Devices which have installed Windows Server updates released June 11, 2024 (KB5039227) might experience problems with Microsoft 365 Defender. The Network Detection and Response (NDR) service might encounter issues, resulting in an interruption of network data reporting.
IT administrators may confirm they’re affected by this issue with a notification that appears in the service health page, located in the Microsoft 365 admin center. The status of NDR can also be seen in the service health page.
Please note that although this interruption can hinder certain Defender features such as Device Inventory and Incident Response, other functionality – such as Vulnerability Management and Cloud Apps – should continue to operate as expected.
Resolution: This issue was resolved by Windows updates released August 13, 2024 (KB5041160), and later. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
Affected platforms:
- Client: None
- Server: Windows Server 2022
CrowdStrike issue impacting Windows endpoints causing an error message
| Status | Originating update | History |
|---|---|---|
| Resolved External | N/A | Last updated: 2024-08-05, 16:07 PT Opened: 2024-07-19, 07:30 PT |
Microsoft has identified an issue impacting Windows endpoints which are running the CrowdStrike Falcon agent, developed by CrowdStrike Holdings. Following updates released and delivered by CrowdStrike on July 18, 2024, devices running the Falcon agent may encounter an error message on a blue screen and experience a continual restarting state.
Affected systems might restart repeatedly and require recovery operations in order to restore normal use.
Updated July 25, 2024: Microsoft released further guidance on Windows resiliency: Best practices and the path forward. Read more about how we are working in close cooperation to improve resiliency across the Windows ecosystem and explore best practices you can use to support resiliency in your organization.
Updated July 22, 2024: Microsoft has released a third mitigation option for this issue impacting Windows clients and servers. If devices are unable to recover with the two previous options mentioned below, IT admins can use PXE to remediate. See the revised New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints for detailed instructions on prerequisites and configurations to use PXE Recovery.
Updated July 21, 2024: As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, Microsoft has released an updated recovery tool with two repair options to help IT admins expedite the repair process. Based on customer feedback, this new release includes a new option for recovery using safe boot, the option to generate ISO or USB, a fix for ADK detection when the Windows Driver Kit is installed, and a fix for the USB disk size check. See the revised New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints for detailed instructions on using the signed Microsoft Recovery Tool.
Updated July 20, 2024: Microsoft has released KB5042426, which contains step-by-step guidance for Windows Servers hosted on-premises that are running the CrowdStrike Falcon agent and encountering a 0x50 or 0x7E error message on a blue screen. We will continue to work with CrowdStrike to provide the most up-to-date information available on this issue.
A new USB Recovery Tool is available to help IT admins expedite the repair process. The new tool can be found in the Microsoft Download Center. Read more about the new recovery tool and usage instructions at New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints.
Updated July 19, 2024: A new Knowledge Base article, KB5042421, with additional step-by-step guidance for Windows 11 and Windows 10 clients is now available. We will continue to work with CrowdStrike to provide up-to-date mitigation information as it becomes available.
To mitigate this issue ahead of additional resolution options, you can follow these steps:
- Start Windows into Safe Mode or the Windows Recovery Environment.
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys” and delete it.
- Restart the device.
- Recovery of systems requires a Bitlocker key in some cases.
For Windows Virtual Machines running on Azure follow the mitigation steps in Azure status.
Additional details from CrowdStrike are available here: Statement on Windows Sensor Update - CrowdStrike Blog.
Affected platforms:
- Client: Windows 11, version 23H2; Windows 11, version 22H2; Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2; Windows 10 Enterprise LTSC 2019
- Server: Windows Server 2022; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
June 2024
Synapse SQL Serverless Pool databases go on "Recovery pending" state
| Status | Originating update | History |
|---|---|---|
| Resolved KB5041054 | OS Build 20348.2527 KB5039227 2024-06-11 | Resolved: 2024-06-20, 14:00 PT Opened: 2024-06-17, 17:21 PT |
Following the installation of the Windows security update released June 11, 2024 (KB5039227), you might see an issue on cloud-based SQL servers where Azure Synapse SQL Serverless Pool databases go on "Recovery pending" state. This issue is more likely to affect environments utilizing Customer-Managed Key (CMK) and Azure Synapse dedicated SQL pool.
Resolution: This issue was resolved in the out-of-band (OOB) update KB5041054, which is only available via the Microsoft Update Catalog. Since this is a cumulative update, you do not need to apply any previous update before installing KB5041054, as it supersedes all previous updates for affected versions. Installation of this OOB will require a device restart. If your organization uses the affected platforms and hasn’t yet deployed the June 2024 Windows security update yet, we recommend you apply this OOB update instead.
In addition, a resolution was rolled out on the service-side to enterprises using Azure SQL. If your organization is still observing this issue, please reach out to Support for business.
Affected platforms:
- Server: Windows Server 2022; Azure Stack HCI, version 22H2
- Client: None
February 2022
Apps or devices might be unable to create Netlogon secure channel connections
| Status | Originating update | History |
|---|---|---|
| Resolved External | OS Build 20348.469 KB5009555 2022-01-11 | Last updated: 2024-08-20, 16:29 PT Opened: 2022-02-24, 17:25 PT |
After installing KB5009555 or any updates released January 11, 2022 and later on your domain controllers, scenarios which rely on Read-only domain controllers (RODCs) or synthetic RODC machine accounts might fail to establish a Netlogon secure channel. RODC accounts must have a linked and compliant KRBTGT account to successfully establish a secure channel. Affected applications or network appliances, such as Riverbed SteelHead WAN Optimizers, might have issues joining domains or limitations after joining a domain.
Next Steps: Affected apps and network appliances will need an update from their developer or manufacturer to resolve this issue. Microsoft has provided the following documentation regarding devices from Riverbed Technology that are configured as RODCs: Information about devices from Riverbed Technology that are configured as RODCs. For further details or resolution guidance applicable to other network devices, contact the developer or manufacturer of the device.
Affected platforms:
- Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Report a problem with Windows updates
To report an issue to Microsoft at any time, use the Feedback Hub app. To learn more, see Send feedback to Microsoft with the Feedback Hub app.
Need help with Windows updates?
Search, browse, or ask a question on the Microsoft Support Community. If you are an IT pro supporting an organization, visit Windows release health on the Microsoft 365 admin center for additional details.
For direct help with your home PC, use the Get Help app in Windows or contact Microsoft Support. Organizations can request immediate support through Support for business.
View this site in your language
This site is available in 11 languages: English, Chinese Traditional, Chinese Simplified, French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, and Spanish (Spain). All text will appear in English if your browser default language is not one of the 11 supported languages. To manually change the display language, scroll down to the bottom of this page, click on the current language displayed on the bottom left of the page, and select one of the 11 supported languages from the list.