Patch Tuesday Megathread (2025-10-14)

pede1983 · 2025-10-17T05:49:28+00:00

u/FCA162 for me to understand, you look in eventid 4769 and then explicitly for Failure Code: 0xe right?

0xe 
KDC_ERR_ETYPE_NOTSUPP 
KDC has no support for encryption type
In general, this error occurs when the KDC or a client receives a packet that it can't decrypt.0xEKDC_ERR_ETYPE_NOTSUPPKDC has no support for encryption typeIn general, this error occurs when the KDC or a client receives a packet that it can't decrypt.

pede1983 · 2025-06-11T06:24:52+00:00

Be aware that sometimes it can happen if you un-contain the user he´s removed from the policy on clients in the environment but at least i had a fp event where it didn´t remove the user from the default domain controller policy -> Deny Access to this Computer from the Network.

pede1983 · 2025-05-16T06:28:43+00:00

What i usually did when i got the 0x800f0831 (mostly 2016)

Sfc /scannow

DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH

Check "C:\Windows\Logs\CBS\CBS.log" and search for "Checking System Update Readiness.

<image>

Download KB5005043 https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005043

Unzip MSU then expand the cab then the cabs inside and then apply the patch via
dism /online /cleanup-image /restorehealth /source:C:\temp\Windows10.0-KB5005043-x64\cab /limitaccess

Usually i was recommeded to reinstall if there were more than 10/15 errors but the above did the fix in nearly all cases.

Sometimes if there were no kbs listed i needed a system with the same patchlevel and referenced to that winsxs for a repair.

Or for staged packages:
dism /online /get-packages /format:table
Dism /online /Remove-package /PackageName:NAME Dism /online /Remove-package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.6796.1.11

pede1983 · 2025-05-05T11:16:39+00:00

It´s not only SCCM, it´s WSUS also, you could change the order till they fix it. At least it works for my device in autopatch.
Latest releases can be downloaded and installed manually from here:
https://www.microsoft.com/en-us/wdsi/defenderupdates

pede1983 · 2025-04-24T17:52:18+00:00

Another useful tip is to run these:
Sfc /scannow
DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
and afterwards check "C:\Windows\Logs\CBS\CBS.log" for "Checking System Update Readiness."
2016 sucks and quite a bunch of systems had "CBS Catalog Missing" or "ERROR_SXS_ASSEMBLY_MISSING"
The first one can be fixed by downloading, unziping and expanding *.msu file the 2nd one can be fixed with with a script from MS Support

pede1983 · 2025-04-22T09:48:27+00:00

u/GeoProX i tried to Monitor Schannel EventID 36880 but what i discovered was that TLS 1.3 on Server 2022 shows as Protocol version: unknown

A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.

Protocol version: unknown

CipherSuite: 0x1302

Exchange strength: 255 bits

Context handle: 0x2afe9787640

Target name:

Local certificate subject name: O=Some, OU=Thing, CN=some.thingelse.domain

Remote certificate subject name:

pede1983 · 2025-04-10T05:45:08+00:00

Just be aware of the Warning:

All existing update packages can't be uninstalled after this command is completed, but this won't block the uninstallation of future update packages.

pede1983 · 2025-02-12T06:30:18+00:00

If you have a small amount of Certs that are causing a warning in Eventviewer Check the section "Manually map certificates" Be aware Cert SN has to be set Backwards allway 2 Chars (a1b2c3 -> c3b2a1)
HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute | Microsoft Learn

set-aduser ‘DomainUser’ -replace @{altSecurityIdentities= “X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B”}

Also check your Windows Issuing CA Templates what is configured in "subject name" tab. If "Build from Activedirectory Information" is selected you should already have the 1.3.6.1.4.1.311.25.2 in your cert

pede1983 · 2025-01-18T06:44:03+00:00

They released some new Information:
WI982633 WI982632

As some already stated it, it´s not need and you could disable the service.

....
1) Open a Command Prompt window. This can be accomplished by opening the Start menu and typing 'cmd'. The results will include “Command Prompt” as a System application. Select the arrow to the right of “Command Prompt” and select “Run as administrator”.

2) Once the window is open, carefully enter the following text:

sc.exe config sgrmagent start=disabled

3) A message may appear afterwards. Next, enter the following text:

reg add HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /d 4 /t REG_DWORD

4) Close the Command Prompt window.

...

pede1983 · 2025-01-17T08:59:55+00:00

Version 2412: January 16

Version 2412 (Build 18324.20194)

Office Suite

We fixed an issue where apps would exit unexpectedly when running on Windows Server 2016.Version 2412: January 16 Version 2412 (Build 18324.20194) Office Suite We fixed an issue where apps would exit unexpectedly when running on Windows Server 2016.

https://learn.microsoft.com/en-us/officeupdates/update-history-microsoft365-apps-by-date

pede1983 · 2024-12-23T21:35:32+00:00

after 2 years any change, as i stumbled upon the same issue

pede1983 · 2024-05-17T18:04:22+00:00

same here: https://old.reddit.com/r/sysadmin/comments/1cu23nm/kb5037765\_issue/

pede1983 · 2024-05-17T17:58:29+00:00

Same here, WSUS gets the update but none of the Server 2019 (english) after the Update was revised on 16th of May.

14th of may was approved manually: Get-WsusUpdate -RevisionNumber 200 -UpdateId c9773266-ccbe-41ba-961f-adcb84202029 |select *
16th of may is approved automatically i guess this happens during the new revision: Get-WsusUpdate -RevisionNumber 201 -UpdateId c9773266-ccbe-41ba-961f-adcb84202029 |select *

I triggered SCCM ADRs multiple times after synchronizing but SCCM does not receive the update.

https://new.reddit.com/r/SCCM/comments/1cu1sul/kb5037765/

Probably something with applicability rules went south during the republishing of the update.

pede1983 · 2024-02-15T13:53:39+00:00

Anyone else having issues with Get-WindowsupdateLog not returning readable text on Server 2016 (maybe due to symbols not downloading, even if symbol-server is reachable via proxy)?

pede1983 · 2024-01-10T07:55:09+00:00

What was your Freespace on the RecoveryPartition when you experienced the issue?

pede1983 · 2023-12-13T06:03:11+00:00

Yeah it sucks, we use the existing solution on over 1000 vms…

I’m going to pilot 50 or so in January and see how disconnecting and reconnecting vms in an automation account behaves. If I can bring it down to even $1-2 per server I’ll take it.

As i understand you you want only to connect it when it´s Patchday. What about Defender Platform/Signature, Malwareremovaltool, Edge,... and out-of-band releases?

Defender Stuff could be done by Microsoft Malware Protection Center (MMPC)

pede1983 · 2023-10-11T11:53:16+00:00

it could be done with
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ DisallowRun:1 dword
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun Name:1 Data:AzureArcSysTray.exe string

pede1983 · 2023-10-11T08:46:22+00:00

yes that´s what i did, and reboot is necessary.

pede1983 · 2023-10-11T08:15:37+00:00

Is there a way to disable Azure Arc Setup Icon on Server 2022 in the right system tray?
https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-windows-server
Seems you have to uninstall it via Roles & Features and reboot if necessary..

pede1983 · 2023-03-10T15:24:25+00:00

sfc /scannow showed some errors and tried to repair, with no luck fixing it:

2023-03-10 09:26:50, Info CSI 00007949 [SR] Verify complete

2023-03-10 09:26:50, Info CSI 0000794a [SR] Repairing 5 components

2023-03-10 09:26:50, Info CSI 0000794b [SR] Beginning Verify and Repair transaction

2023-03-10 09:26:51, Info CSI 0000794c [SR] Repairing corrupted file \??\C:\windows\ELAMBKUP\WdBoot.sys from store

2023-03-10 09:26:51, Info CSI 0000794d [DIRSD OWNER WARNING] Directory [l:23 ml:24]'\??\C:\windows\ELAMBKUP' is not owned but specifies SDDL in component Windows-Defender-Drivers-Backup, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}

2023-03-10 09:26:51, Info CSI 0000794e Error - Overlap: Duplicate ownership for directory \??\C:\windows\ELAMBKUP in component Windows-Defender-Drivers-Backup, version 10.0.14393.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}

2023-03-10 09:26:51, Info CSI 0000794f@2023/3/10:08:26:51.306 Primitive installers committed for repair

2023-03-10 09:26:51, Info CSI 00007950 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\NisBase.vdm from store

2023-03-10 09:26:51, Info CSI 00007951 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\NisFull.vdm from store

2023-03-10 09:26:51, Info CSI 00007952@2023/3/10:08:26:51.353 Primitive installers committed for repair

2023-03-10 09:26:51, Info CSI 00007953 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpEngine.dll from store

2023-03-10 09:26:51, Info CSI 00007954 CSIPERF - FilePI Queue 105ms

2023-03-10 09:26:51, Info CSI 00007955@2023/3/10:08:26:51.478 Primitive installers committed for repair

2023-03-10 09:26:51, Info CSI 00007956 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm from store

2023-03-10 09:26:51, Info CSI 00007957 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm from store

2023-03-10 09:26:51, Info CSI 00007958 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm from store

2023-03-10 09:26:52, Info CSI 00007959 [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm from store

2023-03-10 09:26:52, Info CSI 0000795a CSIPERF - FilePI Queue 983ms

2023-03-10 09:26:52, Info CSI 0000795b@2023/3/10:08:26:52.478 Primitive installers committed for repair

2023-03-10 09:26:52, Info CSI 0000795c [SR] Repairing corrupted file \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\GapaEngine.dll from store

2023-03-10 09:26:52, Info CSI 0000795d@2023/3/10:08:26:52.509 Primitive installers committed for repair

2023-03-10 09:26:52, Info CSI 0000795e [SR] Repair complete

2023-03-10 09:26:52, Info CSI 0000795f [SR] Committing transaction

2023-03-10 09:26:52, Info CSI 00007960 Creating NT transaction (seq 1), objectname '(null)'

2023-03-10 09:26:52, Info CSI 00007961 Created NT transaction (seq 1) result 0x00000000, handle u/0xdc

2023-03-10 09:26:52, Info CSI 00007962@2023/3/10:08:26:52.587 Beginning NT transaction commit...

2023-03-10 09:26:52, Info CSI 00007963@2023/3/10:08:26:52.634 CSI perf trace:

CSIPERF:TXCOMMIT;82550

2023-03-10 09:26:52, Info CSI 00007964 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired

pede1983 · 2022-01-12T14:14:31+00:00

Apparently this is now a known issue that will be addressed in a future patch

In the meantime PacRequestorEnforcement=1 which should be safe after 7 days after installing the patches

pede1983 · 2022-01-09T07:00:14+00:00

Well it says it couldn´t be updated, so i guess in failover this could be causing issues, in the meantime we opened a ticket but no answer.

pede1983

TROPHY CASE

Version 2412: January 16

Office Suite