WMSVC (Web Management Service) Failing to start with "Access Denied" or error code '5' on WS2019
Published Jul 23 2019 02:20 PM
Microsoft

If the "Block untrusted fonts" policy has been enabled, a known issue prevents the Web Management Service from starting. As of now, this affects only Windows Server 2019.

 

The issue has been fixed in Windows Server v1903 (the semi-annual channel) and will not occur on that or newer OSes. It also does not occur on Windows Server 2016.

 

If the policy has not been enabled, then this post does not apply to your scenario.

There have been some support cases where having that specific policy "Not configured" or even "Disabled" still results in WMSVC failing to start with the same error. If you do not have this policy enabled but are still experiencing this problem, then go through the steps to disable it via the registry, as given on the policy page linked at the bottom of this post. The instructions are copied here for convenience (I've colored in red and italicized the value you want to set in the registry). Make sure to run through them in their entirety:

---

To turn on and use the Blocking Untrusted Fonts feature through the registry

To turn this feature on, off, or to use audit mode:

  1. Open the registry editor (regedit.exe) and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\.

  2. If the MitigationOptions key isn't there, right-click and add a new QWORD (64-bit) Value, renaming it to MitigationOptions.

  3. Right click on the MitigationOptions key, and then click Modify.

    The Edit QWORD (64-bit) Value box opens.

  4. Make sure the Base option is Hexadecimal, and then update the Value data, making sure you keep your existing value, like in the important note below:

    • To turn this feature on. Type 1000000000000.

    • To turn this feature off. Type 2000000000000.

    • To audit with this feature. Type 3000000000000.

       Important

      Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000.

  5. Restart your computer.

---
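Step 4 requires keeping the existing MitigationOptions bits while changing only the font-blocking setting. As an added example (not part of the original post or of the Microsoft policy page), this Python helper computes the hex string to type into the Value data box. It assumes the three listed values form a two-bit field at bit 48, which is inferred from the values in step 4, and the function names are illustrative.

```python
# Added example, not from the original post. The two-bit field at bit 48 is
# inferred from the three hex values listed in step 4 (1, 2, 3 + twelve zeros).
FONT_SHIFT = 48
FONT_MASK = 0x3 << FONT_SHIFT
STATES = {"on": 0x1, "off": 0x2, "audit": 0x3}
NAMES = {0: "not set", 1: "on", 2: "off", 3: "audit"}


def parse_qword(hex_text):
    """Parse the hexadecimal Value data text that regedit shows for a QWORD."""
    value = int(hex_text.strip(), 16)  # accepts "1000" as well as "0x1000"
    if not 0 <= value < 1 << 64:
        raise ValueError(f"not a 64-bit value: {hex_text!r}")
    return value


def font_state(value):
    """Name the font-blocking state encoded in a MitigationOptions value."""
    return NAMES[(value & FONT_MASK) >> FONT_SHIFT]


def with_font_state(value, state):
    """Replace only the font-blocking bits; every other bit is kept."""
    return (value & ~FONT_MASK) | (STATES[state] << FONT_SHIFT)


def value_to_type(hex_text, state="off"):
    """Hex string to enter in the Value data box for the requested state."""
    return format(with_font_state(parse_qword(hex_text), state), "x")


if __name__ == "__main__":
    # Constructed sample values, not read from a real server.
    for current in ("0", "1000", "1000000001000"):
        print(f"{current:>14} ({font_state(parse_qword(current))}) -> off: "
              f"{value_to_type(current, 'off')}")
    # Adding the "off" value on top of an existing "on" value sets both bits,
    # which is audit mode rather than off.
    naive = parse_qword("1000000001000") + parse_qword("2000000000000")
    print(f"naive sum {naive:x} decodes as {font_state(naive)}")
```

When the policy is already on, the font-blocking bits have to be replaced rather than added to, which is why the helper clears the field before setting the new state.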

 

The fix for this issue has been backported to WS2019 via KB 5011551 (h/t @Dave_Dietz!)

 

Side notes:

That policy has not been recommended since 2017:
https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting...

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font...

 

With the policy enabled, there will be nothing logged in Event Viewer (see the policy for logging info) to indicate WMSVC.exe was blocked from starting.

 

Policy:

https://docs.microsoft.com/en-us/windows/security/threat-protection/block-untrusted-fonts-in-enterpr...

Last update:
‎Oct 18 2022 02:15 PM