rss.livelink.threads-in-node

Windows server 2025 Application Crashing Events

efpan — Thu, 04 Jun 2026 11:39:39 GMT

I have installed a Windows Server 2025 and after starting it in about 30 minutes the following error appears in the Windows application log .

=======================================

Log Name: Application

Source: Application Error

Date: 4/6/2026 1:51:06 μμ

Event ID: 1000

Task Category: Application Crashing Events

Level: Error

Keywords:

User: SERVER\Administrator

Computer: SERVER.efarmacy.internal

Description:

Faulting application name: backgroundTaskHost.exe, version: 10.0.26100.1, time stamp: 0x5bc61463

Faulting module name: biwinrt.dll, version: 10.0.26100.32230, time stamp: 0xb950595a

Exception code: 0xc000027b

Fault offset: 0x0000000000012713

Faulting process id: 0x1964

Faulting application start time: 0x1DCF4100B5B371A

Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe

Faulting module path: C:\Windows\System32\biwinrt.dll

Report Id: a0fa5d15-b026-4d12-a047-d965195ac338

Faulting package full name: MicrosoftWindows.Client.CBS_1000.26100.275.0_x64__cw5n1h2txyewy

Faulting package-relative application ID: Global.Accounts

Event Xml:

<Channel>Application</Channel>

<Computer>SERVER.efarmacy.internal</Computer>

</System>

<Data Name="AppName">backgroundTaskHost.exe</Data>

<Data Name="ModuleName">biwinrt.dll</Data>

<Data Name="AppPath">C:\WINDOWS\system32\backgroundTaskHost.exe</Data>

<Data Name="ModulePath">C:\Windows\System32\biwinrt.dll</Data>

<Data Name="PackageFullName">MicrosoftWindows.Client.CBS_1000.26100.275.0_x64__cw5n1h2txyewy</Data>

<Data Name="PackageRelativeAppId">Global.Accounts</Data>

</EventData>

</Event>

===========================================

I have already done the actions to check the files. The check does not find any problems but the problem continues to appear.

"DISM.exe /Online /Cleanup-image /Restorehealth"

"sfc /scannow".

I would like to know if anyone else has faced this problem and if there is a solution for it.

Thanks in advance .

Remote desktop app hangs when opening a new process

ClayFrie — Mon, 01 Jun 2026 14:42:00 GMT

I have a windows remote desktop server, windows server 2022. We have a few programs we allow access to people published as remote apps. One of the programs exports to Excel by opening excel, creates the workbook/worksheet, but the window does not show and the program hangs waiting for excel to close. The user can't see excel and therefore can't close excel so they are stuck. as an admin, I can connect to the remote desktop server and end task on their excel instance and then they can continue working.

Is there a way to allow the excel window to show when opened by a remote app?

We prefer to only allow our users access to the one app they need to run instead of a desktop.

Windows Server Datacenter: Azure Edition preview build 29595 now available in Azure

StaceyCL_RM — Wed, 27 May 2026 19:16:12 GMT

Hello Windows Server Insiders!

We welcome you to try Windows Server vNext Datacenter: Azure Edition preview build 29595 in both Desktop experience and Core version on the Microsoft Server Operating Systems Preview offer in Azure. Azure Edition is optimized for operation in the Azure environment. For additional information, see Preview: Windows Server VNext Datacenter (Azure Edition) for Azure Automanage on Microsoft Docs. For more information about this build, see Announcing Windows Server vNext Preview Build 29595 | Microsoft Community Hub.

Announcing Windows Server vNext Preview Build 29595

StaceyCL_RM — Tue, 26 May 2026 17:02:07 GMT

Hello Windows Server Insiders!

Today we are pleased to release a new build of the next Windows Server Long-Term Servicing Channel (LTSC) Preview that contains both the Desktop Experience and Server Core installation options for Datacenter and Standard editions and Azure Edition (for VM evaluation only). Branding remains Windows Server 2025 in this preview - when reporting issues please refer to Windows Server vNext preview.

Build 29531 established a new Server preview baseline build. Please perform a clean install of Build 29531 (or later) using the installation media linked below.

Please note: Upgrades from Windows Server vNext preview builds older than 29531 are not supported. We encourage all Windows Server vNext preview users to perform a clean install using 29531 or later to successfully upgrade to future Windows Server vNext preview builds.

While upgrades from earlier Windows Server previews (Build 26525 and older) are not technically blocked by setup.exe, a number of known issues have been identified related to upgrades necessitating the establishment of a new baseline build for our Server vNext Preview Program.
The new baseline build (29531) will not be Flighted due to upgrade issues. Flighting support resumed with preview build 29550 or later.

What's New

Quick Machine Recovery available in Windows Server vNext Insider Previews.

Quick machine recovery (QMR) is now available for Server vNext Insiders to test. This feature enables the recovery of Windows Server devices when they encounter boot critical errors that prevent them from booting. QMR can automatically search for cloud‑based remediations to recover from widespread boot failures significantly reducing the burden on IT administrators when multiple devices are impacted. This supports the goals of the Windows Resiliency Initiative by enabling applicable fixes to be delivered through trusted Windows Update to restore affected devices, helping reduce downtime and minimize manual recovery efforts across enterprise environments.

This feature is currently enabled in the latest Server vNext Insider builds for customers to experience test mode. A Group Policy option to enable or disable the feature will be introduced in upcoming builds to provide additional administrative control.

To simulate the quick machine recovery experience, use the following commands from an elevated command prompt:

1. Enable test mode:

reagentc.exe /SetRecoveryTestmode

2. Configure Windows to boot to Windows Recovery Environment on the next boot:

reagentc.exe /BootToRe

3. Reboot your device. The system goes through autoremediation of a simulated crash safely and reboots back to Windows Server.

For more information, please review Quick machine recovery (QMR) and Windows Resiliency Initiative. When providing feedback using Feedback hub, please select QMR from the Recovery and Uninstall category in the app.

NVMe-over-Fabrics (NVMe-oF) extends the NVMe protocol—originally designed for local PCIe-attached SSDs—across a network fabric. Instead of using legacy SCSI-based protocols such as iSCSI or Fibre Channel, NVMe-oF allows a host to communicate directly with remote NVMe controllers using the same NVMe command set used for local devices. In this Insider build, Windows Server supports:

NVMe-oF over TCP (NVMe/TCP), allowing NVMe-oF to run over standard Ethernet networks without specialized hardware.
NVMe-oF over RDMA (NVMe/RDMA), enabling low-latency, high-throughput NVMe access over RDMA-capable networks (for example, RoCE or iWARP) using supported RDMA NICs.

For more information, please visit: Introducing the Windows NVMe-oF Initiator Preview in Windows Server Insiders Builds | Microsoft Community Hub

ReFS Boot is enabled for Windows Server vNext preview builds.

Known Limitations

ReFS Boot systems create a minimum 2GB WinRE partition.
When WinRE cannot be updated due to space constraints, the system may disable WinRE. Disabling WinRE does not remove the partition.
If the WinRE partition is deleted and the boot volume is extended over it, this operation is unrecoverable without a clean install.

For more information, please visit: Resilient File System (ReFS) overview | Microsoft Learn

Feedback Hub app is available for Server Desktop users!  The app should automatically update with the latest version, but if it does not, simply Check for updates in the app’s settings tab.

Known Issues

Server Core Upgrades and AppCompat FOD: Enabling AppCompat FOD after reinstall may fail due to legacy 3rd-party license compatibility issues on Server Core devices. Server Core users may be unable to install the latest AppCompat FOD after upgrading to build 29574. This appears to be limited to Server Core installations with 3rd-party application licenses that fail compatibility checks after upgrade. This will be addressed in a future build.

Upgrading from older builds of Windows Server vNext previews (26525 or older) are not supported. Please perform a clean install of build 29531 or later. Users may experience failures when attempting to upgrade from earlier previews (build 26525 and older). VMs may fail to upgrade or start after upgrade from older preview builds impacting live migration and failover cluster scenarios.

Download Windows Server Insider Preview (microsoft.com) Flighting: The label for this flight may incorrectly reference Windows 11. However, when selected, the package installed is the Windows Server vNext update. Please ignore the label and proceed with installing your flight. This issue will be addressed in a future release.

Available Downloads

Downloads to certain countries may not be available. See Microsoft suspends new sales in Russia - Microsoft On the Issues.

Windows Server Long-Term Servicing Channel Preview in ISO format in 18 languages, and in VHDX format in English only. 
Windows Server Datacenter Azure Edition Preview in ISO and VHDX format, English only.
Microsoft Server Languages and Optional Features Preview

 Keys: Keys are valid for preview builds only 

Server Standard: MFY9F-XBN2F-TYFMP-CCV49-RMYVH
Datacenter: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
Azure Edition does not accept a key.

Symbols:  Available on the public symbol server – see Using the Microsoft Symbol Server. 

Expiration: This Windows Server Preview will expire September 15, 2026.

How to Download

Registered Insiders may navigate directly to the Windows Server Insider Preview download page. If you have not yet registered as an Insider, see GETTING STARTED WITH SERVER on the Windows Insiders for Business portal.

We value your feedback!

The most important part of the release cycle is to hear what's working and what needs to be improved, so your feedback is extremely valued. Please use the new Feedback Hub app for Windows Server if you are running a Desktop version of Server. If you are using a Core edition, or if you are unable to use the Feedback Hub app, you can use your registered Windows 10 or Windows 11 Insider device and use the Feedback Hub application.  In the app, choose the Windows Server category and then the appropriate subcategory for your feedback. In the title of the Feedback, please indicate the build number you are providing feedback on as shown below to ensure that your issue is attributed to the right version:

     [Server #####] Title of my feedback

See Give Feedback on Windows Server via Feedback Hub for specifics.

The Windows Server Insiders space on the Microsoft Tech Communities supports preview builds of the next version of Windows Server. Use the forum to collaborate, share and learn from experts.  For versions that have been released to general availability in market, try the Windows Server for IT Pro forum or contact Support for Business.

Diagnostic and Usage Information

Microsoft collects this information over the internet to help keep Windows secure and up to date, troubleshoot problems, and make product improvements. Microsoft server operating systems can be configured to turn diagnostic data off, send Required diagnostic data, or send Optional diagnostic data. During previews, Microsoft asks that you change the default setting to Optional to provide the best automatic feedback and help us improve the final product.

Administrators can change the level of information collection through Settings. For details, see http://aka.ms/winserverdata. Also see the Microsoft Privacy Statement.

Terms of Use

This is pre-release software - it is provided for use "as-is" and is not supported in production environments. Users are responsible for installing any updates that may be made available from Windows Update. All pre-release software made available to you via the Windows Server Insider program is governed by the Insider Terms of Use.

Creating parent reverse lookup zone when child zones already exist — what happens?

pa5424847 — Tue, 26 May 2026 00:09:52 GMT

We have an AD-integrated DNS environment that has accumulated a large number of reverse lookup zones over time, created without any parent zone — essentially DNS sprawl from years of admins creating individual subnet zones rather than working from a parent.

We currently have approximately 80+ reverse lookup zones including:

Dozens of x.10.in-addr.arpa zones covering various 10.x.x.x subnets
Multiple x.172.in-addr.arpa zones
A handful of others including 100.192.10.in-addr.arpa, 168.192.in-addr.arpa, 204.167.in-addr.arpa, 215.204.167.in-addr.arpa, 135.7.in-addr.arpa

None of these were ever delegated from a parent zone — they were just created independently. The 10.in-addr.arpa zone does not exist.

Domain controllers are a mix of Windows Server 2019 Standard (majority) and Windows Server 2025 Standard.

Our goal is to create 10.in-addr.arpa as the consolidation point going forward — new registrations go there, and we migrate existing child zones into it one at a time, deleting old ones as we go at a pace we're comfortable with.

Before touching anything, we need to understand what creating 10.in-addr.arpa will actually do to the existing child zones.

Specifically:

Will existing records in the child zones be deleted? We've seen the TechNet article documenting records vanishing when creating a child zone under an existing parent — does the same destructive behaviour occur in the reverse direction?
Will auto-delegations be created in the new parent zone pointing to the existing child zones, and if so how quickly?
Will the child zones continue to function normally for queries while the parent exists alongside them?
Will dynamic registration start hitting the parent zone for subnets not covered by an existing child zone, or will something unexpected happen?

We can't test this in a lab as we don't have a replica environment available, and can't risk touching production without understanding the behaviour first. Pointers to any documentation covering this specific scenario would also be appreciated — we've been unable to find anything that addresses creating the parent after the children already exist independently.

Windows Server Datacenter: Azure Edition preview build 29585 now available in Azure

StaceyCL_RM — Fri, 15 May 2026 20:38:42 GMT

Hello Windows Server Insiders!

We welcome you to try Windows Server vNext Datacenter: Azure Edition preview build 29585 in both Desktop experience and Core version on the Microsoft Server Operating Systems Preview offer in Azure. Azure Edition is optimized for operation in the Azure environment. For additional information, see Preview: Windows Server VNext Datacenter (Azure Edition) for Azure Automanage on Microsoft Docs. For more information about this build, see Announcing Windows Server vNext Preview Build 29585 | Microsoft Community Hub.

Entra Connect

Bridgman1 — Thu, 14 May 2026 14:26:07 GMT

Is user writeback available?

What about group writeback?

Devices Writeback?

How to use / enable them?

Do we know when this write-back will be GA? I have a cx who wants extensive write-back capabilities for all fields.

Enforcing LDAP Signing breaks ADDS Replication (repadmin.exe)

DoJU70 — Mon, 11 May 2026 23:22:18 GMT

Hi All,

After months of auditing Event ID 2889 and remediating application simple binds (clear text usernames/passwords over the wire), I was left with only SASL binds (that do not use signing).

I proceeded to set LDAP signing to 'negotiate' as per the GPOs below, and several dozen Microsoft KBs and from the community e.g..

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-signing-in-windows-server

Default Domain Controllers Policy

Domain controller: LDAP server signing requirements:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it

Default Domain Policy

Network security: LDAP client signing requirements:

Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.

I still noted 1,000s of Event ID 2889s (0 – SASL Bind that does not use signing), primarily from DCs, and ::1 addresses

I proceeded with enforcing LDAP signing ("Require Signing" for both GPO settings above) and noted:

LDAP authentication was occurring via Kerberos (SASL/SPNEGO) with simple binds blocked as per tracing (and ldp.exe) confirmations:

Error <8>: ldap_simple_bind_s() failed: Strong Authentication Required

Error 0x2028 A more secure authentication method is required for this server.

However, I came to work the next day and performed a manual replication:

Repadmin /Syncall /APeD

LDAP error 8 (Strong Authentication Required) Win32 Err 5.

So I had to revert back to Negotiate.

How can customers enforce LDAP signing if common Microsoft ADDS executables like repadmin.exe still use Simple Binds?

Any ideas appreciated, thank you in advance.

Steve

Announcing Windows Server vNext Preview Build 29585

StaceyCL_RM — Mon, 11 May 2026 17:06:03 GMT

Hello Windows Server Insiders!

Build 29531 established a new Server preview baseline build. Please perform a clean install of Build 29531 (or later) using the installation media linked below.

While upgrades from earlier Windows Server previews (Build 26525 and older) are not technically blocked by setup.exe, a number of known issues have been identified related to upgrades necessitating the establishment of a new baseline build for our Server vNext Preview Program.
The new baseline build (29531) will not be Flighted due to upgrade issues. Flighting support resumed with preview build 29550 or later.

Please join us this week for Windows Server Summit 2026

Windows Server Summit 2026 is happening this week (May 11 - May 13). Please join us for this online event to learn about the latest updates in Windows Server 2025 and what's coming in vNext. For more information and to register, please visit Windows Server Summit - May 11-13, 2026 - Microsoft Event page.

What's New

Quick Machine Recovery available in Windows Server vNext Insider Previews.

This feature is currently enabled in the latest Server vNext Insider builds for customers to experience test mode. A Group Policy option to enable or disable the feature will be introduced in upcoming builds to provide additional administrative control.

To simulate the quick machine recovery experience, use the following commands from an elevated command prompt:

1. Enable test mode:

reagentc.exe /SetRecoveryTestmode

2. Configure Windows to boot to Windows Recovery Environment on the next boot:

reagentc.exe /BootToRe

3. Reboot your device. The system goes through autoremediation of a simulated crash safely and reboots back to Windows Server.

NVMe-oF over TCP (NVMe/TCP), allowing NVMe-oF to run over standard Ethernet networks without specialized hardware.
NVMe-oF over RDMA (NVMe/RDMA), enabling low-latency, high-throughput NVMe access over RDMA-capable networks (for example, RoCE or iWARP) using supported RDMA NICs.

For more information, please visit: Introducing the Windows NVMe-oF Initiator Preview in Windows Server Insiders Builds | Microsoft Community Hub

ReFS Boot is enabled for Windows Server vNext preview builds.

Known Limitations

ReFS Boot systems create a minimum 2GB WinRE partition.
When WinRE cannot be updated due to space constraints, the system may disable WinRE. Disabling WinRE does not remove the partition.
If the WinRE partition is deleted and the boot volume is extended over it, this operation is unrecoverable without a clean install.

For more information, please visit: Resilient File System (ReFS) overview | Microsoft Learn

Known Issues

Available Downloads

Downloads to certain countries may not be available. See Microsoft suspends new sales in Russia - Microsoft On the Issues.

Windows Server Long-Term Servicing Channel Preview in ISO format in 18 languages, and in VHDX format in English only. 
Windows Server Datacenter Azure Edition Preview in ISO and VHDX format, English only.
Microsoft Server Languages and Optional Features Preview

 Keys: Keys are valid for preview builds only 

Server Standard: MFY9F-XBN2F-TYFMP-CCV49-RMYVH
Datacenter: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
Azure Edition does not accept a key.

Symbols:  Available on the public symbol server – see Using the Microsoft Symbol Server. 

Expiration: This Windows Server Preview will expire September 15, 2026.

How to Download

We value your feedback!

     [Server #####] Title of my feedback

See Give Feedback on Windows Server via Feedback Hub for specifics.

Diagnostic and Usage Information

Administrators can change the level of information collection through Settings. For details, see http://aka.ms/winserverdata. Also see the Microsoft Privacy Statement.

Terms of Use

Windows Server 2025 DC — LSASS handle leak identified via WinDbg — authz!AuthzpDeQueueThreadWorker

RugAmin1 — Sat, 09 May 2026 00:47:09 GMT

Hello All!! Im having a problem, LSASS crashes on a Windows Server 2025 Domain Controller, I identified what appears to be the root cause using WinDbg memory dump analysis. Sharing this hoping someone else has seen it or Microsoft can confirm.

The Problem

LSASS handle count grows continuously over time and eventually crashes with a 0xC0000005 access violation (Event ID 1015). After a reboot the cycle repeats. The growth rate correlates with authentication load and faster during peak hours, slower overnight.

WinDbg Dump Analysis

Captured LSASS dump at high handle count and ran !handle 0 f:

Token handles: overwhelmingly dominant Everything else: negligible

Every leaked token shows:

GrantedAccess: 0x8 (TOKEN_QUERY only) PointerCount: overflowed to negative integer

Running !findstack authz 2 shows multiple worker threads all sitting in:

authz!AuthzpDeQueueThreadWorker

What Was Tested And Eliminated

Stopped or disabled each individually and measured handle growth rate — zero meaningful difference from any:

- Antivirus (all components) - Backup software - Application services - VSS snapshots - Hardware management agents etc..

Environment

OS: Windows Server 2025, fully patched with the latest updates including April LSASS update. Role: Domain Controller DNS PAM: Not active.

Conclusion

Token handles are opened with TOKEN_QUERY access inside authz!AuthzpDeQueueThreadWorker and never released. Reference counter overflows to negative integer. Growth rate scales directly with authentication load.

Current workaround: reboots during off hours.

Has anyone else seen this pattern on Windows Server 2025? Is there a known fix or Microsoft acknowledgment for this specific authz token handle leak?

The End is Nigh for DES and an Update for hunting down RC4

Chris_Cartwright — Fri, 08 May 2026 15:45:53 GMT

Note: 3/5/2026 The Event Forwarding methods mentioned here is not yet compatible with Server 2025. This post will be updated when it is no longer the case. This blog was originally posted last year, but got "lost." It has been updated a little to reflect recent events and will likely have some overlap.

Hello again all, Chris Cartwright here from the Directory Services support team. We released the plan to remove DES as an encryption type for Kerberos completely. We also released identification scripts to assist with this at microsoft/Kerberos-Crypto: Tools and information regarding Windows Kerberos cryptography. We have also released Beyond RC4 for Windows authentication | Microsoft Windows Server Blog and then the first patching efforts in support of RC4 deprecation in How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833 - Microsoft Support.

I wanted to provide a brief update for XML filtering that was illustrated in the previous blog post, So, you think you’re ready for enforcing AES for Kerberos?. I will reference this blog post quite a bit. While I don’t expect readers of this blog to be using DES, I still wanted to make sure that the information was out there. Additionally, the Events 4768 and 4769 have been updated with additional information when issuing tickets. The XML here is also modified to support that.

XML Filters

Here are the XML filters you can leverage to find specific events.

Hunting down DES tickets issued

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='TicketEncryptionType']='0x1']]
</Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='TicketEncryptionType']='0x2']]
</Select>
  </Query>
  <Query Id="2" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='TicketEncryptionType']='0x3']]
</Select>
  </Query>
</QueryList>

Hunting down only legacy keys available:

There will be more information on this in a later blog post.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='AccountAvailableKeys']='RC4, DES']]
</Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='ServiceAvailableKeys']='RC4, DES']]
</Select>
  </Query>
  <Query Id="3" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='DCAvailableKeys']='RC4, DES']]
</Select>
  </Query>
  <Query Id="4" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='AccountAvailableKeys']='RC4']]
</Select>
  </Query>
  <Query Id="5" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='ServiceAvailableKeys']='RC4']]
</Select>
  </Query>
  <Query Id="6" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='DCAvailableKeys']='RC4']]
</Select>
  </Query>
</QueryList>

Hunting down RC4 Tickets issued:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[
        Data[@Name='TicketEncryptionType']='0x17' or
        Data[@Name='SessionKeyEncryptionType']='0x17'
      ]]
    </Select>
  </Query>
</QueryList>

Custom Event Forwarder targets

If you choose to, you can leverage this XML file (or create your own) for Event forwarding described in the previous blog and get this for targets:

Manifest text

<?xml version="1.0"?>
<instrumentationManifest xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd" xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace">
              <instrumentation>
                           <events>
                                         <provider name="WEC-Legacy Hunter" guid="{8D8635E8-3573-49B6-A5CE-A91601E1B5D9}" symbol="EvtFwdLegHunt" resourceFileName="C:\Windows\system32\Legacy-Hunter-WEC.dll" messageFileName="C:\Windows\system32\Legacy-Hunter-WEC.dll">
                                                       <channels>
                                                                     <channel name="RC4 Keys Only" chid="RC4 Keys Only" symbol="RC4KeysOnly" type="Operational" enabled="true" message="$(string.WEC-Legacy-Hunter.channel.RC4KeysOnly.message)"></channel>
                                                                     <channel name="RC4 Used" chid="RC4 Used" symbol="RC4Used" type="Operational" enabled="true" message="$(string.WEC-Legacy-Hunter.channel.RC4Used.message)"></channel>
                                                                     <channel name="DES Used" chid="DES Used" symbol="DESUsed" type="Operational" enabled="true" message="$(string.WEC-Legacy-Hunter.channel.DESUsed.message)"></channel>
                                                       </channels>
                                         </provider>
                           </events>
              </instrumentation>
              <localization>
                           <resources culture="en-US">
                                         <stringTable>
                                                       <string id="WEC-Legacy-Hunter.channel.RC4Used.message" value="RC4 Ticket issued"></string>
                                                       <string id="WEC-Legacy-Hunter.channel.RC4KeysOnly.message" value="RC4 Keys Only"></string>
                                                       <string id="WEC-Legacy-Hunter.channel.DESUsed.message" value="DES Ticket issued"></string>
                                         </stringTable>
                           </resources>
              </localization>
</instrumentationManifest>

Visual Studio

Previous steps for configuring Visual Studio are in the previous blog post referred to earlier. In order to get the WEC-Legacy-Hunter event logs as shown above, create a New Windows Desktop Wizard Project

Click Create, and choose Dynamic Link Library as Application type. Make sure Empty Project is checked.

Right click on the right side and choose Add Existing Item

Select the .rc and .h files.

You should see the files showing in the project as shown below:

On the top Menu bar, select Project->Properties, and set /NOENTRY under Linker\Advanced.

Then, in the top Menu bar, click Build->Build Solution. In your project folder, there will be a dll file under .\x64\Debug.

You can leverage the steps from the previous blog to install the manifest and point each subscription to the intended destination event log like so:

See previous blog for more details on configuring Event Forwarding.

Once again, good hunting!

AD Recycle Bin – “The specified value already exists” but Recycle Bin is non‑functional

LBXComputers — Fri, 08 May 2026 08:02:08 GMT

I am unable to enable the Active Directory Recycle Bin in an on‑premises Active Directory forest.

Environment

On‑prem AD DS
Forest Functional Level: Windows2016Forest
Mixed DC versions (2016 / 2022)

When attempting to enable the Recycle Bin using the following command:

Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "domain.local"

the operation fails with the error:

“The specified value already exists”

However, the AD Recycle Bin is clearly not operational.

Observed behaviour

Deleted objects are hard‑deleted immediately
Nothing ever appears under CN=Deleted Objects
LDAP queries using (isDeleted=TRUE) return no results
msDS-deletedObjectLifetime and tombstoneLifetime are unset (defaults)
CN=Optional Features does not exist in the Configuration naming context

Running:

Get-ADOptionalFeature "Recycle Bin Feature"

shows EnabledScopes referencing an NTDS Settings object, rather than the forest naming context (e.g. DC=domain,DC=local).

This strongly suggests that the Recycle Bin optional feature has never been successfully enabled at forest scope, but the environment is now in a state where the enable command is blocked because AD believes it already exists.

At present:

Recycle Bin is non‑functional
Deleted objects cannot be recovered
Re‑enabling the feature is not possible via PowerShell or ADAC

Has anyone seen this state before, or is aware of a supported method to:

correct the optional feature metadata, or
complete Recycle Bin enablement properly at forest scope?

Any guidance would be appreciated, especially if this requires Microsoft AD DS intervention rather than a configuration change.

(Microsoft support routing has been problematic, so I’m hoping someone here may have encountered this scenario before.)

CXL Memory Expansion on WinServer 2025

isheaffer — Fri, 01 May 2026 15:45:04 GMT

I'm looking to find out if on window server 2025 is CXL Type 3 in memory expansion mode is validated "GA" and if so which cxl devices. I'm having issues finding this information. Anyone know and able to share?

Announcing Native PowerShell Tooling for ReFS Snapshots

Christina_Curlette — Fri, 01 May 2026 00:30:50 GMT

We’re excited to share a new open-source PowerShell module on GitHub that provides PowerShell-native management of ReFS snapshots. It wraps the existing refsutil streamsnapshot in cmdlets designed for scripting and automation, with pipeline support and consistent error handling.

If you’re already using ReFS for resilient storage on Windows Server or client, this tooling makes it significantly easier to integrate ReFS snapshots into your existing PowerShell-based management and automation workflows.

Why PowerShell-native ReFS snapshot management?

ReFS has long supported stream-level snapshots through the refsutil streamsnapshot command-line utility, enabling point-in-time capture of individual files or streams rather than an entire volume or filesystem. This makes stream snapshots well suited for targeted comparison or recovery scenarios where full volume snapshots would be unnecessary or too heavyweight. While powerful, refsutil was designed as a low-level utility—not easy to compose into scripts, pipelines, or scheduled automation.

The ReFSSnapshots PowerShell module addresses that gap by exposing ReFS snapshot functionality through idiomatic PowerShell cmdlets, making snapshots easier to:

Automate as part of routine server operations

Integrate into existing PowerShell scripts and modules

Apply consistently across many files or volumes using the pipeline

Manage safely with parameter validation and structured error handling

What the ReFSSnapshots module provides

The ReFSSnapshots module supports the following capabilities:

Create snapshots of files or streams at a specific point in time

List snapshots, including wildcard-based queries

Delete snapshots with confirmation safeguards

Compare snapshots against the current file state

Restore files from a previous snapshot state

Export snapshots to standalone files on any volume

Automate snapshot creation via Task Scheduler

Apply retention policies to clean up older snapshots automatically

All cmdlets are designed with pipeline support, so they can be composed alongside existing storage, monitoring, or validation scripts.

Some common scenarios that this module addresses include:

Operational safety points taken before patching, upgrades, or configuration changes

Automated comparison workflows, where changes between known states need to be evaluated programmatically

Scripted maintenance jobs that incorporate snapshot creation and cleanup as part of routine operations

Advanced Windows client or workstation scenarios using ReFS for large datasets, development artifacts, or experimental workflows, where lightweight, file‑level snapshots are useful without introducing a full backup solution

Getting started

Setup instructions, documentation, and examples are available in the GitHub repository.

System requirements

Windows Server 2019+ or Windows 10+

An ReFS-formatted volume (version 3.7 or later)

PowerShell 5.1 or newer (including PowerShell Core)

Examples

The following snippets are drawn from the module's GitHub examples and mapped to the scenarios called out above. They illustrate how ReFSSnapshots can be composed into routine operations, comparison workflows, scheduled maintenance, and lightweight workstation use.

Operational safety point before a configuration change — Take a named snapshot of a critical file immediately before applying a server configuration update, so you have a known-good point to compare against or restore from.

New-RefsSnapshot -Path D:\Data\database.dat -Name "PreChange_$(Get-Date -Format 'yyyyMMdd_HHmm')"

Automated comparison workflow — List recent snapshots for a file and compare the most recent one against the current state to evaluate what has changed since the last known baseline.

Get-RefsSnapshot -Path D:\Data\database.dat -Name "PreChange_*" | 
    Sort-Object SnapshotName -Descending | 
    Select-Object -First 1 | 
    Compare-RefsSnapshot

Scripted maintenance job with retention — Register a daily scheduled task that automatically creates snapshots of a database file and keeps only the most recent 14, so older snapshots are cleaned up as part of routine operations.

Register-RefsSnapshotSchedule -Path D:\Data\database.dat -Interval Daily -At "2:00 AM" -RetentionCount 14

Lightweight workstation snapshots for development artifacts — Use the pipeline to create a single named snapshot across many files in a working directory—useful on a Windows client when you want a quick, file-level safety net before an experimental change, without standing up a full backup solution.

Get-ChildItem E:\Repos\MyProject\artifacts\*.bin | 
    New-RefsSnapshot -Name "BeforeRefactor_$(Get-Date -Format 'yyyyMMdd')"

Try it out!

ReFSSnapshots provides a PowerShell-native surface over existing ReFS stream snapshot capabilities, enabling composable, scriptable file-level snapshot management on supported Windows Server and client systems. Give it a try and share your feedback on GitHub.

‑‑ Christina Curlette

Windows Server 2025 update with error 0x80073712

madurantia — Thu, 30 Apr 2026 19:46:44 GMT

Hello

Can I have some help?

Windows Server 2025 Std, V 24H2, OS build: 26100.32522

The 2026-04 Security Update (KB5082063) (26100.32690) fails with the following error:

Installation failed: Windows failed to install the following update with error 0x80073712: 2026-04 Security Update (KB5082063) (26100.32690).

Thanks in advance

MadUrantia

Troubleshooting TPM Certificate: How to Fix the "Missing Stored Keyset" Error

mdhabibnawaz — Thu, 30 Apr 2026 15:18:25 GMT

Understanding the "Missing Stored Keyset" Error

The "missing stored keyset" error typically appears when an application or service cannot find a necessary key within the system's Key Storage Provider (KSP). This can result from various underlying causes, including corrupted registry keys, improper configurations, or expired certificates. Below are some potential causes of this error:

Corrupted Registry Entries: Sometimes, entries related to certificate keys might become corrupt, causing access issues.

Permissions Issues: Inadequate permissions can prevent the necessary access to retrieve or manage keys.

Software Bugs or Misconfiguration: System or application-specific bugs or incorrect configurations might cause improper handling of the TPM-stored certificates.

Step-by-Step Guide to Fix "Missing Stored Keyset"

Here's a troubleshooting process to resolve this error. Ensure you have administrative privileges on the system.

Step 1: Windows Update and TPM Firmware

Ensure Latest Windows Updates:

Access Settings by pressing Windows Key + I and click Update & Security.

Ensure the system is up to date as newer patches often resolve TPM issues.

Firmware Update:

Check the manufacturer’s site for the latest TPM firmware and BIOS updates specific to your model, especially for addressing known issues and bugs.

Step 2: Verify TPM Initialization and Ownership

Before diving deeper, ensure that the TPM is initialized, and the system has clear ownership of it:

Open the TPM Management Console by typing tpm.msc in the Run dialog.

Verify that the status states: "The TPM is ready for use."

Step 3: Verify Certificate Keysets or Store

To verify the Platform cryptographic provider certificate using cmd.exe, use the following steps:

Open cmd.exe as Administrator.

Run the command: CertUtil -CSP "Microsoft Platform Crypto Provider" -Key

To verify the local machine certificate using cmd, use the following steps:

Open Cmd as Administrator.

Execute the command: CertUtil -v -VerifyStore MY

Step 4: Repair Certificate Keysets

If registry or keyset corruption is suspected, follow these steps:

Open Cmd as Administrator.

Execute the command: CertUtil -RepairStore MY "SerialNumber"

Step 5: Check and Reset Permissions

Correct any permissions related problems:

Open the Certificates MMC Snap-in for the local computer (certlm.msc).

Locate the specific certificate.

Right-click and select All Tasks > Manage Private Keys.

Ensure that necessary accounts (such as SYSTEM, Service or application account, and the user account) have Full Control.

Step 6: Re-enroll Certificates if Necessary

Certificate reports “Missing stored Keyset”

CertUtil RepairStore command fails.

If reports for "Missing stored keyset" persist and repair fails, certificates may need to be restored or re-enrolled:

Request and issue new certificates using your organizational procedures.

Conclusion

Encountering a "missing stored keyset" error with a TPM can be frustrating but can usually be resolved with a methodical approach. By ensuring that the TPM is functional, managing security permissions correctly, checking certificate validity, and keeping systems up to date, this issue can be mitigated. If these steps do not resolve the problem, reaching out to Microsoft Support or consulting the device manufacturer's guidelines may provide additional assistance. For more detailed documentation on troubleshooting TPM errors, please visit Microsoft’s official TPM Technology Documentation. Trusted Platform Module Technology Overview | Microsoft Learn

Remember, always ensure a data backup strategy when dealing with cryptographic components to avoid unexpected data loss. These steps can help guide you through fixing the “missing stored keyset” error for TPM certificates effectively. As always, stay informed and backed up. Proper understanding and manipulation of TPM can bolster the security and trustworthiness of your systems. Keep striving for a more secure enterprise environment, and feel free to comment below if you have additional questions or suggestions from your experiences. Until next time, happy troubleshooting!

Opt-In Windows Server 2025 Feature Update from the WS 2022 and WS 2019 Settings Dialog

Rob-Hindman — Wed, 29 Apr 2026 18:24:14 GMT

This capability allows customers who want to in-place upgrade their servers to Windows Server 2025 to upgrade using the Windows Update service, and without the need for Windows Server 2025 physical media. On the Windows Server team, we aim for 100% application compatibility, and we are confident that most applications and services will continue to work well after the in-place upgrade to Windows Server 2025.

We recognize that in-place upgrade will not be used by all organizations for all of their servers – some organizations will prefer to perform a clean install, I.E., reformatting the system drive, installing Windows Server 2025, and then re-installing applications and services. Other organizations embrace in-place upgrade because it’s quick and they can avoid re-installing applications and services. Some organizations will use a combination of clean install and in-place upgrade approaches, depending on the role of each server.

Planning For the Upgrade

Plan on a gradual roll-out of Windows Server 2025 across your server estate, starting with the least critical servers. We encourage customers to verify upgrade to Windows Server 2025 in a test environment to gain experience with the upgrade process, before upgrading production servers. The time needed to upgrade each server will depend on the performance of the server, the number of applications running on the server, and the number of users on the server. Backup / snapshot and upgrading to Windows Server 2025 usually takes two hours per server.

Check with your system administrator – server upgrades should be carefully coordinated to avoid downtime and workload outages – a maintenance window may need to be scheduled.
Check that Group Policy configuration is correct – in some cases Windows Updates can be installed by non-administrative users. To learn more about blocking users from scanning and applying Windows Updates, see Step 4 - Configure Group Policy Settings for Automatic Updates | Microsoft Learn. Note that some organizations will create a special upgrade OU for their server upgrade process. Customized GPOs can also be used to schedule and manage server updates, to implement a rolling upgrade of servers and managing maintenance windows.
Check if you need to purchase a product key for Windows Server 2025. Windows Server 2019 and Windows Server 2022 volume license customers with active Software Assurance do not need to purchase a product key for Windows Server 2025. However, customers who are using the Retail or OEM licensed versions of Windows Server 2019 and Windows Server 2022 will have to purchase a Windows Server 2025 product key.
Check and validate successful activation with your organization’s KMS for Windows Server activation, to validate that it has been loaded with a valid Windows Server 2025 key. After upgrading to Windows Server 2025, each server will need to be activated using a valid activation method: KMS, Active Directory‑based Activation, or MAK using slgmr or VAMT tools.
Check that you are not using in-place upgrade on a domain controller. We recommend a clean install of Windows Server 2025 for domain controllers, first joining at the Windows Server 2016 domain and forest functional levels, and then upgrading the domain and forest functional levels after all the domain controllers are running Windows Server 2025. See this guidance for the steps to upgrade domain controllers: Upgrade domain controllers to a newer version of Windows Server | Microsoft Learn.
Check that you are not using in-place upgrade on a failover cluster node in isolation – we recommend following the failover clustering upgrade guidance for upgrading failover cluster nodes: Upgrade the OS of a Windows Server failover cluster by performing a cluster OS rolling upgrade | Microsoft Learn.
Check that each server has at least 30-40 GB of free space on the System Disk – low amounts of free space can cause the upgrade process to fail, and is the leading cause of In-place Upgrade failures.
Check pricing, best practices, license terms, and privacy policy: Windows Server pricing guide: Windows Server 2025 Licensing & Pricing | Microsoft. Server Upgrade planning guidance: Plan Your Windows Server Upgrade Path | Microsoft Learn. Windows Server licensing terms are here: Useterms. Microsoft’s privacy policy: Microsoft Privacy Statement – Microsoft privacy
Check online documentation for in-place upgrade for further details: Upgrade Windows Server in Place | Microsoft Learn.
Opt-In Windows Server 2025 Feature Update from the Windows Server 2022 and Windows Server 2019 Settings Dialog should work for any system, physical or virtual – if it can connect to Windows Update, and if the system meets the prerequisites.

Steps for Installing the Windows Server 2025 Feature Update on Windows Server 2019 or Windows Server 2022 Desktop Experience

Install the 2026-03 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5078766) or later for Windows Server 2022.

Install 2026-03 Cumulative Update for Microsoft server operating system for x64-based Systems (KB5078752) or later for Windows Server 2019.

Note that it may be necessary to reboot the server after installing Quality and Security Updates.

2. Backup / snapshot the server, and if time permits, perform a restore test on a separate server.

3. Stop applications and services running on the server.

4. Add the opt-in registry key to the server using PowerShell or using the Registry Editor:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate"

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Name "AllowWindowsServerFeatureUpdate" -PropertyType DWord -Value 1

Note that adding these values can also be automated using Group Policy Objects (GPO), see: Configure Windows Update client policies via Group Policy | Microsoft Learn.

5. The Windows Server 2025 Feature Update will be offered in the Settings Dialog, in the Windows Update section, select Download and Install.

6. Read the Important Information pop-up dialog, press Accept and install:

7. The Windows Server 2025 Feature Update will download and install (in-place upgrade on the server) and will prompt for Reboot.

See Post-Feature Update (Post In-place Upgrade) section below

Steps for Installing the Windows Server 2025 Feature Update on Windows Server 2022 Server Core using SCONFIG

Organizations using Windows Server 2022 Server Core can also get the Windows Server 2025 Feature Update using SCONFIG.
Install the 2026-03 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5078766) or later for Windows Server 2022.

SCONFIG Option 6, 1 will scan for applicable Quality Updates and Security Updates.

Note that it may be necessary to reboot the server after installing Quality and Security Updates.

3. Backup / snapshot the server, and if time permits, perform a restore test on a separate server.

4. Stop applications and services running on the server.

5. Add the opt-in registry key to the server using PowerShell or using the Registry Editor:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate"

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Name "AllowWindowsServerFeatureUpdate" -PropertyType DWord -Value 1

Note that adding these values can also be automated using Group Policy Objects (GPO), see: Configure Windows Update client policies via Group Policy | Microsoft Learn.

6. The Windows Server 2025 Feature Update will be offered in SCONFIG, select option 6 (Install updates):

7. Select option 3 (Feature updates):

8. The Windows Server 2025 feature update will be offered if prerequisite requirements are met. Select Y to download and install the Windows Server 2025 Feature Update:

9. The Windows Server 2025 Feature Update will download and install (in-place upgrade on the server) and will Reboot.

Post-Feature Update (Post In-place Upgrade)

After installation and reboot, check that the applications and services are running correctly. If there are any issues, restore the server from backup / snapshot.
Activate the server using one of the following activation methods: KMS, Active Directory‑based Activation, or MAK using slgmr or VAMT tools.
Check Telemetry settings and any Loopback Adapter settings.
After the server is confirmed to be working, the Windows.old directory can be deleted to free up space on the system drive.
Check Windows Update for additional updates.
Evaluate if Secured-core settings and UEFI Secure boot certificates should be updated. See What is Secured-core server for Windows Server | Microsoft Learn and Secure boot | Microsoft Learn.

Troubleshooting

If there are any issues during the upgrade to Windows Server 2025, use these steps to identify the issue:

Examine the setup log file: C:\Windows\Panther\setupact.log and error log file: C:\Windows\Panther\setuperr.log
The SetupDiag tool can be downloaded for analysis of these files: SetupDiag | Microsoft Learn
Contact customer support who may request that you compress and send them the contents of the C:\Windows\Panther directory.

Send Us Your Feedback

We value your feedback and would love to hear your opinions about this capability (WS 2025 Feature Update from the WS 2019 and WS 2022 Settings Dialog with Opt-In) and any other thoughts you have on Windows Server upgrades. Did it work well for you? What improvements would you like to see in future releases?? Please write to us at this email address: WindowsServerUpdateFeedback@microsoft.com

-Windows Server Update Team.

Windows Server Datacenter: Azure Edition preview build 29574 now available in Azure

StaceyCL_RM — Wed, 29 Apr 2026 17:16:00 GMT

Hello Windows Server Insiders!

We welcome you to try Windows Server vNext Datacenter: Azure Edition preview build 29574 in both Desktop experience and Core version on the Microsoft Server Operating Systems Preview offer in Azure. Azure Edition is optimized for operation in the Azure environment. For additional information, see Preview: Windows Server VNext Datacenter (Azure Edition) for Azure Automanage on Microsoft Docs. For more information about this build, see Announcing Windows Server vNext Preview Build 29574 | Microsoft Community Hub.

Zero-downtime migration, hybrid file services: Azure File Sync

Heather_Poulsen — Fri, 15 May 2026 22:20:54 GMT

Windows Server file services are being reinvented. With the latest Azure File Sync updates aligned to Windows Server 2025, you can modernize your file estate in place. Keep the familiar performance and protocol compatibility of Windows Server while gaining the scale, resilience, and centralized management of Azure Files. The result: unparalleled hybrid value, zero-downtime migration, and a future-ready foundation for Azure Virtual Desktop, AI, and sovereign cloud scenarios. See why Azure File Sync is the fastest path to modernizing Windows file servers and unpack the new capabilities in the latest version!

This session is part of Windows Server Summit 2026.

So, You’ve disabled Windows Hello for Business, but the User can still Sign-in using a PIN

BrentCrummey — Mon, 27 Apr 2026 22:14:57 GMT

Hi, it’s Brent from the Windows Directory Services team. I recently worked a case concerning a user who had the Windows Hello for Business (“WHfB”) policy disabled, but the user could still sign-in to the computer using their PIN. As you may have guessed, the Windows admin team of the Active Directory domain for this user wanted to know how this could be and how they could remove this sign-in option from the user.

Let’s Talk About the Problem

The user retaining the ability to sign-in using their PIN wasn’t the only issue the admin team encountered. After requesting the user to remove the WHfB PIN sign-in, they discovered the option to remove the Windows Hello PIN sign-in was greyed out:

Now, it seemed there wasn’t a way to remove the user’s ability to sign-in with their WHfB PIN.

How Did We Get Here?

A Microsoft Intune policy or Windows Active Directory Group Policy Object (“GPO”) was originally enabled for this user to provision Windows Hello for Business sign-in. Sometime after the user was provisioned and using their PIN to sign-in, the Windows admin team determined this user should no longer use WHfB credentials. To remove the user’s ability to do so, they configured the Intune and/or GPO policy to disable Windows Hello for Business. After refreshing the policy to the user’s computer successfully, they confirmed the PassportforWork registry key was set to disabled as follows:

HKLM\SOFTWARE\Policies\Microsoft\PassportForWork

Enabled REG_DWORD 0x0

The actions performed above will not remove the ability of an already provisioned user from using Windows Hello for Business PIN to sign-in to the Windows computer. To better understand the issue, the following details are provided to clarify the use of policies such as Intune and GPOs in relation to the Windows Hello for Business credential provider.

When either an Intune policy or Windows GPO is configured for a user to enable WHfB, the policy is only enabling the user to enroll for provisioning to use Windows Hello for Business. The provisioning process and authentication process for Windows Hello for Business are two separate components within the Windows Hello for Business feature.

Since the policy only enables the ability for a user to activate the provisioning process to enroll for Windows Hello for Business, the policy becomes irrelevant after the user successfully provisions. Once a user is provisioned, they will be able to continue using the Windows Hello for Business PIN sign-in even when the policy has been set to disabled.

This behavior is expected and by design, which is documented in the following published article: Manage Windows Hello in your organization - Windows Security | Microsoft Learn

However, by setting the policy to disabled, the user no longer has the ability to activate the provisioning process. The remove button under the Windows Hello PIN sign-in option is used to activate provisioning, which would allow the user to un-enroll for Windows Hello for Business. Therefore, the inability to select the remove button is also expected and by design in this configuration.

How will the PIN Sign-in be Removed if Provisioning is Disabled?

To disable Windows Hello for Business in this situation, the Windows Hello container will need to be deleted for the user. To do so, the user will perform the following steps under their user context on each Windows computer they were successfully provisioned prior to the policy being disabled:

Have the user sign-in to the Windows computer using their username and password.
Open a command prompt under the user’s context (not admin) and run the following command:

certutil.exe -deleteHelloContainer

Close the command prompt and restart the computer.

With the policy set to disabled, the user will no longer be able to activate the provisioning process on this or any other Windows computer going forward. We wouldn’t want the user to enroll for Windows Hello for Business again after we removed it, right?

I hope you found this information helpful in your understanding of Windows Hello for Business administration. Until next time.

Brent Crummey

Related Registry Keys

Computer registry - HKLM\SOFTWARE\Policies\Microsoft\PassportForWork

User registry - HKCU\SOFTWARE\Policies\Microsoft\PassportForWork

References

Windows Hello for Business Frequently Asked Questions (FAQ) - Windows Security | Microsoft Learn

certutil | Microsoft Learn