Windows Server for IT Pro topics

Windows Server 2025 - Cannot Pin Tools and Apps on Start Menu

Kayyum M — Sun, 19 Apr 2026 10:41:32 GMT

I am evaluating Windows Server 2025, Version 24H2 (OS Build 26100.32690)

I am unable to pin Admin Tools or any other app on Start Menu.

Taskbar pinning works well but not the Start Menu.

Anyone experiencing the same ?

sign RDP file with timestamp

mkrummenacher — Fri, 17 Apr 2026 10:02:37 GMT

Hi,

after installing the April 2026 update, our customers experience warning messages when using RDP files to connect to their servers hosted by us.

We need to sign the RDP files. But we need to include a timestamp, so the signature stays valid after certificate expiration.

rdpsign.exe does not support timestamping. Set-AuthenticodeSignature is unable to access the private key of our code signing certificate which is stored on a HSM. signtool.exe does not support RDP files.

What is the recommended procedure in this case?

Thank you!

Domain users not able to logon with their password event though it has not been changed....

StoreThomas — Thu, 16 Apr 2026 10:04:06 GMT

Hi, we have this weird problem where some of the users suddenly can't login to their computer with the password they have used for almost 20 years (yes sorry, bad practise).

When the user reports it I check that I can logon to the computer with my own account (not 20 year old password) which works fine. I check the event log for problems both on the client and the DC and all I see is see which I can relate to the problem is event id 4625 with an error code which means bad password.

I check the AD account and see that pwdLastSet has a date in 2006 (not quite 20 years, but close) and I check that the account is not logged out or expired. Also make sure that the password never expires is enabled, so in my book these are all the checks needed and problem not solved.

I then change the password to the same password that the user has had for almost 20 years and problem solved, but problem source not found.

This has happend to 3-4 users within the last week or two, even a service user with domain admin permissions, only thing I pay note to that they have in common is the pwdLastSet in 2006, but I really can't seem to get my head around this being the issue. Also only other thing I can think of that has changed is that the old DC has been removed a few months ago, and a new 2025 DC has been introduced. promote/demote went without issues and this problem didn't surface before now several weeks after the DC change.

So if anyone has experienced something similar or perhaps can point me in a direction for further troubleshooting please let me know.

Thansk

Thomas

Phase 2 of Kerberos RC4 hardening begins with the April 2026 Windows security update

ChrisWright — Wed, 15 Apr 2026 18:42:48 GMT

Windows updates released in April 2026 and later begin the second deployment phase of protections designed to address a Kerberos information disclosure vulnerability (CVE‑2026‑20833). This second phase continues the shift away from legacy encryption types such as RC4 by moving toward stronger default ticket behavior. After installing the April 2026 update, domain controllers default to supporting Advanced Encryption Standard (AES‑SHA1) encrypted tickets for accounts that do not have an explicit Kerberos encryption type configuration.

If your organization relies on service accounts or applications that depend on RC4-based Kerberos service tickets, now is the time to address those dependencies to avoid authentication issues before the Enforcement phase begins in July 2026. Microsoft recommends continuing to monitor the System event log for Kerberos-related audit events and identify and address misconfigurations or remaining dependencies, then enabling enforcement when warning, blocking, or policy events are no longer logged.

See How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833 and CVE‑2026‑20833 to learn more about the vulnerability, timelines, recommended preparation steps, and configuration options to ensure compliance before Enforcement mode begins in July 2026.

2026-04 Update Breaks Domain Logins

EMR88 — Wed, 15 Apr 2026 04:37:18 GMT

I have an Active Directory domain that is old (from 2000!) that has been upgraded and moved to newer versions of Windows Server and Active Directory. I have domain controller VMs running Windows Server 2025 Standard Edition. Unfortunately they installed the latest 2026-04 patches which my have changed the Kerberos encryption from RC4 to AES. This has resulted in my not being able to log into any Active Directory domain accounts and the domain controllers themselves. I can only log into workstations using the local account.

Suffice to say this a nightmare. Any ideas how to fix it since I can't access the usual tools like Active Directory Users and Computers, Hyper-V won't connect to the VMs, etc. Thanks.

Procedures to raise the functional level of AD 2008 r2 to 2019

Marcelo327 — Tue, 14 Apr 2026 13:06:02 GMT

Hello everyone,

Our AD has the Windows Server 2008 functional level and the servers with Windows Server 2016 OS. I intend to raise the functional level to 2019 or 2025. I would like your help with tips and documentation to decide whether 2019 or 2025 would be best, what are the risks and procedures for successful migration. I have an isolated environment to carry out rehearsals and tests before actually going into production.

Virtual printer in windows server 2019 standard is not shown after configuration

AnaRuiz1 — Tue, 14 Apr 2026 08:55:18 GMT

Hello,

I am, trying to configure a virtual printer in a Windows server 2019 standard edition that is deployed in OCI cloud. This instance has windows server license included in the pricing. The problem comes when after ending the process of configuration this virtual printer is not displayed in "Devices and printers" any idea why is this happening?

Regards,

Ana

Error al agregar Windows Server 2025 a dominio existente, nivel funcional 2016

HugoPerez — Sat, 11 Apr 2026 19:23:48 GMT

Buenas a todos,

Me dirijo a esta comunidad en busca de orientación para resolver un problema que se me está presentando al intentar integrar un nuevo servidor con Windows Server 2025 Standard a mi infraestructura de Active Directory existente.

Descripción del entorno:

Dominio de Active Directory activo con Windows Server 2019 Standard.
Nivel funcional de dominio y bosque configurado en Windows Server 2016.
Controladores de dominio actuales: server-dc01.impresoratec y server-ad2019.impresoratec.
El nombre de dominio interno utilizado es impresoratec (nombre NetBIOS/dominio de etiqueta única, sin sufijo DNS completo tipo .local o .com).

Problema:

Al intentar agregar el nuevo servidor con Windows Server 2025 al dominio, el proceso falla y se presenta el siguiente mensaje de error:

"Es posible que el nombre de dominio "impresoratec" sea un nombre de dominio NetBIOS. Si este es el caso, compruebe que el nombre de dominio está registrado correctamente con WINS. [...] La consulta se refería al registro SRV para _ldap._tcp.dc._msdcs.impresoratec. La consulta identificó los siguientes controladores de dominio: server-dc01.impresoratec y server-ad2019.impresoratec. Sin embargo, no se pudo contactar con ningún controlador de dominio."

El mensaje sugiere que los registros de host (A) o (AAAA) pueden contener direcciones IP incorrectas o que los controladores de dominio no son accesibles desde el nuevo servidor.

Lo que he verificado hasta ahora:

Los controladores de dominio existentes están en línea y operativos.
La replicación entre los DCs actuales funciona con normalidad.
El nuevo servidor con 2025 tiene conectividad de red general, pero no logra localizar los DCs al momento de unirse al dominio.

Mi consulta:

¿Alguien ha experimentado este comportamiento al incorporar un servidor con Windows Server 2025 a un dominio con nivel funcional 2016 y un nombre de dominio de etiqueta única (single-label domain)? ¿Existe algún requisito previo adicional —como la actualización del esquema de AD, ajustes en DNS o en WINS— que deba cumplirse antes de agregar el nuevo DC?

Agradezco de antemano cualquier orientación o experiencia que puedan compartir.

Side-by-side Upgrade: Server 2012 R2 Foundation to Server 2025 Essentials

V3N7UR4 — Thu, 09 Apr 2026 11:29:07 GMT

Hello everyone!

Is a side-by-side upgrade from Server 2012 R2 Foundation (DC) to Server 2025 Essentials (DC) allowed?

Is there a guide to follow?

Thank you in advance.

RDP logs in locally

justletmelogin50 — Wed, 01 Apr 2026 06:19:34 GMT

Hi all,

Have a Windows 2022 21H2 server, VM on vSphere.

When attempting to RDP to it, I briefly see the desktop before getitng the error - you have been disconnected because another connection was made to the remote computer.

I note that when viewing the server in vCentre, the 'local' desktop logs in when an RDP connection is attempted. This must then be kicking the RDP session. At the moment the only way to manage it is via vCentre which isn't ideal.

Is there a setting somewhere to prevent this from happening?

cheers

ntoskrnl.exe and build version not getting updated after applying KB5078740 on server 2025

aahmed28 — Tue, 31 Mar 2026 17:28:36 GMT

I have installed the latest March patch kb5078740 on server 2025 which was upgraded from server 2022. the patch is showing installed but the ntoskrnl.exe and build version is still showing 10.0.26100.4652. Qualys is detecting it as patch not installed based on file version which should be 10.0.21600.32522. Please let me know how to fix this issue.

RDS Licensing for administrators

MasPAN74 — Wed, 25 Mar 2026 16:22:49 GMT

Hello,

We are planning to acquire 10 RDS User licenses, and I would like to clarify the following points:

Will access be limited to 10 simultaneous rdp session, or can administrators still access the server normally via RDP?

Do administrators connecting using mstsc /admin require an RDS license, or is this access exempt?

In the past (Windows Server 2016), I recall that exceeding the number of licenses allowed temporary RDP sessions. Could you confirm if this behavior is still the same?

Thank you in advance for your clarification.

VMWARE ESXi and Winddows VM Licenses

nunoabsilva — Wed, 25 Mar 2026 16:18:13 GMT

We have one VMware environment with 3 servers each with 2 CPUs, to be properly legal he acquired 6 Windows Server Datacenter Edition licenses, what happens is that when he is trying to activate the VMs that are in Windows Server Standard he gets the error that you see in the image.

Licensing was carried out correctly as described in the Windows Server 2025 License Guide, in summary: all CPUs and Cores) in the virtualization cluster were licensed.

can anyone advise the right way to use the Datacentre License in ESXi environment?

thanks in advanced

dcdiag crash with incorrect /s parameter

Nolme — Wed, 25 Mar 2026 15:59:37 GMT

Hello,

I find a mistake in my script which cause DCDiag to crash :

dcdiag /v /c /d /e /s:%computername% > C:\Temp\dcdiag.txt

%computername% is the mistake. I replaced it by the real server name.

Seems like input it not enough checked.

Vincent

Problem in Windows Server 2022

anoriega74 — Mon, 23 Mar 2026 22:35:27 GMT

Hello, I need help with the following: I had the video application installed and working on a VPS with Windows Server 2022, and suddenly it stopped working. It won't start, and it doesn't show any errors or events that I can analyze in the viewer. Does anyone have any idea what might be happening? I've already tried many AI recommendations, from uninstalling and reinstalling an older version of the application to uninstalling the latest server update, among other things. I also tried installing it on another VPS, and it shows the same problem.

Bookmark the Secure Boot playbook for Windows Server

Mabel_Gomes — Wed, 11 Mar 2026 00:29:14 GMT

Secure Boot is a long‑standing security capability that works in conjunction with the Unified Extensible Firmware Interface (UEFI) to confirm that firmware and boot components are trusted before they are allowed to run. Microsoft is updating the Secure Boot certificates originally issued in 2011 to ensure Windows devices continue to verify trusted boot software. These older certificates begin expiring in June 2026.

While Windows Server 2025 certified server platforms already include the 2023 certificates in firmware. For servers that do not, you will need to manually update the certificates. Unlike Windows PCs, which may receive the 2023 Secure Boot certificates through Controlled Feature Rollout (CFR) as part of the monthly update process, Windows Server requires manual action.

Luckily, there is a step=by-step guide to help! With the Secure Boot Playbook for Windows Server, you'll find information on the tools and options available to help you update Secure Boot certificates on Windows Server. Check it out today!

CrowdStrike Secure Boot Lifecycle Management Content Pack

Mabel_Gomes — Mon, 09 Mar 2026 22:51:07 GMT

CrowdStrike has recently released the Secure Boot Lifecycle Management Content Pack. This new feature helps Falcon for IT module users manage Windows Secure Boot certificate updates ahead of these certificates’ expiration beginning in late June 2026.

The dashboard provides an at‑a‑glance view of Secure Boot–enabled devices, showing which systems are already compliant with the updated 2023 Secure Boot certificate, which are in progress, and which are blocked or require opt‑in to a managed rollout. It also highlights certificate update failures that may require investigation.

In addition, overall readiness is summarized through a compliance gauge, while a 30‑day trend shows how pass and fail counts change as remediation progresses. Filters by operating system, server edition, hostname, and update status help administrators quickly identify devices that need action to help ensure systems remain secure after the certificates expire.

The feature also provides management options to opt devices into Microsoft's managed rollout for gradual, tested deployment, and to block updates on hardware with known compatibility issues to prevent boot failures.

Note that this feature is available as part of CrowdStrike's Falcon for IT module. CrowdStrike Endpoint Detection and Response (EDR) customers who are not licensed for this module can enable a free trial from the CrowdStrike Store. To learn more about this feature, please see the content pack tutorial video.

PS script for moving clustered VMs to another node

pabloh11 — Mon, 09 Mar 2026 16:39:17 GMT

Windows Server 2022, Hyper-V, Failover cluster
We have a Hyper-V cluster where the hosts reboot once a month. If the host being rebooted has any number of VMs running on it the reboot can take hours. I've proven this by manually moving VM roles off of the host prior to reboot and the host reboots in less than an hour, usually around 15 minutes.

Does anyone know of a powershell script that will detect clustered VMs running on the host and move them to another host within the cluster? I'd rather not reinvent this if someone's already done it.

CSV Auto-Pause on Windows Server 2025 Hyper-V Cluster

BadgerMD974 — Thu, 26 Feb 2026 11:32:17 GMT

Hi everyone, i'm facing a very strange behavior with a newly created HyperV Clsuter running on Windows Server 2025. One of the two nodes keep calling for autopause on the CSV during the I/O peak. Does anyone have experienced this ?

Here are the details :

Environment

Cluster: 2-node Failover Cluster

Nodes: HV1 & HV2 (HPE ProLiant DL360 Gen11)

OS: Windows Server 2025 Datacenter, Build 26100.32370 (KB5075899 installed Feb 21, 2026)

Storage: HPE MSA 2070 full SSD, iSCSI point-to-point (4×25 Gbps per node, 4 MPIO paths)

CSV: Single volume "Clsuter Disk 2" (~14 TB, NTFS, CSVFS_NTFS)

Quorum: Disk Witness (Node and Disk Majority)

Networking: 4×10 Gbps NIC Teaming for management/cluster/VMs traffic, dedicated iSCSI NICs

Problem Description

The cluster experiences CSV auto-pause events daily during a peak I/O period (~10:00-11:30), caused by database VMs generating ~600-800 MB/s (not that much). The auto-pause is triggered by HV2's CsvFs driver, even though HV2 hosts no VMs. All VMs run on HV1, which is the CSV coordinator/owner.

Comparative Testing (Feb 23-26, 2026)

Date	HV2 Status	Event 5120	SMB Slowdowns (1054)	Auto-pause Cycles	VM Impact
Feb 23	Active	1	44	1 cycle (237ms recovery)	None
Feb 24	Active	0	8	0	None
Feb 25	Drained (still in cluster)	4	~60 (86,400,000ms max!)	3 cascade cycles	Severe - all VMs affected
Feb 26	Powered off	0	0	0	None

Key finding: Draining HV2 does NOT prevent the issue. Only fully powering off HV2 eliminates all auto-pause events and SMB slowdowns during the I/O peak.

Root Cause Analysis

1. CsvFs Driver on HV2 Maintains Persistent SMB Sessions to CSV

SMB Client Connectivity log (Event 30833) on HV2 shows ~130 new SMB connections per hour to the CSV share, continuously, constant since boot:

Share: \\xxxx::xxx:xxx:xxx:xxx\xxxxxxxx-...-xxxxxxx$ (HV1 cluster virtual adapter)

All connections from PID 4 (System/kernel) — CsvFs driver

5,649 connections in 43.6 hours = ~130/hour

Each connection has a different Session ID (not persistent)

This behavior continues even when HV2 is drained

2. HV2 Opens Handles on ALL VM Files

During the I/O peak on Feb 25, SMB Server Operational log (Event 1054) on HV1 showed HV2 blocking on files from every VM directory, including powered-off VMs and templates:

.vmgs, .VMRS, .vmcx, .xml — VM configuration and state files

.rct, .mrt — RCT/CBT tracking files

Affected VMs: almost all

Also affected: powered-off VMs

And templates: winsrv2025-template

3. Catastrophic Block Durations

On Feb 25 (HV2 drained but still in cluster):

Operations blocked for 86,400,000 ms (exactly 24 hours) — handles accumulated since previous day

These all expired simultaneously at 10:13:52, triggering cascade auto-pause

Post-autopause: big VM freeze/lag for additional 2,324 seconds (39 minutes)

On Feb 24 (HV2 active):

Operations blocked for 1,150,968 ms (19 minutes) on one of the VM files

Despite this extreme duration, no auto-pause was triggered that day

4. Auto-pause Trigger Mechanism

HV2 Diagnostic log at auto-pause time:

CsvFs Listener: CsvFsVolumeStateChangeFromIO->CsvFsVolumeStateDraining, status 0xc0000001 OnVolumeEventFromCsvFs: reported VolumeEventAutopause to node 1

Error status 0xc0000001 (STATUS_UNSUCCESSFUL) on I/O operation from HV2

CsvFsVolumeStateChangeFromIO = I/O failure triggered the auto-pause

HV2 has no VMs running — this is purely CsvFs metadata/redirected access

5. SMB Connection Loss During Auto-pause

SMB Client Connectivity on HV2 at auto-pause time:

Event 30807: Share connection lost - "Le nom réseau a été supprimé" Event 30808: Share connection re-established

What Has Been Done

KB5075899 installed (Feb 21) — Maybe improved recovery from multi-cycle loop to single cycle a little, but did not prevent the auto-pause

Disabled ms_server binding on iSCSI NICs (both nodes)

Tuned MPIO: PathVerification Enabled, PDORemovePeriod 120, RetryCount 6, DiskTimeout 100

Drained HV2 — no effect

Powered off HV2 — Completely eliminated the problem

I'm currently running mad with this problem, i've deployed a lot of HyperV clusters and it's the first time i'm experiencing such a strange behavior, the only workaround i found is to take the second nodes off to be sure he is not putting locks on CSV files. The cluster is only running well with one node turned on.

Why does the CsvFs driver on a non-coordinator node (HV2) maintain ~130 new SMB connections per hour to the CSV, even when it hosts no VMs and is drained?Why do these connections block for up to 24 hours during I/O peaks on the coordinator node?

Why does draining the node not prevent CsvFs from accessing the CSV?

Is this a known issue with the CsvFs driver in Windows Server 2025 Build 26100.32370?

Are there any registry parameters to limit or disable CsvFs metadata scanning on non-coordinator nodes ?

If someone sees somthing that i am missing i would be so grateful !

Have a great day.

WMI Filter for non-Hyper-V Host

PepeLePew — Sat, 21 Feb 2026 19:24:03 GMT

I have been struggling for several days trying to set a GPO WMI Filter that would apply settings to any server, virtual or physical, as long as it is not the Hyper-V Host. It should apply to any VM on VMWare or on Hyper-V hypervisors.

I found many suggestions online but none of them really work, like looking for Hypervisorpresent, that is also set to TRUE on VMs so no help. I have many ways to find and apply to an Hyper-V but EXCLUDING Hyper-Vs seems to be a tough one, the WMI filters are designed to find something and apply if it finds it, not the opposite. I have tried queries on the OptionalFeatures class, again it helps me find the Hyper-V but not EXCLUDE it.

Anyone have an idea about doing this.

BTW, this is to apply a setting only to non-Hyper-V and ignore if it is an Hyper-V. I am also trying to avoid blocking GPOs at a specific OU and re-linking all but 1 GPO from that level, I have to assume that there is a way to target all servers except Hyper-V.

Hopefully someone has succeeded in doing the same.

Thank you