Windows Server for IT Pro topics

SCCM- Upgrade from 2409 to 2509 WSUS timeout issue

cidk2000 — Sat, 06 Jun 2026 17:14:41 GMT

Had a working task sequence on 2409 that performed software updates at the end of the task sequence.

Upgraded to 2509 - I get a timeout issue when getting to that point on the task sequence.

Ive performed maintenance on the WSUS Server, (obsolete, expired etc)

I removed the Software Update Point - and re installed it selected the Products of Server 2016,2019, server operating system 21h2 , Windows 10 1903 or later and Windows 11.

rebooted both the SCCM and SQL Server. after doing the above but the HRESULT 0x80244010 still persists. "Exceeded max server round trips" — client couldn't retrieve all updates in one cycle.

Software centre updates in the OS seem to be unaffected or unknown if clients are affected, only in a task sequence this occurs.

Blog posts refer to older items, what would cause this to fail after a upgrade from 2409 to 2509?

AI help repeats about reducing metadata and updates but for weird reason i keep getting 700+ updates for the above categories!

RDP Client - incorrect keyboard shortcut action in German localization

KnuthKonrad — Fri, 05 Jun 2026 09:30:11 GMT

In the above dialog, when any of the checkbox controls has the focus, ALT+V toggles the state of the checkbox. ALT+V obviously should trigger "Verbinden" (Connect) instead. But not when the dialog first appears, i.e. none of the controls has the focus. Then ALT+V does nothing. As long as any chekbox control has the focus, ALT-V toggles its state. If the command button "Abbrechen" has the focus, ALT-V does nothing, i.e. ALT-V never triggers "Verbinden" except the command button "Verbinden" itself has the focus.

Steps to reproduce:

Start RDP client to connect to a remote machine
Press ALT-Z -> "Zwischenablage" will be checked as expected
Press ALT-Z again -> "Zwischenablage" will be unchecked as expected
After any of the two steps above, press ALT-V -> "Zwischenablage" will be toggled instead of triggering "Verbinden"
Same goes for "WebAuthn".

Depending on the devices on the local machine an the RDP settings for sharing those, their might be more options with checkbox. I suspect those to behave similarly wrong when pressing ALT-V. The OS doesn't seem to make a difference. I see the same behavior on both Windows 11 and Windows Server 2022.

RDP client version:

Windows server 2025 Application Crashing Events

efpan — Thu, 04 Jun 2026 11:39:39 GMT

I have installed a Windows Server 2025 and after starting it in about 30 minutes the following error appears in the Windows application log .

=======================================

Log Name: Application

Source: Application Error

Date: 4/6/2026 1:51:06 μμ

Event ID: 1000

Task Category: Application Crashing Events

Level: Error

Keywords:

User: SERVER\Administrator

Computer: SERVER.efarmacy.internal

Description:

Faulting application name: backgroundTaskHost.exe, version: 10.0.26100.1, time stamp: 0x5bc61463

Faulting module name: biwinrt.dll, version: 10.0.26100.32230, time stamp: 0xb950595a

Exception code: 0xc000027b

Fault offset: 0x0000000000012713

Faulting process id: 0x1964

Faulting application start time: 0x1DCF4100B5B371A

Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe

Faulting module path: C:\Windows\System32\biwinrt.dll

Report Id: a0fa5d15-b026-4d12-a047-d965195ac338

Faulting package full name: MicrosoftWindows.Client.CBS_1000.26100.275.0_x64__cw5n1h2txyewy

Faulting package-relative application ID: Global.Accounts

Event Xml:

<Channel>Application</Channel>

<Computer>SERVER.efarmacy.internal</Computer>

</System>

<Data Name="AppName">backgroundTaskHost.exe</Data>

<Data Name="ModuleName">biwinrt.dll</Data>

<Data Name="AppPath">C:\WINDOWS\system32\backgroundTaskHost.exe</Data>

<Data Name="ModulePath">C:\Windows\System32\biwinrt.dll</Data>

<Data Name="PackageFullName">MicrosoftWindows.Client.CBS_1000.26100.275.0_x64__cw5n1h2txyewy</Data>

<Data Name="PackageRelativeAppId">Global.Accounts</Data>

</EventData>

</Event>

===========================================

I have already done the actions to check the files. The check does not find any problems but the problem continues to appear.

"DISM.exe /Online /Cleanup-image /Restorehealth"

"sfc /scannow".

I would like to know if anyone else has faced this problem and if there is a solution for it.

Thanks in advance .

Remote desktop app hangs when opening a new process

ClayFrie — Mon, 01 Jun 2026 14:42:00 GMT

I have a windows remote desktop server, windows server 2022. We have a few programs we allow access to people published as remote apps. One of the programs exports to Excel by opening excel, creates the workbook/worksheet, but the window does not show and the program hangs waiting for excel to close. The user can't see excel and therefore can't close excel so they are stuck. as an admin, I can connect to the remote desktop server and end task on their excel instance and then they can continue working.

Is there a way to allow the excel window to show when opened by a remote app?

We prefer to only allow our users access to the one app they need to run instead of a desktop.

Creating parent reverse lookup zone when child zones already exist — what happens?

pa5424847 — Tue, 26 May 2026 00:09:52 GMT

We have an AD-integrated DNS environment that has accumulated a large number of reverse lookup zones over time, created without any parent zone — essentially DNS sprawl from years of admins creating individual subnet zones rather than working from a parent.

We currently have approximately 80+ reverse lookup zones including:

Dozens of x.10.in-addr.arpa zones covering various 10.x.x.x subnets
Multiple x.172.in-addr.arpa zones
A handful of others including 100.192.10.in-addr.arpa, 168.192.in-addr.arpa, 204.167.in-addr.arpa, 215.204.167.in-addr.arpa, 135.7.in-addr.arpa

None of these were ever delegated from a parent zone — they were just created independently. The 10.in-addr.arpa zone does not exist.

Domain controllers are a mix of Windows Server 2019 Standard (majority) and Windows Server 2025 Standard.

Our goal is to create 10.in-addr.arpa as the consolidation point going forward — new registrations go there, and we migrate existing child zones into it one at a time, deleting old ones as we go at a pace we're comfortable with.

Before touching anything, we need to understand what creating 10.in-addr.arpa will actually do to the existing child zones.

Specifically:

Will existing records in the child zones be deleted? We've seen the TechNet article documenting records vanishing when creating a child zone under an existing parent — does the same destructive behaviour occur in the reverse direction?
Will auto-delegations be created in the new parent zone pointing to the existing child zones, and if so how quickly?
Will the child zones continue to function normally for queries while the parent exists alongside them?
Will dynamic registration start hitting the parent zone for subnets not covered by an existing child zone, or will something unexpected happen?

We can't test this in a lab as we don't have a replica environment available, and can't risk touching production without understanding the behaviour first. Pointers to any documentation covering this specific scenario would also be appreciated — we've been unable to find anything that addresses creating the parent after the children already exist independently.

Windows Server 2025 DC — LSASS handle leak identified via WinDbg — authz!AuthzpDeQueueThreadWorker

RugAmin1 — Sat, 09 May 2026 00:47:09 GMT

Hello All!! Im having a problem, LSASS crashes on a Windows Server 2025 Domain Controller, I identified what appears to be the root cause using WinDbg memory dump analysis. Sharing this hoping someone else has seen it or Microsoft can confirm.

The Problem

LSASS handle count grows continuously over time and eventually crashes with a 0xC0000005 access violation (Event ID 1015). After a reboot the cycle repeats. The growth rate correlates with authentication load and faster during peak hours, slower overnight.

WinDbg Dump Analysis

Captured LSASS dump at high handle count and ran !handle 0 f:

Token handles: overwhelmingly dominant Everything else: negligible

Every leaked token shows:

GrantedAccess: 0x8 (TOKEN_QUERY only) PointerCount: overflowed to negative integer

Running !findstack authz 2 shows multiple worker threads all sitting in:

authz!AuthzpDeQueueThreadWorker

What Was Tested And Eliminated

Stopped or disabled each individually and measured handle growth rate — zero meaningful difference from any:

- Antivirus (all components) - Backup software - Application services - VSS snapshots - Hardware management agents etc..

Environment

OS: Windows Server 2025, fully patched with the latest updates including April LSASS update. Role: Domain Controller DNS PAM: Not active.

Conclusion

Token handles are opened with TOKEN_QUERY access inside authz!AuthzpDeQueueThreadWorker and never released. Reference counter overflows to negative integer. Growth rate scales directly with authentication load.

Current workaround: reboots during off hours.

Has anyone else seen this pattern on Windows Server 2025? Is there a known fix or Microsoft acknowledgment for this specific authz token handle leak?

Windows Server 2025 update with error 0x80073712

madurantia — Thu, 30 Apr 2026 19:46:44 GMT

Hello

Can I have some help?

Windows Server 2025 Std, V 24H2, OS build: 26100.32522

The 2026-04 Security Update (KB5082063) (26100.32690) fails with the following error:

Installation failed: Windows failed to install the following update with error 0x80073712: 2026-04 Security Update (KB5082063) (26100.32690).

Thanks in advance

MadUrantia

AD Replication Error 1908 (Source DSA)

M_i_g_u_e_l — Thu, 23 Apr 2026 14:28:27 GMT

Hi all,

I’m troubleshooting an Active Directory replication issue (error 1908 – “Could not find the domain controller”) in a multi-site environment with 16 domain controllers across multiple locations.

The problematic Domain Controller (Site A-DC) is displaying a 6% failure in the replication summary with the 1908 error code in the Source DSA but the Destination DSA do not display any errors. If I replsummary in other DCs, I will see the same result. However, If I run the showrepl command, the result displays all successful replications with no errors.

A-DC is used as a replication path and holds the FSMOs roles (Site A is the main DC) and I believe it is also affecting DFSR replication from Site A-FS server to the other file servers. A-FS uses A-DC as its logon server.

The below is what I have verified:

I have verified that forward and reversed lookup zones have the correct DNS records (Checked SRV records _ldap._tcp.dc._msdcs, _kerberos._tcp, and IP addresses)
All the DCs resolve correctly A and PTR records
nltest /dsgetdc:domain.com successfully returns domain controller
Confirmed Secure channel to be true in A-FS
Verified KDC is running in A-DC (I have not trying purging the KDC tickets yet but doubt this will resolve the issue)

Troubleshooting performed:

flushed/re-registered DNS
Restarted netlogon services
Time sync wouldn't have a play here since all the other DCs are syncing with A-DC.

Any guidance or similar experiences would be greatly appreciated.

Miguel

Windows Server 2025 - Cannot Pin Tools and Apps on Start Menu

Kayyum M — Sun, 19 Apr 2026 10:41:32 GMT

I am evaluating Windows Server 2025, Version 24H2 (OS Build 26100.32690)

I am unable to pin Admin Tools or any other app on Start Menu.

Taskbar pinning works well but not the Start Menu.

Anyone experiencing the same ?

sign RDP file with timestamp

mkrummenacher — Fri, 17 Apr 2026 10:02:37 GMT

Hi,

after installing the April 2026 update, our customers experience warning messages when using RDP files to connect to their servers hosted by us.

We need to sign the RDP files. But we need to include a timestamp, so the signature stays valid after certificate expiration.

rdpsign.exe does not support timestamping. Set-AuthenticodeSignature is unable to access the private key of our code signing certificate which is stored on a HSM. signtool.exe does not support RDP files.

What is the recommended procedure in this case?

Thank you!

Domain users not able to logon with their password event though it has not been changed....

StoreThomas — Thu, 16 Apr 2026 10:04:06 GMT

Hi, we have this weird problem where some of the users suddenly can't login to their computer with the password they have used for almost 20 years (yes sorry, bad practise).

When the user reports it I check that I can logon to the computer with my own account (not 20 year old password) which works fine. I check the event log for problems both on the client and the DC and all I see is see which I can relate to the problem is event id 4625 with an error code which means bad password.

I check the AD account and see that pwdLastSet has a date in 2006 (not quite 20 years, but close) and I check that the account is not logged out or expired. Also make sure that the password never expires is enabled, so in my book these are all the checks needed and problem not solved.

I then change the password to the same password that the user has had for almost 20 years and problem solved, but problem source not found.

This has happend to 3-4 users within the last week or two, even a service user with domain admin permissions, only thing I pay note to that they have in common is the pwdLastSet in 2006, but I really can't seem to get my head around this being the issue. Also only other thing I can think of that has changed is that the old DC has been removed a few months ago, and a new 2025 DC has been introduced. promote/demote went without issues and this problem didn't surface before now several weeks after the DC change.

So if anyone has experienced something similar or perhaps can point me in a direction for further troubleshooting please let me know.

Thansk

Thomas

Phase 2 of Kerberos RC4 hardening begins with the April 2026 Windows security update

ChrisWright — Wed, 15 Apr 2026 18:42:48 GMT

Windows updates released in April 2026 and later begin the second deployment phase of protections designed to address a Kerberos information disclosure vulnerability (CVE‑2026‑20833). This second phase continues the shift away from legacy encryption types such as RC4 by moving toward stronger default ticket behavior. After installing the April 2026 update, domain controllers default to supporting Advanced Encryption Standard (AES‑SHA1) encrypted tickets for accounts that do not have an explicit Kerberos encryption type configuration.

If your organization relies on service accounts or applications that depend on RC4-based Kerberos service tickets, now is the time to address those dependencies to avoid authentication issues before the Enforcement phase begins in July 2026. Microsoft recommends continuing to monitor the System event log for Kerberos-related audit events and identify and address misconfigurations or remaining dependencies, then enabling enforcement when warning, blocking, or policy events are no longer logged.

See How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833 and CVE‑2026‑20833 to learn more about the vulnerability, timelines, recommended preparation steps, and configuration options to ensure compliance before Enforcement mode begins in July 2026.

2026-04 Update Breaks Domain Logins

EMR88 — Wed, 15 Apr 2026 04:37:18 GMT

I have an Active Directory domain that is old (from 2000!) that has been upgraded and moved to newer versions of Windows Server and Active Directory. I have domain controller VMs running Windows Server 2025 Standard Edition. Unfortunately they installed the latest 2026-04 patches which my have changed the Kerberos encryption from RC4 to AES. This has resulted in my not being able to log into any Active Directory domain accounts and the domain controllers themselves. I can only log into workstations using the local account.

Suffice to say this a nightmare. Any ideas how to fix it since I can't access the usual tools like Active Directory Users and Computers, Hyper-V won't connect to the VMs, etc. Thanks.

Procedures to raise the functional level of AD 2008 r2 to 2019

Marcelo327 — Tue, 14 Apr 2026 13:06:02 GMT

Hello everyone,

Our AD has the Windows Server 2008 functional level and the servers with Windows Server 2016 OS. I intend to raise the functional level to 2019 or 2025. I would like your help with tips and documentation to decide whether 2019 or 2025 would be best, what are the risks and procedures for successful migration. I have an isolated environment to carry out rehearsals and tests before actually going into production.

Virtual printer in windows server 2019 standard is not shown after configuration

AnaRuiz1 — Tue, 14 Apr 2026 08:55:18 GMT

Hello,

I am, trying to configure a virtual printer in a Windows server 2019 standard edition that is deployed in OCI cloud. This instance has windows server license included in the pricing. The problem comes when after ending the process of configuration this virtual printer is not displayed in "Devices and printers" any idea why is this happening?

Regards,

Ana

Error al agregar Windows Server 2025 a dominio existente, nivel funcional 2016

HugoPerez — Sat, 11 Apr 2026 19:23:48 GMT

Buenas a todos,

Me dirijo a esta comunidad en busca de orientación para resolver un problema que se me está presentando al intentar integrar un nuevo servidor con Windows Server 2025 Standard a mi infraestructura de Active Directory existente.

Descripción del entorno:

Dominio de Active Directory activo con Windows Server 2019 Standard.
Nivel funcional de dominio y bosque configurado en Windows Server 2016.
Controladores de dominio actuales: server-dc01.impresoratec y server-ad2019.impresoratec.
El nombre de dominio interno utilizado es impresoratec (nombre NetBIOS/dominio de etiqueta única, sin sufijo DNS completo tipo .local o .com).

Problema:

Al intentar agregar el nuevo servidor con Windows Server 2025 al dominio, el proceso falla y se presenta el siguiente mensaje de error:

"Es posible que el nombre de dominio "impresoratec" sea un nombre de dominio NetBIOS. Si este es el caso, compruebe que el nombre de dominio está registrado correctamente con WINS. [...] La consulta se refería al registro SRV para _ldap._tcp.dc._msdcs.impresoratec. La consulta identificó los siguientes controladores de dominio: server-dc01.impresoratec y server-ad2019.impresoratec. Sin embargo, no se pudo contactar con ningún controlador de dominio."

El mensaje sugiere que los registros de host (A) o (AAAA) pueden contener direcciones IP incorrectas o que los controladores de dominio no son accesibles desde el nuevo servidor.

Lo que he verificado hasta ahora:

Los controladores de dominio existentes están en línea y operativos.
La replicación entre los DCs actuales funciona con normalidad.
El nuevo servidor con 2025 tiene conectividad de red general, pero no logra localizar los DCs al momento de unirse al dominio.

Mi consulta:

¿Alguien ha experimentado este comportamiento al incorporar un servidor con Windows Server 2025 a un dominio con nivel funcional 2016 y un nombre de dominio de etiqueta única (single-label domain)? ¿Existe algún requisito previo adicional —como la actualización del esquema de AD, ajustes en DNS o en WINS— que deba cumplirse antes de agregar el nuevo DC?

Agradezco de antemano cualquier orientación o experiencia que puedan compartir.

Side-by-side Upgrade: Server 2012 R2 Foundation to Server 2025 Essentials

V3N7UR4 — Thu, 09 Apr 2026 11:29:07 GMT

Hello everyone!

Is a side-by-side upgrade from Server 2012 R2 Foundation (DC) to Server 2025 Essentials (DC) allowed?

Is there a guide to follow?

Thank you in advance.

RDP logs in locally

justletmelogin50 — Wed, 01 Apr 2026 06:19:34 GMT

Hi all,

Have a Windows 2022 21H2 server, VM on vSphere.

When attempting to RDP to it, I briefly see the desktop before getitng the error - you have been disconnected because another connection was made to the remote computer.

I note that when viewing the server in vCentre, the 'local' desktop logs in when an RDP connection is attempted. This must then be kicking the RDP session. At the moment the only way to manage it is via vCentre which isn't ideal.

Is there a setting somewhere to prevent this from happening?

cheers

ntoskrnl.exe and build version not getting updated after applying KB5078740 on server 2025

aahmed28 — Tue, 31 Mar 2026 17:28:36 GMT

I have installed the latest March patch kb5078740 on server 2025 which was upgraded from server 2022. the patch is showing installed but the ntoskrnl.exe and build version is still showing 10.0.26100.4652. Qualys is detecting it as patch not installed based on file version which should be 10.0.21600.32522. Please let me know how to fix this issue.

RDS Licensing for administrators

MasPAN74 — Wed, 25 Mar 2026 16:22:49 GMT

Hello,

We are planning to acquire 10 RDS User licenses, and I would like to clarify the following points:

Will access be limited to 10 simultaneous rdp session, or can administrators still access the server normally via RDP?

Do administrators connecting using mstsc /admin require an RDS license, or is this access exempt?

In the past (Windows Server 2016), I recall that exceeding the number of licenses allowed temporary RDP sessions. Could you confirm if this behavior is still the same?

Thank you in advance for your clarification.