Server 2016 - Publisher Unknown - Certificate Issues - KB5000803


Hi Everyone,


Since the release of KB5000803/KB5000808, we have had our fair share of client issues, mostly pertaining to printers; however, one of our Windows 2016 servers seems to be suffering from a few issues just after this update, which we can't explain. The OS in question is Windows Server 2016, Build 14393.4283.


I noticed when opening Active Directory Users and Computers, I got a red UAC prompt saying "This app has been blocked for your protection", and it mentions the publisher is unknown. The only option it gives is to close the box, so I can't get into ADUC. I then started opening other programs that require elevation, and have the same issue. The only way I can get into the apps is if I open an elevated command prompt, and open the app from there.


We are also getting bluescreens upon every boot "Critical Service Failed" 0x0000005a. The only way we can boot, is to disable driver signing. 


We have attempted to remove the patch, however the process fails and reverts, so we can't get rid of the patch. We have also run through standard troubleshooting including DISM restore health and SFC scans, however nothing helps. It also looks as if system restore is not available, and we can't restore either.


We currently have a case open with Microsoft support, but we're not getting very far at the moment.


Has anyone run into this issue, and have any advice?







5 Replies

Fixing these one-offs is not even worth spending any time or trouble. I'd simply stand up a new one for replacement then decommission / demote the broken one.




Hi Dave,

Thanks for your response. We are currently contemplating this option as well.


best response confirmed by David_Bradette (MVP)

Sounds good, quite simple solution.


I'd use dcdiag / repadmin tools to verify health (correcting all errors found) before starting any operations. Then stand up the new 2016, patch it fully, license it, join existing domain, add Active Directory Domain Services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer PDC emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.
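The replacement sequence described in the reply above, written out as a PowerShell runbook. This is an added example, not part of the original post; the domain name and the server names `DC01` / `DC02` are placeholders, and each numbered step runs on the machine named in its comment.

```powershell
# Placeholders (assumptions, not from the thread). Re-declare in each session.
$Domain = 'corp.example.com'
$NewDC  = 'DC02'   # replacement server: patched, licensed, already domain-joined
$OldDC  = 'DC01'   # server being retired

# 1. On a healthy existing DC: baseline health. Fix every error before going on.
dcdiag /e /c /v /f:"$env:TEMP\dcdiag-before.log"
repadmin /replsummary
# List only replication links that currently report failures.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
                 'Number of Failures', 'Last Failure Status'

# 2. On $NewDC: add the AD DS role and promote it.
#    A new DC becomes a Global Catalog unless -NoGlobalCatalog is passed.
#    The cmdlet prompts for the DSRM password and reboots when finished.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -InstallDns `
    -Credential (Get-Credential)

# 3. On $NewDC after the reboot: see who holds the FSMO roles, then move
#    them (only needed for roles that $OldDC currently holds).
netdom query fsmo
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole `
    PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

# 4. Verify again: the new DC must replicate cleanly and hold the roles.
dcdiag /s:$NewDC /c /v /f:"$env:TEMP\dcdiag-after.log"
repadmin /showrepl $NewDC
netdom query fsmo

# 5. On $OldDC, only once step 4 is clean: demote it.
#    The cmdlet prompts for the new local Administrator password.
Uninstall-ADDSDomainController -Credential (Get-Credential)
```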



Hi Dave,

Thank you for the additional suggestions. We've discussed it internally, and will be proceeding with standing up a new system over the weekend.



Sounds good, you're welcome. It is the much safer / cleaner / quicker solution.