Resolved issues in Windows Server 2025

Find information on recently resolved issues for Windows Server 2025. To find a specific issue, use the search function on your browser (CTRL + F for Microsoft Edge). For immediate help with Windows update issues, click here if you are using a Windows device to open the Get Help app or go to support.microsoft.com. Follow @WindowsUpdate on X for Windows release health updates. If you are an IT administrator and want to programmatically get information from this page, use the Windows Updates API in Microsoft Graph.

Resolved issues

Issue details

October 2025

Smartcard authentication issues might occur with the October 2025 Windows update

Smart card authentication and other certificate operations might intentionally fail after installing Windows Updates released on or after October 14, 2025 (KB5066835) that contain protections for the security vulnerability, CVE-2024-30098. As part of this cryptography improvement, RSA-based smart card certificates are required to use KSP (Key Storage Provider) instead of CSP (Cryptographic Service Provider).

Common symptoms for certificates that use CSP include:

• ​Smart cards not being recognized as CSP providers (Cryptographic Service Provider) in 32-bit applications
• ​Inability to sign documents
• ​Failures in applications relying on certificate-based authentication
• ​Users might observe error messages such as "invalid provider type specified" and "CryptAcquireCertificatePrivateKey error."

You can detect if your smart card will be affected by this security enforcement if, prior to installing the October 2025 Windows security update (KB5066835), the System log contains Smart Card Service or Microsoft-Windows-Smartcard-Server Event ID: 624 with the message text: "Audit: This system is using CAPI for RSA cryptography operations. Please refer to the following link for more detail: https://go.microsoft.com/fwlink/?linkid=2300823."

Resolution:

For a permanent resolution, developers should update their authenticating app to perform Key Storage Retrieval using Key Storage API documented at Key Storage and Retrieval. Developers should complete this change before Windows updates released in April 2026, at which time the DisableCapiOverrideForRSA workaround listed below is planned to be removed.

Workaround:

If you encounter this issue, you can temporarily resolve it by setting the DisableCapiOverrideForRSA registry key value to 0. This is documented in CVE-2024-30098. Detailed steps to modify the registry key are listed below. Note: This option will be removed in Windows updates, planned for release in April 2026.

Steps to Modify the Registry

⚠️ Important: Editing the registry incorrectly can cause system issues. Always back up the registry before making changes.

1. Open Registry Editor.

• ​Press Win + R, type regedit, and press Enter.
• ​If prompted by User Account Control, click Yes.

2. Navigate to the subkey.

• ​Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais

3. Edit the key and set the value.

• ​Inside Calais, check if key DisableCapiOverrideForRSA exists
• ​Double-click DisableCapiOverrideForRSA.
• ​In Value date, enter: 0

Note: The DisableCapiOverrideForRSA registry setting is NOT added by the default OS install or the installation of Windows Updates and must be manually added on each device.

4. Close and restart.

• ​Close Registry Editor.
• ​Restart the computer for changes to take effect.

Affected platforms:

• ​Client: Windows 11, version 25H2; Windows 11, version 24H2; Windows 11, version 23H2; Windows 11, version 22H2; Windows 10, version 22H2
• ​Server: Windows Server 2025; Windows Server 23H2; Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2

USB mouse and keyboard not working in the Windows Recovery Environment (WinRE)

After installing the Windows security update released on October 14, 2025 (KB5066835), USB devices, such as keyboards and mice, do not function in the Windows Recovery Environment (WinRE). This issue prevents navigation of any of the recovery options within WinRE. Note that the USB devices continue to work normally within the Windows operating system.

Resolution: This issue was resolved by the Windows out-of-band update, released October 20, 2025 (KB5070773), which is available via the Microsoft Update Catalog, and updates released after that date. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.

Workaround: If your device is impacted by this issue and is unable to boot to Windows to install the latest Windows update, you can work around this issue using one of the following methods:

• ​If your PC has a touchscreen, you can use the touchscreen's touch keyboard to navigate within WinRE.
• ​If your PC has a PS/2 port, you can use a PS/2 keyboard or mouse to navigate within WinRE.
• ​If you had previously created a USB recovery drive, you can boot your computer from the recovery drive. This will take you directly to WinRE with restored USB functionality.
• ​OEMs and enterprises can use the Preboot Execution Environment (PXE) in Configuration Manager, or can deploy push-button reset features using the Windows Assessment and Deployment Kit (Windows ADK) and Windows Preinstallation Environment (WinPE) add-on to recover affected devices.

Affected platforms:

• ​Client: Windows 11, version 25H2; Windows 11, version 24H2
• ​Server: Windows Server 2025

September 2025

Non-admins might receive unexpected UAC prompts when doing MSI repair operations

A security improvement was included in the August 2025 Windows security update (KB5063878) and later updates to enforce the requirement that User Account Control (UAC) prompt for administrator credentials when performing Windows Installer (MSI) repair and related operations. This improvement addressed security vulnerability CVE-2025-50173.

As a result, after installing the August 2025 Windows security update and later updates, UAC prompts for administrator rights can appear for standard users in the following scenarios:

• ​Running MSI repair commands (such as msiexec /fu).
• ​Launching Autodesk applications, including some versions of AutoCAD, Civil 3D and Inventor CAM, or when installing an MSI file after a user signs into the app for the first time.
• ​Installing applications that configure themselves per user.
• ​Running Windows Installer during Active Setup.
• ​Deploying packages via Manager Configuration Manager (ConfigMgr) that rely on user-specific "advertising" configurations.
• ​Enabling Secure Desktop.

If a standard user runs an app that initiates an MSI repair operation without displaying UI, it will fail with an error message. For example, installing and running Office Professional Plus 2010 as a standard user will fail with Error 1730 during the configuration process.

Resolution:

After installing the September 2025 Windows security update (KB5065426) or later updates, UAC prompts will only be required during MSI repair operations if the target MSI file contains an elevated custom action. 

Since UAC prompts will still be required for apps that perform custom actions, after installing this update, IT admins will have access to a workaround to disable UAC prompts for specific apps by adding MSI files to an allowlist. For details, see the KB article: Unexpected UAC prompts when running MSI repair operations after installing the August 2025 Windows security update.

A Group Policy had previously been made available from Microsoft’s Support for business using Known Issue Rollback (KIR) to work around this issue. Organizations no longer need to install and configure this Group Policy to address this issue.

Affected platforms:

• ​Client: Windows 11, version 24H2; Windows 11, version 23H2; Windows 11, version 22H2; Windows 10, version 22H2; Windows 10, version 21H2; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB

• ​Server: Windows Server 2025; Windows Server 2022; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012

July 2025

Issues occur when using Microsoft Changjie Input Method

Following installation of the July 2025 Windows security updates (KB5062553), there might be issues when using the Microsoft Changjie IME (input method editor) for Traditional Chinese.

This issue only affects devices where Traditional Chinese is a preferred or common language or input method, and specifically where Changjie IME is used. Reported symptoms include:

• ​inability to form or select words after typing the full composition (associate phrase window)
• ​spacebar or blank key not responding
• ​incorrect or distorted word outputs
• ​the conversion candidate window fails to display properly

Microsoft Changjie is an IME that is included in Windows and available in currently supported versions.

Resolution: This issue is resolved in the July 2025 Windows non-security update (KB5062660) and later updates. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.

If you have installed Windows updates released before before July 2025, you can use the following workaround. Windows IME supports a compatibility setting that allows using the previous version of an IME instead. Employing this option should help resolve this issue.

To revert to old version of the Microsoft Changjie IME, follow these steps:

1. ​Open the Language & region setting. This can be accomplished by opening the Settings app, selecting Time & Language, then Language & Regions. You can also open the start menu and type "language" and select the top result.
2. ​If Traditional Chinese is used on this device, the Chinese (Traditional) option will appear near the top. Select the three dots next to Chinese (Traditional) to open a menu and select Language Options.
3. ​Under Keyboards, select the three dots next to Microsoft Changjie and select Keyboard Options from the menu.
4. ​Under Compatibility, set the "Use previous version of Microsoft Changjie" option to On. Then select OK.

Affected platforms:

• ​Client: Windows 11, version 24H2; Windows 11, version 23H2; Windows 11, version 22H2; Windows 10, version 22H2; Windows 10, version 1809; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
• ​Server: Windows Server 2025; Windows Server 2022; Windows Server, version 1809; Windows Server 2016

Some Azure Virtual Machines with Trusted Launch disabled might fail to start

A small subset of Azure Virtual Machines (VMs) running Windows Server 2025 or Windows 11, version 24H2, with Trusted Launch disabled, and Virtualization-Based Security (VBS) enforced via registry key might fail to boot after installing the July Windows security update (KB5062553).

To check if your virtual machine might be impacted:

1. ​Check if your VM is created as “Standard”.
2. ​Check if VBS is enabled. Open System Information (msinfo32.exe) and confirm that Virtualization-based security is running and that the Hyper-V role is not installed in the VM.

Resolution: This issue was resolved in the out-of-band (OOB) update KB5064489, which is available via the Microsoft Update Catalog.  If your virtual machine configuration is impacted by this issue, we recommend installing this out-of-band update instead of KB5062553.

Administrators can receive updated VM images for all editions of Windows Server 2025, including hotpatch editions. The new media is documented in the article, Windows Server images for July 2025.

Note: You can also prevent this issue by enabling Trusted Launch. Trusted Launch is required for Virtual Machines running Windows 11.

Affected platforms:

• ​Client: Windows 11, version 24H2
• ​Server: Windows Server 2025

May 2025

Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events

After installing the April Windows monthly security update released April 8, 2025 (KB5055523) or later, Active Directory Domain Controllers (DC) might experience authentication interruptions when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field.

Following these updates, the method by which DCs validate certificates used for Kerberos authentication has changed, and will now require that certificates are chained to an issuing certificate authority (CA) in the NTAuth store. This is related to security measures described in KB5057784 - Protections for CVE-2025-26647 (Kerberos Authentication). As a result, authentication failures might be observed in Windows Hello for Business (WHfB) Key Trust environments or environments that have deployed Device Public Key Authentication (also known as Machine PKINIT). Other products which rely on this feature can also be impacted.

Enablement of this validation method can be controlled by the Windows registry value AllowNtAuthPolicyBypass in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc. Two scenarios can be observed following installation of the April 2025 Windows monthly security update on authenticating DCs:

• ​When registry value AllowNtAuthPolicyBypass is unconfigured or set to "1", Kerberos-Key-Distribution-Center event ID 45 is repeatedly recorded in the DC system event log, with text similar to "The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to an Issuing CA in the NTAuth store". This is a new event, intentionally logged by DCs servicing authentication requests using unsafe certificates. Although this event may be logged excessively, please note that related logon operations are otherwise successful, and no other change is observed outside of these event log records.

• ​When registry value AllowNtAuthPolicyBypass is set to "2", self-signed certificate-based authentication fails. Kerberos-Key-Distribution-Center event ID 21 is recorded in the DC system event log. This is a legacy event logged when certificate-based authentication fails, and is intentionally logged when a DC services an authentication request using an unsafe certificate. The event description text for this event may vary.

Note that if the AllowNtAuthPolicyBypass registry key does not exist, the DC will behave as if the value is configured to “1”. The key may be created manually, if it does not exist, and configured as per above.

Windows Updates released on and after April 8, 2025 incorrectly log Event IDs 45 and 21 when servicing authentication requests using self-signed certificates that will never chain to a CA in the NTAuth store. Self-signed certificates may be used by the AD PKINIT Key Trust feature in the following scenarios:

• ​Windows Hello for Business (WHfB) Key Trust deployments
• ​Device Public Key Authentication (also known as Machine PKINIT).
• ​Other scenarios that rely on the msds-KeyCredentialLink field, such as smart card products, third-party single sign-on (SSO) solutions, and identity management systems.

Resolution: This issue was resolved by Windows updates released June 10, 2025 (KB5060842), and later. We recommend you install the latest security update for your device as it contains important improvements and issue resolutions, including this one.

If you install an update released June 10, 2025 or later, you do not need to use a workaround for this issue. If you are using an update released before this date and have this issue, you should temporarily delay setting a value of ‘2’ to registry key AllowNtAuthPolicyBypass on updated DCs servicing self-signed certificate-based authentication. For more information, see the Registry Settings section of KB5057784.

Affected platforms:

• ​Client: None
• ​Server: Windows Server 2025; Windows Server 2022; Windows Server 2019; Windows Server 2016

April 2025

Domain controllers manage network traffic incorrectly after restarting

Windows Server 2025 domain controllers (such as servers hosting the Active Directory domain controller role) might not manage network traffic correctly following a restart. As a result, Windows Server 2025 domain controllers may not be accessible on the domain network, or are incorrectly accessible over ports and protocols which should otherwise be prevented by the domain firewall profile.

This issue results from domain controllers failing to use domain firewall profiles whenever they’re restarted. Instead, the standard firewall profile is used. Resulting from this, applications or services running on the domain controller or on remote devices may fail, or remain unreachable on the domain network. 

Workaround: The expected behavior can be restored if the network adapter is restarted. This can be performed manually in various ways, such as using the following command via PowerShell:

Restart-NetAdapter * 

Please note that, since this issue triggers whenever the domain controller is restarted, this workaround must be repeated every time the domain controller is restarted. It may be helpful to create a scheduled task which restarts the network adapter any time the domain controller is restarted.

Resolution: This issue is resolved in the June 2025 Windows security update (KB5060842) and later updates. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one. 

Affected platforms:

• ​Client: None
• ​Server: Windows Server 2025

Authentication issues due to failed password rotation in Kerberos

After installing Windows Server 2025, devices using the Identity Update Manager certificate/Public Key Cryptography for Initial Authentication (PKNIT), might experience an issue with passwords not rotating correctly, causing authentication failures. This issue occurs particularly when Kerberos Authentication is used and the Credential Guard feature is enabled. Note that machine certification using PKINIT path is a niche use case, and this issue affects a small number of devices in enterprise environments.

With this issue, devices fail to change their password every 30 days as the default interval. Because of this failure, devices are perceived as stale, disabled, or deleted, leading to user authentication issues. 

Devices running Windows Home edition are unlikely to be affected by this issue, as Kerberos authentication is typically used in enterprise environments and is not common in personal or home settings. 

Resolution:  

This issue is resolved in the April 2025 Windows security update (KB5055523) and later updates. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one. 

Note: The feature Machine Accounts in Credential Guard, which is dependent on password rotation via Kerberos, has been disabled until a permanent fix is made available. 

Affected platforms:

• ​Client: Windows 11, version 24H2

• ​Server: Windows Server 2025

March 2025

Remote Desktop might freeze after installing the February 2025 update

After installing the February 2025 Security update (KB5051987), released February 11, 2025, and later updates, on Windows Server 2025 devices, you might experience Remote Desktop sessions freezing shortly after connection. When this issue occurs, mouse and keyboard input become unresponsive within the session, requiring users to disconnect and reconnect.

Resolution:

This issue is resolved in KB5055523. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.

Affected platforms:

• ​Client: Windows 11, version 24H2
• ​Server: Windows Server 2025

October 2024

Windows Server 2025 might not run as expected on devices with high core count

Servers which have a high number of logical processors might experience issues running Windows Server 2025. This is presently observed on servers which have more than 256 logical processors.

On these devices, one or more of the following issues might be encountered:

• ​Windows Server 2025 installation or upgrading processes might fail or stop responding.
• ​Starting or restarting Server might take an excessive amount of time, such as 3 hours or more.
• ​An error message on a blue screen appears when starting, restarting, or trying to run an application.

Issues may not trigger consistently, for which it is also possible that the server will start and operate without problem.

To determine whether you are encountering this issue because the number of logical processors on the device exceeds 256, open the Windows Task Manager. This can be accomplished by pressing CTRL+SHIFT+ESC. From there, select the Performance tab and note the number of logical processors reported in the bottom half of the window.

Resolution: This issue was resolved by Windows updates released November 12, 2024 (KB5046617), and later. We recommend you install the latest security update for your device as it contains important improvements and issue resolutions, including this one. If you install an update released November 12, 2024 (KB5046617) or later, you do not need to use a workaround for this issue. If you are using an update released before this date, and have this issue, you have the option to apply the following workaround:

To temporarily prevent this issue, you will need to limit the total number of logical processors on the server to 256 or under. Changing the number of logical processors will vary depending on the firmware installed on your device.

To adjust the number of logical processors, follow these steps:

1. ​Restart your server and enter the UEFI Setup. Navigate through the firmware menus, which may vary by manufacturer.
2. ​Locate any option which allows you to adjust the number of cores per socket.
3. ​Set the number of cores per socket to a value that ensures the total number of logical processors is 256 or fewer. Important: The total number of logical processors is calculated by first multiplying the number of sockets by the number of cores per socket, and then multiplying that result by the number of logical processors per core.
4. ​Restart the server.

Affected platforms:

• ​Client: None
• ​Server: Windows Server 2025

Some text might appear in English during the installation process

When installing Windows Server 2025, some text might appear in English during the installation process, regardless of the language selected for the installation. This will be noticeable if a language other than English has been selected for installation.

Please note, this only occurs when utilizing media - such as CD and USB flash drives - to install Windows Server 2025. This issue is only present on Windows Server media 25100.1742 and above with the use of Multilanguage User Interface (MUI).

Resolution: This issue was resolved by Windows updates released April 8, 2025 (KB5055523), and later. We recommend you install the latest security update for your device as it contains important improvements and issue resolutions, including this one. 

Affected platforms:

• ​Client: None
• ​Server: Windows Server 2025

Error 'boot device inaccessible' might appear in iSCSI environments

Servers which use iSCSI (Internet Small Computer Systems Interface) technology might display an error upon startup, with the message 'boot device inaccessible'.  

This is observed on servers operating under NDIS Poll Mode booting from an iSCSI LUN. Under such configuration, the server will experience the error during startup, after the installation of Windows Server 2025 is completed.

Resolution: This issue was resolved by Windows updates released February 11, 2025 (KB5051987), and later. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.

Affected platforms:

• ​Client: None
• ​Server: Windows Server 2025

Report a problem with Windows updates

To report an issue to Microsoft at any time, use the Feedback Hub app. To learn more, see Send feedback to Microsoft with the Feedback Hub app.

Need help with Windows updates?

Search, browse, or ask a question on the Microsoft Support Community. If you are an IT pro supporting an organization, visit Windows release health on the Microsoft 365 admin center for additional details.

For direct help with your home PC, use the Get Help app in Windows or contact Microsoft Support. Organizations can request immediate support through Support for business.

View this site in your language

This site is available in 11 languages: English, Chinese Traditional, Chinese Simplified, French (France), German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, and Spanish (Spain). All text will appear in English if your browser default language is not one of the 11 supported languages. To manually change the display language, scroll down to the bottom of this page, click on the current language displayed on the bottom left of the page, and select one of the 11 supported languages from the list.