Find information on known issues and the servicing status for Windows 10, version 1809 and Windows Server 2019. For immediate help with Windows update issues, click here if you are using a Windows device to open the Get Help app or go to support.microsoft.com. Follow @WindowsUpdate on X (formerly Twitter) for Windows release health updates. If you are an IT administrator and want to programmatically get information from this page, use the Windows Updates API in Microsoft Graph.
Known issues
Summary | Originating update | Status | Last updated |
---|---|---|---|
Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events The April 2025 update may trigger behavior in domain controllers that logs Kerberos event IDs 45 and 21 | OS Build 17763.7136 KB5055519 2025-04-08 | Confirmed | 2025-05-13 00:16 PT |
August 2024 security update might impact Linux boot in dual-boot setup devices This issue might impact devices with dual-boot setup for Windows and Linux when SBAT setting is applied | OS Build 17763.6189 KB5041578 2024-08-13 | Resolved KB5058392 | 2025-05-13 10:05 PT |
Windows Server 2022 and Server 2019 unexpectedly upgraded to Windows Server 2025 This issue has been mitigated. It was observed when updates were managed through some third-party applications. | N/A | Mitigated | 2024-11-13 17:15 PT |
Apps that acquire or set Active Directory Forest Trust Information might have issues Apps using Microsoft .NET to acquire or set Forest Trust Information might fail, close, or you might receive an error. | OS Build 17763.2452 KB5009557 2022-01-11 | Mitigated | 2022-02-07 15:36 PT |
Issue details
May 2025
Logon might fail with Windows Hello in Key Trust mode and log Kerberos Events
Status | Originating update | History |
---|---|---|
Confirmed | OS Build 17763.7136 KB5055519 2025-04-08 | Last updated: 2025-05-13, 00:16 PT Opened: 2025-05-06, 13:25 PT |
After installing the April Windows monthly security update released April 8, 2025 (KB5055523) or later, Active Directory Domain Controllers (DC) might experience authentication interruptions when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field.
Following these updates, the method by which DCs validate certificates used for Kerberos authentication has changed, and will now require that certificates are chained to an issuing certificate authority (CA) in the NTAuth store. This is related to security measures described in KB5057784 - Protections for CVE-2025-26647 (Kerberos Authentication). As a result, authentication failures might be observed in Windows Hello for Business (WHfB) Key Trust environments or environments that have deployed Device Public Key Authentication (also known as Machine PKINIT). Other products which rely on this feature can also be impacted.
Enablement of this validation method can be controlled by the Windows registry value AllowNtAuthPolicyBypass in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc. Two scenarios can be observed following installation of the April 2025 Windows monthly security update on authenticating DCs:
- When registry value AllowNtAuthPolicyBypass is unconfigured or set to "1", Kerberos-Key-Distribution-Center event ID 45 is repeatedly recorded in the DC system event log, with text similar to "The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to an Issuing CA in the NTAuth store". This is a new event, intentionally logged by DCs servicing authentication requests using unsafe certificates. Although this event may be logged excessively, please note that related logon operations are otherwise successful, and no other change is observed outside of these event log records.
- When registry value AllowNtAuthPolicyBypass is set to "2", self-signed certificate-based authentication fails. Kerberos-Key-Distribution-Center event ID 21 is recorded in the DC system event log. This is a legacy event logged when certificate-based authentication fails, and is intentionally logged when a DC services an authentication request using an unsafe certificate. The event description text for this event may vary.
Note that if the AllowNtAuthPolicyBypass registry value does not exist, the DC behaves as if the value is set to "1". The value may be created manually if it does not exist, and configured as described above.
Windows Updates released on and after April 8, 2025 incorrectly log Event IDs 45 and 21 when servicing authentication requests using self-signed certificates that will never chain to a CA in the NTAuth store. Self-signed certificates may be used by the AD PKINIT Key Trust feature in the following scenarios:
- Windows Hello for Business (WHfB) Key Trust deployments
- Device Public Key Authentication (also known as Machine PKINIT).
- Other scenarios that rely on the msds-KeyCredentialLink field, such as smart card products, third-party single sign-on (SSO) solutions, and identity management systems.
Workaround: Administrators should temporarily delay setting the registry value AllowNtAuthPolicyBypass to "2" on updated DCs servicing self-signed certificate-based authentication. For more information, see the Registry Settings section of KB5057784.
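The registry value and event IDs described above can be reviewed together on a DC. The following PowerShell is an added example, not part of Microsoft's page; the full provider name `Microsoft-Windows-Kerberos-Key-Distribution-Center` and the 7-day review window are assumptions.

```powershell
# Added example (not from the original page): report how this DC is configured
# for AllowNtAuthPolicyBypass and count recent KDC events 45 and 21.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'
# Assumption: full provider name of the "Kerberos-Key-Distribution-Center" source.
$Provider  = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$Since     = (Get-Date).AddDays(-7)   # assumption: 7-day review window

function Get-NtAuthBypassState {
    # An absent value behaves as 1, as the page states.
    $prop = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Configured = $false; Effective = 1 }
    }
    [pscustomobject]@{ Configured = $true; Effective = [int]$prop.$ValueName }
}

function Get-KdcNtAuthEvent {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'System'; ProviderName = $Provider; Id = 45, 21; StartTime = $StartTime }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

$state   = Get-NtAuthBypassState
$events  = Get-KdcNtAuthEvent -StartTime $Since
$count45 = @($events | Where-Object { $_.Id -eq 45 }).Count
$count21 = @($events | Where-Object { $_.Id -eq 21 }).Count

# Interpretation limited to the two settings this page describes.
$meaning = switch ($state.Effective) {
    1       { 'Event 45 is logged; related logons still succeed.' }
    2       { 'Self-signed certificate-based authentication fails; event 21 is logged.' }
    default { 'Value not described on this page; see KB5057784.' }
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ValueConfigured = $state.Configured
    EffectiveValue  = $state.Effective
    Meaning         = $meaning
    Event45Count    = $count45
    Event21Count    = $count21
    Since           = $Since
}
```

Run it in an elevated session on each DC that services key trust authentication; it only reads the registry and the System log.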
Next steps: Microsoft is aware of this issue. It is important to us that organizations can accurately monitor and test for compliance with security measures using the registry values made available after the April 8, 2025 Windows updates. We are working on a solution and will provide an update as soon as possible.
Affected platforms:
- Client: None
- Server: Windows Server 2025; Windows Server 2022; Windows Server 2019; Windows Server 2016
November 2024
Windows Server 2022 and Server 2019 unexpectedly upgraded to Windows Server 2025
Status | Originating update | History |
---|---|---|
Mitigated | N/A | Last updated: 2024-11-13, 17:15 PT Opened: 2024-11-09, 12:16 PT |
Windows Server 2025 is intended to be offered as an Optional upgrade in Windows Update settings for devices running Windows Server 2019 and Windows Server 2022. Two scenarios were observed in certain environments:
- Some devices upgraded automatically to Windows Server 2025 (KB5044284). This was observed in environments that use third-party products to manage the update of clients and servers. Please verify whether third-party update software in your environment is configured not to deploy feature updates. This scenario has been mitigated.
- An upgrade to Windows Server 2025 was offered via a message in a banner displayed on the device’s Windows Update page, under Settings. This message is intended for organizations that want to execute an in-place upgrade. This scenario has already been resolved.
The Windows Server 2025 feature update was released as an Optional update under the Upgrade Classification: “DeploymentAction=OptionalInstallation”. Feature update metadata must be interpreted as Optional and not Recommended by patch management tools.
We advise organizations to use Microsoft-recommended methods to deploy Windows Server feature updates.
Next steps: Microsoft is working with third-party providers to streamline best practices and recommended procedures. As an interim measure, Microsoft has also temporarily paused the upgrade offer via the Windows Update settings panel. We estimate it will be available in the first half of 2025. All other upgrading methods to install Windows Server 2025 are still available through the usual channels.
Once the offer via Windows Update resumes, IT administrators will be able to control the feature update offer banner by setting the target version to “hold” in the Group Policy “Select the target Feature Update version.” To learn how to manage feature updates via this group policy, see Manage Feature Updates with Group Policy on Windows Server.
Note: The Windows Server 2025 feature update was made available on November 1, 2024, as KB5044284, which was the same KB number used for Windows 11, version 24H2. This is the KB numbering for both client and server Windows updates. Future updates released for Windows Server 2025 and Windows 11, version 24H2 will share the same KB numbers, but will have different release note sites and links.
Affected platforms:
- Client: None
- Server: Windows Server 2025; Windows Server 2022; Windows Server 2019
August 2024
August 2024 security update might impact Linux boot in dual-boot setup devices
Status | Originating update | History |
---|---|---|
Resolved KB5058392 | OS Build 17763.6189 KB5041578 2024-08-13 | Resolved: 2025-05-13, 10:00 PT Opened: 2024-08-21, 18:33 PT |
After installing the August 2024 Windows security update (KB5041578) or the August 2024 preview update, you might face issues booting Linux if you have enabled a dual-boot setup for Windows and Linux on your device. As a result of this issue, your device might fail to boot Linux and show the error message “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”
The August 2024 Windows security and preview updates apply a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied.
IMPORTANT: This known issue only occurs with the installation of the August 2024 security and preview updates. The September 2024 security update and later updates do not contain the settings that caused this issue.
Resolution: This issue was resolved by Windows updates released May 13, 2025 (KB5058392), and later. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
Note: On Windows-only systems, after installing the September 2024 or later updates, you can set the registry key documented in CVE-2022-2601 and CVE-2023-40547 to ensure the SBAT security update is applied. On systems that dual-boot Linux and Windows, there are no additional steps necessary after installing the September 2024 or later updates.
Affected platforms:
- Client: Windows 11, version 23H2; Windows 11, version 22H2; Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2; Windows 10 Enterprise 2015 LTSB
- Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
February 2022
Apps that acquire or set Active Directory Forest Trust Information might have issues
Status | Originating update | History |
---|---|---|
Mitigated | OS Build 17763.2452 KB5009557 2022-01-11 | Last updated: 2022-02-07, 15:36 PT Opened: 2022-02-04, 16:57 PT |
After installing updates released January 11, 2022 or later, apps using Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might fail, close, or you might receive an error from the app or Windows. You might also receive an access violation (0xc0000005) error. Note for developers: Affected apps use the System.DirectoryServices API.
Next Steps: This issue was resolved in the out-of-band update for the version of .NET Framework used by the app. Note: These out-of-band updates are not available from Windows Update and will not install automatically. To get the standalone package, search for the KB number for your version of Windows and .NET Framework in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manager instructions, see Import updates from the Microsoft Update Catalog.
For instructions on how to install this update for your operating system, see the KB articles listed below:
- Windows Server 2022:
- .NET Framework 4.8 KB5011258
- Windows Server 2019:
- Windows Server 2016:
- Windows Server 2012 R2:
- Windows Server 2012:
Affected platforms:
- Client: None
- Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Report a problem with Windows updates
To report an issue to Microsoft at any time, use the Feedback Hub app. To learn more, see Send feedback to Microsoft with the Feedback Hub app.
Need help with Windows updates?
Search, browse, or ask a question on the Microsoft Support Community. If you are an IT pro supporting an organization, visit Windows release health on the Microsoft 365 admin center for additional details.
For direct help with your home PC, use the Get Help app in Windows or contact Microsoft Support. Organizations can request immediate support through Support for business.