Microsoft Known Issue

Affected customers can use one of the following workarounds to mitigate this issue. Option 1: Allow the update to install by modifying an ESP registry setting Important: Editing the registry incorrectly can cause serious system problems. Always back up the registry before making any changes. Open Command Prompt as an administrator. Run the following command: reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Bfsvc /v EspPaddingPercent /t REG_DWORD /d 0 /f\" Restart the affected device. Retry installing the update. Option 2: Mitigate the issue by using Known Issue Rollback (KIR) This issue is mitigated using Known Issue Rollback (KIR). The resolution has already propagated automatically to consumer devices and non-managed business devices. Restarting your Windows device might help the resolution apply more quickly. Enterprise-managed devices For devices where Windows updates are managed by IT departments, administrators can apply the mitigation by installing and configuring a special Group Policy. You can find the policy at Computer Configuration > Administrative Templates >. Group Policy download Windows 11, version 25H2 and Windows 11, version 24H2: KB5089549 260514_06221 Known Issue Rollback Important: You must install and configure the Group Policy that matches your version of Windows to resolve this issue. You must also restart affected devices to apply the policy. This Group Policy temporarily disables the change that causes the issue. For more information, seeHow to use Group Policy to deploy a Known Issue Rollback. A resolution is in progress and will be included in a future Windows update. This documentation will be updated once the resolution is available.

After installing KB5070892 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

We are working on a resolution and will provide more information when it is available. To temporarily work around this issue, remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: ​​​​​​​This updates the BitLocker bindings to use the Windows-selected default PCR profile.

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.

Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.

Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.

This issue is addressed in KB5087420.

This issue is addressed in KB5087539.

This issue is addressed in KB5087545.

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.

This issue is addressed in KB5087539.

After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

Option 1: Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. Option 2: Apply the Known Issue Rollback (KIR) before installing the update A Known Issue Rollback (KIR) is available for customers who cannot remove the PCR7 group policy before deploying this update. The KIR prevents the automatic switch to the 2023 Boot Manager, avoiding the BitLocker recovery trigger. The KIR should be deployed before installing the update on affected devices. Contact Microsoft's Support for business to obtain this KIR. A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.

This issue is addressed in KB5083631.

This issue is addressed in KB5083806.

This issue is addressed in KB5089549. After installing KB5089549, devices with this incompatible group policy configuration are prevented from installing the 2023-signed Windows Boot Manager. If your device was impacted, Event ID 1032 will appear in the System event log when installing Windows updates: "The Secure Boot update Boot Manager (2023) was not applied due to a known incompatibility with the current BitLocker configuration." If you receive Event ID 1032, Microsoft strongly recommends removing the Group Policy configuration before installing updates so that you can install the 2023-signed Windows Boot Manager and continue to receive the latest Secure Boot protections. Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (if BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (if BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. If you do not wish to remove this Group Policy configuration, you can install the new Windows Boot Manager by temporarily suspending BitLocker and installing the Secure Boot update. To do this: Run the following command to suspend BitLocker (if BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command: Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" Restart the device. Once the new Windows Boot Manager is successfully installed, enable BitLocker by running the command: manage-bde -protectors -enable C:

This issue is addressed in KB5087545.

This issue is addressed in out-of-band update KB5091575. Note: If your Windows Server 2022 device is enrolled in hotpatching, you should instead install the OOB hotpatch update KB5091576. This hotpatch OOB update is released through Windows Update and does not require the device to restart.

This issue is addressed in out-of-band update KB5091157. Note: If your Windows Server 2025 device is enrolled in hotpatching, you should instead install the OOB hotpatch update KB5091470. This hotpatch OOB update is released through Windows Update and does not require the device to restart.

This issue is addressed in out-of-band update KB5091157. Note: Hotpatch-enrolled Windows Server 2025 devices affected by this issue can install out-of-band update KB5091157 to receive the same protections as the April security update (KB5082063). However, installing KB5091157 requires a restart and pauses hotpatching. Hotpatch updates will resume after the July 2026 baseline update.

This issue is addressed in out-of-band update KB5091571.

After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

This issue is addressed in KB5089549. After installing KB5089549, devices with this incompatible group policy configuration are prevented from installing the 2023-signed Windows Boot Manager. If your device was impacted, Event ID 1032 will appear in the System event log when installing Windows updates: "The Secure Boot update Boot Manager (2023) was not applied due to a known incompatibility with the current BitLocker configuration." If you receive Event ID 1032, Microsoft strongly recommends removing the Group Policy configuration before installing updates so that you can install the 2023-signed Windows Boot Manager and continue to receive the latest Secure Boot protections. Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (if BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (if BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. If you do not wish to remove this Group Policy configuration, you can install the new Windows Boot Manager by temporarily suspending BitLocker and installing the Secure Boot update. To do this: Run the following command to suspend BitLocker (if BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command: Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" Restart the device. Once the new Windows Boot Manager is successfully installed, enable BitLocker by running the command: manage-bde -protectors -enable C:

Option 1: Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. Option 2: Apply the Known Issue Rollback (KIR) before installing the update A Known Issue Rollback (KIR) is available for customers who cannot remove the PCR7 group policy before deploying this update. The KIR prevents the automatic switch to the 2023 Boot Manager, avoiding the BitLocker recovery trigger. The KIR should be deployed before installing the update on affected devices. Contact Microsoft’s Support for business to obtain this KIR. Next steps A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.

Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.

Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.

Remove the Group Policy configuration before installing the update (Recommended) Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Run the following command on affected devices to propagate the policy change: gpupdate /force Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: This updates the BitLocker bindings to use the Windows-selected default PCR profile. A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.

Open the Command Prompt (cmd.exe) console. To do this, you can click Start, type cmd in the Search box, and then select cmd from the results. In the Command Prompt window, type powershell.exe and then press Enter. This opens a PowerShell console where this issue does not occur.

After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

Open the Command Prompt (cmd.exe) console. To do this, you can click Start, type "cmd" in the Search box, and then select cmd from the results. In the Command Prompt window, type powershell.exe and then press Enter. This opens a PowerShell console where this issue does not occur.

After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

This issue is fully resolved in Windows updates released on February 10, 2026 (KB5075941), and in all updates released after that date. The update fixes the problem for devices that use Secure Launch and for devices Virtual Secure Mode (VSM) enabled. An earlier fix that helped some Secure Launch devices was first released through the Microsoft Update Catalog in an OOB update on January 17, 2026 (KB5077797), and later through Windows Update in another out‑of‑band update on January 24, 2026 (KB5078132).

This issue is addressed in KB5074105.

This issue will be addressed in a future Windows update. Additional information will be shared as soon as it becomes available.

This issue is addressed in KB5078132.

This issue is addressed in KB5078135.

This issue is addressed in KB5078133.

After installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

This issue is addressed in KB5078127.

This issue is addressed in KB5074105.

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

Open the Command Prompt (cmd.exe) console. To do this, you can click Start, type "cmd" in the Search box, and then select cmd from the results. In the Command Prompt window, type powershell.exe and then press Enter. This opens a PowerShell console where this issue does not occur.

This issue is addressed in KB5075904.

This issue is addressed in KB5075912.

This issue is addressed in KB5078136.

This issue will be addressed in a future Windows update. Additional information will be shared as soon as it becomes available.

This issue is addressed in KB5078129.

This issue will be addressed in a future Windows update. Additional information will be shared as soon as it becomes available.

This issue is addressed in KB5078131.

This issue is addressed in KB5078127.

This issue is addressed in KB5078132.

This issue is addressed in KB5078133.

If you are experiencing this issue, please contact the application developer for possible alternative methods of accessing the files. For Outlook-specific scenarios, moving the PST files out of OneDrive should resolve the issue. For guidance, please see documentation at How to remove an Outlook .pst data file from OneDrive. In addition, email accounts can still be accessed via webmail, if supported by your email provider.

This issue will be addressed in a future Windows update. Additional information will be shared as soon as it becomes available.

This issue is addressed in KB5078129

This issue will be addressed in a future Windows update. Additional information will be shared as soon as it becomes available.

This issue is addressed in KB5078131.

This issue is addressed in KB5078136.

After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

This issue is addressed in KB5077744.

This issue is addressed in KB5077797.

This issue is addressed in KB5077797.

This issue is resolved in Windows updates released on and after January 17, 2026 (such as KB5077796). We recommend you install the latest Windows update for your device as it contains important improvements and issue resolutions, including this one.

This issue is resolved in Windows updates released on and after January 17, 2026 (such as KB5077795). We recommend you install the latest Windows update for your device as it contains important improvements and issue resolutions, including this one.

This issue is addressed in KB5077793.

This issue is addressed in KB5077792.

This issue is addressed in KB5077800.

To resolve this issue manually, apply the out-of-band updates for the version of .NET Framework used by the app.

This issue is resolved in KB5010794.

This issue is resolved in KB5010794.

Do one of the following: Perform the operation from a process that has administrator privilege. Perform the operation from a node that doesn’t have CSV ownership. Microsoft is working on a resolution and will provide an update in an upcoming release.

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

This issue is mitigated using Known Issue Rollback (KIR). For enterprise-managed devices managed by IT departments that have installed the affected update and encountered this issue, IT administrators can resolve it by installing and configuring the Group policy.