Event Viewer Archives

Winsage

March 17, 2026

Microsoft to Block Windows 11 and Server 2025 Automated Installation After Critical RCE Vulnerability

Microsoft is implementing a two-phase initiative to disable the hands-free deployment feature in Windows Deployment Services (WDS) due to a critical remote code execution vulnerability (CVE-2026-0386) identified on January 13, 2026. This vulnerability arises from improper access control related to the Unattend.xml file, which is transmitted over an unauthenticated RPC channel, allowing attackers on the same network segment to exploit it. Successful exploitation could grant SYSTEM-level privileges and compromise OS deployment images. The initiative includes: - Phase 1 (January 13, 2026): The hands-free deployment feature will remain operational but can be disabled. New Event Log alerts and registry key controls will be introduced to enforce secure practices. - Phase 2 (April 2026): The hands-free deployment feature will be completely disabled by default for administrators who have not modified registry settings. Administrators can temporarily re-enable the feature by setting AllowHandsFreeFunctionality = 1, but this is not secure. Recommendations include reviewing WDS configurations, applying security updates, setting registry keys for secure behavior, monitoring Event Viewer for alerts, and considering alternative deployment methods. Microsoft’s KB article 5074952 provides further guidance for impacted organizations.

Winsage

February 28, 2026

Microsoft confirms a wider roll out of Windows 11’s new colourful battery icons on the taskbar

Windows 11 users will see colorful battery icons on the taskbar as Microsoft rolls out updates, including the new Start menu, with the update KB5077241. The vibrant battery icons have been in development for nearly two years, with initial testing starting in late 2024. The rollout began last year but was limited to select PCs. An optional update in February 2026 will further expand the availability of these icons and the updated Start menu. The new battery icon replaces the plain white bar with a green icon when charging, featuring a charging bolt during the process. The icon changes color based on battery levels: it turns orange at 30% and red below 6%. Users can display the battery percentage on the taskbar by enabling it in Settings > System > Power & Battery. Recent improvements to the Windows taskbar include the return of drag-and-drop functionality, the ability to resize the taskbar, and potential options to reposition it. Microsoft is also updating Secure Boot certificates, set to expire in June 2026, and distributing new certificates issued in 2023 to more PCs. A tutorial is available for users to verify the application of these new Secure Boot certificates.

Winsage

January 19, 2026

Windows 11 PCs Fail To Shut Down After Update

Some users of Windows 11 have experienced a problem where their PCs reboot instead of shutting down after the Patch Tuesday security update KB5073455. This issue primarily affects devices with Secure Launch on Windows 11 version 23H2. Microsoft has confirmed this behavior, which disrupts the usual power-off sequence and can drain battery life for laptops and complicate remote management processes. An out-of-band update, KB5077797, has been released to restore normal shutdown and hibernation functionalities for affected systems. Users can check for this update in Windows Update or download it from the Microsoft Update Catalog. To determine if they are affected, users should look for immediate restarts when selecting Shut Down or Hibernate and check if Secure Launch is enabled in System Information.

Winsage

November 17, 2025

Custom Windows Event Viewer log notifications upped my debugging game

Windows Task Scheduler can be configured to monitor system events and send notifications for anomalies, allowing users to proactively address issues before they escalate. Users can set up custom notifications by specifying Event IDs in the Task Scheduler. Common Event IDs for debugging include: - Application crash: Event ID 1000 (Application Error) - Application hang: Event ID 1002 (Application Hang) - Service failure: Event ID 7000 (Service Control Manager) - Service stopped: Event ID 7036 (Service Control Manager) - Disk/I/O issues: Event ID 129 (Disk or NTFS) - Group policy failure: Event ID 1058 (Microsoft-Windows-GroupPolicy) - Driver error: Event ID 7023 (Service Control Manager or Kernel-PnP) - Failed logon: Event ID 4625 (Microsoft-Windows-Security-Auditing) - User account locked out: Event ID 4740 (Microsoft-Windows-Security-Auditing) - Audit log cleared: Event ID 1102 (EventLog) - Unexpected system shutdown: Event ID 41 (Kernel-Power) To set up notifications, users can create a PowerShell script that performs specific actions based on the event type, such as sending an email for critical alerts or displaying on-screen messages for less critical events. This setup enables effective monitoring without the need for third-party applications.

Winsage

October 30, 2025

Windows event logs are still the most powerful diagnostic tool on your PC

Event Viewer is a built-in diagnostic tool in Windows that logs every event occurring on a PC, helping users troubleshoot performance issues. It categorizes logs into Application, System, Security, and Setup sections, allowing users to focus on relevant categories during troubleshooting. Events are classified as Critical, Error, Warning, and Information, with Critical events indicating potential sources of system crashes. Users can filter logs, research Event IDs, and utilize the Details section for deeper insights. Event Viewer can be paired with Reliability Monitor for a visual overview of system stability. Many third-party diagnostic tools also rely on data from Event Viewer, making it a valuable resource for addressing persistent errors.

Winsage

October 24, 2025

Weird Authentication Failures? Could Be That Microsoft Doesn’t Like Duplicate SIDs Anymore

Microsoft has introduced a feature that requires unique Security Identifiers (SIDs) across systems, effective August 29, 2025, impacting users who previously cloned images with duplicate SIDs for Kerberos or NTLM connections. This change has led to SECENO_CREDENTIALS errors in the Event Viewer and other reported issues. Microsoft recommends using the Sysprep tool for fresh machine setups. A workaround exists through a Group Policy setting that allows duplicate SIDs, but users must contact Microsoft support to access it, as it is not available by default. This update marks the third occurrence of authentication errors associated with Microsoft updates.

Winsage

October 23, 2025

Microsoft says Windows update may have caused login problems

Microsoft has acknowledged that recent updates for Windows operating systems, specifically Windows 11 versions 24H2 and 25H2, and Windows Server 2025, may have caused login complications for some users. The problematic updates are KB5064081 (OS Build 26100.5074) released on August 29, 2025, and KB5065426 (OS Build 26100.6584) released on September 9, 2025. These updates can lead to authentication failures related to Kerberos and NTLM protocols, particularly on devices with duplicate Security IDs (SIDs). Symptoms include repeated prompts for credentials, failed access requests, inability to access shared network folders, challenges in establishing Remote Desktop connections, and specific error messages logged in the Event Viewer. The root cause is enhanced security measures that enforce checks on SIDs, which can block authentication handshakes when devices have duplicate SIDs, often due to unsupported cloning methods. There is no automated fix; administrators are advised to rebuild devices with duplicate SIDs using supported cloning methods or to configure a special Group Policy for a temporary workaround.

Winsage

October 23, 2025

Microsoft Confirms Recent Updates Causing Login Issues Across Windows Versions

Microsoft has identified a significant issue affecting users of Windows 11 version 24H2, version 25H2, and Windows Server 2025, where many users experience persistent login failures due to duplicate Security Identifiers (SIDs) after installing updates released on or after August 29, 2025. Reports indicate that after installing the preview update KB5064081 or the cumulative update KB5065426, devices with identical SIDs struggle to complete Kerberos or NTLM authentication, leading to repeated prompts for credentials and common error messages such as "Login attempt failed" and "Your credentials didn’t work." Shared network folders become inaccessible, and Remote Desktop connections fail. The root cause is enhanced security checks enforcing SID uniqueness, which block authentication handshakes when duplicate SIDs are detected. Duplicate SIDs typically occur when administrators clone Windows installations without using Sysprep, which is necessary to assign unique SIDs. Microsoft recommends rebuilding devices with duplicate SIDs using supported methods and running Sysprep prior to capturing images for deployment. As a temporary measure, administrators can install a specific Group Policy provided by Microsoft Support for Business.

Winsage

October 22, 2025

Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025

Microsoft has identified an authentication issue affecting users of Windows 11 versions 24H2 and 25H2, as well as Windows Server 2025, due to updates rolled out since late August 2025. These updates have caused failures in Kerberos and NTLM protocols on devices with identical Security Identifiers (SIDs), leading to widespread login disruptions in enterprise networks. Users have reported repeated credential prompts, error messages, and compromised network access, including issues with Remote Desktop Protocol (RDP) sessions and Failover Clustering operations. Event Viewer logs indicate machine ID mismatches and potential session discrepancies. The problem is particularly severe in virtual desktop infrastructure (VDI) environments where multiple machines share SIDs. Microsoft has emphasized the importance of using the Sysprep tool to ensure unique SIDs during cloning, as the recent updates now strictly verify SIDs during authentication. IT administrators can temporarily alleviate the authentication blocks with a specialized Group Policy, but a permanent solution involves rebuilding devices using approved cloning procedures. As of October 21, 2025, no broader patch has been released.

Winsage

October 22, 2025

Microsoft: Recent Windows updates cause login issues on some PCs

Microsoft has acknowledged a significant issue affecting Windows systems following updates released since August 29, 2025, which are causing authentication failures on devices with duplicate Security Identifiers (SIDs). SIDs are unique alphanumeric strings used by Windows to manage user and computer accounts. The updates enforce checks on SIDs, leading to authentication failures, particularly impacting Windows 11 24H2, Windows 11 25H2, and Windows Server 2025. Users may experience failed remote desktop connections, "Access denied" errors, and failed login attempts despite valid credentials, along with SECENO_CREDENTIALS errors in the Event Viewer. Duplicate SIDs often arise from cloning Windows installations without proper preparation using the Sysprep tool. Microsoft recommends rebuilding systems with duplicate SIDs using supported methods and offers a temporary workaround through a specific Group Policy.