Group Policy Archives

Winsage

May 4, 2026

Microsoft Confirms Critical Windows Update Error Disrupting Global Systems

Microsoft has confirmed a critical bug in its latest cumulative update, affecting millions of Windows 10 and Windows 11 users. The issue leads to a "Restart and Shut Down" loop, preventing users from completing the update and locking them out of their devices. This disruption is particularly severe for corporate IT departments, with reports of entire office networks being paralyzed. The problematic update, identified as KB5037853, was meant to address security vulnerabilities but has caused systems to display an endless "Update and Restart" message. Some users experience a "Blue Screen of Death" (BSOD) and may be forced into "Recovery Mode." Microsoft is working on a "Known Issue Rollback" (KIR) to automatically undo the problematic code for consumer machines, while enterprise users may require manual intervention. The downtime is projected to result in significant financial losses, with large enterprises potentially losing up to ,600 per minute of unplanned downtime. Affected versions include Windows 11 22H2, 23H2, and Windows 10 22H2. Symptoms include failure to shut down, BSOD on boot, and missing Start menu icons. The estimated downtime ranges from 4 to 12 hours, depending on IT response speed. Critics have raised concerns about Microsoft's development process, suggesting it places users in the role of beta testers.

Winsage

May 1, 2026

Windows 11 KB5083631 update released with 34 changes and fixes

Microsoft has released the KB5083631 optional cumulative update for Windows 11, featuring 34 enhancements aimed at improving user experience and system performance. Key features include a new Xbox mode for immersive gaming, improved performance for startup applications, enhanced security for batch files and CMD scripts, haptic feedback on supported devices, improvements to Secure Boot, and updates to Kerberos authentication. The update also addresses issues with Windows Security event logging, eliminates a white flash in dark mode, and increases the reliability of explorer.exe processes. Users can install the update via Windows Settings under Windows Update. After installation, Windows 11 devices will be updated to builds 26100.8328 and 26200.8328. Additionally, updated Secure Boot certificates are being rolled out, and some Windows Server 2025 devices may require a BitLocker recovery key after the update.

Winsage

May 1, 2026

Microsoft now lets admins choose pre-installed Store apps to uninstall

Microsoft has updated its Windows 11 operating system to enhance the management of preinstalled applications. The new RemoveDefaultMicrosoftStorePackages policy allows IT administrators to remove any preinstalled MSIX/APPX applications by referencing their Package Family Name (PFN) through Group Policy Object (GPO) or custom OMA-URI for mobile device management (MDM). This feature requires devices to have at least the April 2026 Windows non-security update. It is available for Windows 11 version 24H2 Enterprise and Education editions, whereas it was initially exclusive to version 25H2 or later. A comprehensive list of supported applications and instructions for applying the policy are provided in Microsoft's documentation. Additionally, a new policy setting enables the uninstallation of the AI-powered Copilot digital assistant from enterprise devices after the April 2026 Patch Tuesday updates. The dynamic list option for this policy will be rolled out in the coming months.

Winsage

April 28, 2026

Microsoft Releases Enterprise Policy Option to Disable Windows 11 Copilot

Microsoft has introduced a new enterprise policy setting that allows IT administrators to silently uninstall the Microsoft Copilot app from managed Windows 11 devices. The RemoveMicrosoftCopilotApp policy became available after the April 2026 Patch Tuesday security updates and is compatible with enterprise management solutions like Microsoft Intune and System Center Configuration Manager (SCCM). Administrators can find the policy in the Group Policy Editor under User Configuration > Administrative Templates > Windows AI > Remove Microsoft Copilot App. It specifically targets Windows 11 Pro, Enterprise, and Education SKUs, excluding Home edition users. The uninstallation process is triggered when three conditions are met: Microsoft 365 Copilot is installed on the device, it was provisioned (not user-installed), and it has not been launched by the user in the last 28 days. The policy was initially available for Windows Insiders in January 2026 and became generally accessible afterward. However, future updates or user reinstalls from the Microsoft Store may reintroduce the Copilot app, necessitating ongoing policy enforcement for permanent removal. Organizations seeking broader exclusion may need to use PowerShell scripts or additional MDM configurations.

Winsage

April 27, 2026

Microsoft Adds Policy to Let IT Admins Uninstall Copilot From Enterprise Windows 11 Devices

Microsoft has introduced a policy allowing IT administrators to remove the Microsoft Copilot app from managed enterprise devices. This "Remove Microsoft Copilot App" policy will be available as a Policy CSP and Group Policy after the April 2026 Windows security updates for Windows 11 devices on the 25H2 update, specifically for Enterprise, Professional, and Education editions. The policy will uninstall Copilot under certain conditions: both Microsoft 365 Copilot and Microsoft Copilot must be installed, the user must not have manually installed the app, and the app must not have been launched in the past 28 days. Administrators can enable the policy through the Group Policy Editor or configure it via Microsoft Intune and SCCM after the April 2026 updates. The policy aligns with Microsoft's recent changes in managing Copilot, including the cessation of automatic installations and the cancellation of plans to integrate Copilot into system notifications and other features. The policy was initially available to Windows Insiders in January before becoming generally accessible in April 2026.

Winsage

April 27, 2026

Windows 11 KB5083769: The April Update may require the recovery key on certain BitLocker-enabled systems

The April update KB5083769 for Windows 11 versions 24H2 and 25H2, released on April 14, 2026, has a known issue where certain devices may enter BitLocker recovery mode after installation. This problem affects a limited subset of devices with specific, non-recommended BitLocker Group Policy settings. The issue arises when BitLocker is activated, a specific TPM platform validation policy is set to include PCR7, PCR7 binding is not feasible, the Windows UEFI CA 2023 certificate is present, and the device is not using the 2023-signed Windows Boot Manager. Microsoft advises organizations to review their BitLocker Group Policy settings and verify PCR7 binding status before deploying the update to prevent devices from requesting recovery keys. If the recovery prompt appears, users will need to enter the BitLocker recovery key, but subsequent reboots should not trigger the recovery process again if the Group Policy remains unchanged.

Winsage

April 26, 2026

Go straight to sell! Windows second-chance setup hawks Microsoft services at IT’s expense

Months after acquiring a laptop, users may encounter a prompt from Windows 11 stating, “You’re almost done setting up your PC.” This leads to a series of inquiries about adopting Microsoft’s recommended browser settings, linking a phone for SMS notifications, and acknowledging Office installation. Users may feel compelled to click through these prompts, which can include advertisements, such as for Xbox Game Pass Premium at .99 per month. This series of prompts is referred to as the Second Chance Out of Box Experience (SCOOBE), which can resurface due to Windows updates and may lead to unnecessary support calls and potential unauthorized subscriptions in organizational settings. Users can disable SCOOBE by adjusting settings in Windows or Group Policy, but ongoing vigilance is required due to the evolving nature of Microsoft’s software.

Winsage

April 25, 2026

New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

PhantomRPC is a significant architectural vulnerability in the Windows Remote Procedure Call (RPC) framework that allows local privilege escalation to SYSTEM-level access across all Windows versions. Discovered by Kaspersky's Haidar Kabibo at Black Hat Asia 2026, this vulnerability stems from the RPC runtime's failure to verify the legitimacy of a responding server during calls to offline or disabled servers. Attackers can exploit this by setting up a malicious RPC server that impersonates a legitimate endpoint, using the RpcImpersonateClient API to escalate privileges from low-privileged accounts to SYSTEM or Administrator levels. Five distinct exploitation paths have been identified: 1. gpupdate.exe coercion: An attacker can intercept an RPC call made by the Group Policy Client service when executing gpupdate /force, granting SYSTEM-level access if TermService is disabled. 2. Microsoft Edge startup: Launching msedge.exe triggers an RPC call to TermService, allowing privilege escalation from Network Service to Administrator via a spoofed endpoint. 3. WDI background service: The Diagnostic System Host polls TermService regularly, enabling an attacker to exploit this without user interaction. 4. ipconfig.exe and DHCP Client: Running ipconfig.exe initiates an RPC call to the DHCP Client service, allowing a Local Service attacker to elevate privileges if DHCP is disabled and a fake server is present. 5. w32tm.exe and Windows Time: An attacker can expose a named pipe endpoint, allowing them to impersonate any privileged user executing the Windows Time executable. The vulnerability was reported to Microsoft on September 19, 2025, but Microsoft categorized it as moderate severity and closed the case without a patch, as the attack requires SeImpersonatePrivilege, which is granted by default to certain accounts. Organizations are advised to implement defensive measures such as enabling RPC monitoring, ensuring legitimate services are running, and restricting SeImpersonatePrivilege. Kaspersky has provided tools for auditing environments for exploitable RPC call patterns through the PhantomRPC GitHub repository.

Winsage

April 24, 2026

Microsoft Throws IT Admins a Bone With Ability to Remove Copilot From Windows

Microsoft is adjusting its rollout strategy for Copilot AI in Windows 11 in response to user concerns by slowing down the introduction and visibility of AI features. IT administrators can now completely remove Copilot from their systems with the new setting called RemoveMicrosoftCopilotApp, introduced in Windows 11, version 25H2 (KB5083769). This feature allows for non-disruptive uninstallation of Copilot for organizations using Pro, Enterprise, Education, or IoT Enterprise editions. Specific criteria must be met for effective removal: both Microsoft 365 Copilot and Microsoft Copilot must be installed, the app should not have been installed by the user, and it must not have been launched in the past 28 days. The change is reversible, allowing for reinstallation if needed.

Winsage

April 21, 2026

Microsoft releases Windows Server update fix to fix its April update fixes

Microsoft has released an out-of-band update to fix a restart loop issue affecting certain Windows Server devices after the April 2026 update. The problem arose after installing the April 2026 Windows security update (KB5082063), causing domain controllers in multi-domain environments using Privileged Access Management (PAM) to experience LSASS crashes during startup, leading to repeated restarts and potential domain outages. The update targets Windows Server versions 2016 through 2025 and includes hotpatches for failed installations. Only Windows Servers were affected, while some enterprise devices may need to enter their BitLocker recovery key after the first restart post-installation. Microsoft has issued similar updates recently, raising concerns about the frequency of these occurrences.