system administrators Archives

Winsage

May 8, 2026

Windows 11 Clients: The Group Policy Editors gpedit.msc and GPMC are broken

The Group Policy Editors gpedit.msc and gpmc from the RSAT tools are experiencing functionality issues in Windows 11 due to a bug that causes an overflow error, resulting in incorrect configurations being saved. This issue was first reported by Mark Heitbrink to Microsoft in March 2026, but he has not received feedback. The bug appears to be unique to Windows 11 clients, as tests on Windows Server did not show the problem. Mark documented the bug with submission number VULN-180447 and case number 111952. He described how to reproduce the issue involving the group policy "Delay Foreground download from http" and the decimal value "4294967295," which gets altered to "2147483647" on Windows 11. Mark speculated that the issue might be due to the Windows client using the INT data type instead of unsigned INT, leading to an overflow. He noted that over 50 policies are affected by this MaxValue issue across various components.

Winsage

May 5, 2026

All new features arriving in the Windows 11 May 2026 update

Microsoft will release the Windows 11 May 2026 update on May 12, 2026, as part of its regular Patch Tuesday rollout. Key features include: 1. Enhanced File Explorer with improved launch speed and persistent View/Sort preferences. 2. Haptic feedback integration for compatible input devices. 3. Xbox mode for an improved gaming experience, available to all users later this month. 4. Transformation of the Drag Tray to Drop Tray with settings relocated for easier file sharing. 5. Introduction of the Arabic 101 Legacy keyboard layout. 6. New AI agent support on the taskbar for app previews. 7. Ability to format FAT32 drives up to 2TB. 8. Updated Windows Driver policy requiring drivers to be signed through the Windows Hardware Compatibility Program. 9. Improvements to Voice Typing, allowing activation via the Voice Typing key. 10. Security changes restricting certain CMD scripts that could manipulate system files. 11. Updated Group Policy for removing default Microsoft Store packages with a dynamic list for customization.

Winsage

April 21, 2026

Microsoft releases Windows Server update fix to fix its April update fixes

Microsoft has released an out-of-band update to fix a restart loop issue affecting certain Windows Server devices after the April 2026 update. The problem arose after installing the April 2026 Windows security update (KB5082063), causing domain controllers in multi-domain environments using Privileged Access Management (PAM) to experience LSASS crashes during startup, leading to repeated restarts and potential domain outages. The update targets Windows Server versions 2016 through 2025 and includes hotpatches for failed installations. Only Windows Servers were affected, while some enterprise devices may need to enter their BitLocker recovery key after the first restart post-installation. Microsoft has issued similar updates recently, raising concerns about the frequency of these occurrences.

Winsage

April 20, 2026

Microsoft releases emergency updates to fix Windows Server issues

Microsoft has confirmed that some administrators are experiencing difficulties installing the KB5082063 security update on Windows Server 2025. This month's Patch Tuesday updates have caused certain Windows servers, especially those with domain controller roles, to enter a restart loop due to failures in the Local Security Authority Subsystem Service (LSASS). Microsoft has released emergency out-of-band updates, including KB5091157 for Windows Server 2025, to address both the installation failure and the restart issues. Additionally, some Windows Server 2025 devices may boot into BitLocker recovery mode after installing the KB5082063 update. A bug affecting Windows Server 2019 and Windows Server 2022 that caused unexpected upgrades to Windows Server 2025 has also been resolved. Microsoft has issued various emergency updates throughout the year to address other issues, including a Bluetooth device visibility bug and vulnerabilities in the Routing and Remote Access Service (RRAS).

Tech Optimizer

April 19, 2026

This legit-looking software is actually antivirus-killing adware

Security researchers at Huntress discovered adware signed by Dragon Boss Solutions LLC, which was designed to deliver unwanted advertisements and disrupt user experience. The software had a sophisticated update mechanism that disabled antivirus programs and prevented their reactivation. Huntress found that the primary update domain and its fallback had not been registered, creating a vulnerability that could have allowed malicious actors to take control of the compromised network. In response, Huntress acquired the domains to prevent further exploitation, observing tens of thousands of compromised endpoints attempting to connect. They identified 324 infected devices in high-value sectors, including 221 academic institutions, 41 Operational Technology networks, 35 municipal governments and public utilities, 24 educational institutions, and 3 healthcare organizations. Additionally, networks of multiple Fortune 500 companies were also compromised. Researchers advised monitoring for specific WMI event subscriptions and processes associated with Dragon Boss Solutions LLC to mitigate risks.

Winsage

April 18, 2026

Microsoft closes book on rogue Windows Server 2025 upgrades

Microsoft has officially resolved the incident involving the unexpected upgrade to Windows Server 2025, which occurred over a year ago and caused significant disruption for system administrators. The upgrade was automatic, with no rollback option, and was attributed to third-party products managing updates. Additionally, Microsoft's cumulative update KB5082063 has introduced new issues, causing LSASS crashes on non-Global Catalog domain controllers in environments using Privileged Access Management, leading to repeated restarts and potential inaccessibility of domains. Microsoft has acknowledged this problem and promised a resolution soon.

Winsage

April 7, 2026

Microsoft has removed the Support and Recovery Assistant from Windows

Microsoft has phased out the Support and Recovery Assistant (SaRA) and replaced it with a command line version of the Get Help service. This new tool retains the core functionalities of SaRA while offering a console interface. The transition aims to unify Microsoft's support offerings and enhance user experience. The revamped Get Help tool continues to diagnose issues related to systems, network services, and Microsoft products, including Office, in a more streamlined manner. The command line approach may present a learning curve for casual users but offers potential benefits for advanced users and system administrators by simplifying support processes and enhancing automation capabilities. Microsoft is moving away from standalone utilities in favor of integrated solutions.

Winsage

March 31, 2026

What Is Conhost.exe?

Conhost.exe, or Console Window Host, is a legitimate Windows system process responsible for managing the display and behavior of console windows such as Command Prompt and PowerShell. It facilitates text rendering and manages input/output interactions with the graphical user interface. Each time a console application is launched, a new instance of conhost.exe is created, and multiple instances can appear in Task Manager based on active console applications. To verify the authenticity of conhost.exe, it should run from C:WindowsSystem32 or C:WindowsSysWOW64, have a valid Microsoft Windows Publisher digital signature, and not make outbound network connections. High CPU usage or unusual behavior may indicate malware masquerading as conhost.exe. Troubleshooting steps for issues related to conhost.exe include running a malware scan, checking for Windows updates, updating device drivers, and using the System File Checker. Disabling conhost.exe is not advisable as it is essential for the functioning of console applications.

Winsage

March 24, 2026

Microsoft quietly announced upcoming WSL upgrades, including a “more streamlined first-time setup and onboarding”

Microsoft has introduced several updates for Windows 11, including a simplified installation process for the Windows Subsystem for Linux (WSL), allowing users to install it with a single command or via the Microsoft Store. Additionally, there are enhancements in interoperability between Windows and Linux file systems, as well as improvements in networking capabilities. WSL provides a genuine Linux kernel and supports GUI applications, facilitating seamless communication with the Windows environment.

Winsage

March 18, 2026

Researchers Reveal ‘RegPwn,’ a Windows Registry Vulnerability That Granted SYSTEM Privileges

A Windows vulnerability named "RegPwn" (CVE-2026-24291) allows low-privileged users to elevate their access to full SYSTEM privileges. Discovered by the MDSec red team, it has been in use since January 2025 and was addressed in a recent Microsoft Patch Tuesday update. The vulnerability exploits the management of Windows accessibility features, which generate a registry key that grants full control to low-privileged users. When a user activates an accessibility tool, the configurations are copied into the local machine registry hive, which remains writable by the logged-in user. This creates an opportunity for manipulation, especially when user-controlled settings interact with the Windows Secure Desktop environment. An attacker can exploit this by modifying their user-level accessibility registry key and using an oplock on a system file, allowing them to replace the local machine registry key with a symbolic link to an arbitrary system registry key. This process operates under SYSTEM privileges, enabling the attacker to write arbitrary values to restricted areas of the Windows registry. MDSec demonstrated this technique to gain access to a SYSTEM-level command prompt. Microsoft has released security updates to address this vulnerability, and MDSec has made the exploit code available on GitHub for research purposes.