Update, December 19: Microsoft has released an out-of-band (OOB) update to address the Message Queuing errors outlined below. This update, designated as KB5074976, is exclusively available through the Update Catalog.
Original article, December 15:
Microsoft has acknowledged that the security updates rolled out in December 2025 are leading to complications with Message Queuing (MSMQ). Business applications and IIS websites are encountering operational disruptions following the installation of these patches.
The issue is particularly prevalent among systems running Windows 10 22H2, Windows Server 2019, and Windows Server 2016, which have received updates KB5071546, KB5071544, and KB5071543 during this month’s Patch Tuesday.
Users have reported a range of symptoms, including:
- Inactive MSMQ queues
- IIS sites generating “insufficient resources” error messages
- Applications unable to write messages to queues
Some systems are even displaying misleading notifications about inadequate disk space or memory, despite having ample resources available.
Security model modified
Microsoft attributes these issues to modifications in the MSMQ security model. The recent updates have altered the permissions associated with the system folder C:\Windows\System32\msmq\storage. As a result, MSMQ users now require write access to this folder, a privilege typically reserved for administrators.
Consequently, attempts to send messages via MSMQ APIs may fail, generating resource-related error messages. Additionally, clustered MSMQ environments under heavy load are facing similar challenges.
Interestingly, systems where users possess full administrative rights do not exhibit these problems. However, this workaround is often impractical for many enterprise settings due to established security protocols.
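A read-only check an administrator could run from an elevated PowerShell session to see whether a host matches the conditions described above. This is an added example, not Microsoft's tooling: the KB numbers and folder path are the ones named in this article, and the function names are hypothetical.

```powershell
# Added example: read-only audit for the MSMQ regression described in this article.
# KB numbers and the storage path are the ones the article names; function names are hypothetical.
$AffectedKBs = 'KB5071546', 'KB5071544', 'KB5071543'
$FixKB       = 'KB5074976'
$StoragePath = Join-Path $env:windir 'System32\msmq\storage'

function Get-MsmqPatchState {
    # Get-HotFix reports what Win32_QuickFixEngineering lists; treat "absent" as "not listed".
    $installed = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)
    [pscustomobject]@{
        AffectedInstalled = @($AffectedKBs | Where-Object { $installed -contains $_ })
        FixInstalled      = $installed -contains $FixKB
    }
}

function Get-MsmqStorageWriters {
    param([string]$Path = $StoragePath)
    # WriteData (0x2) is contained in Write, Modify and FullControl; the two high bits
    # are GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) on raw ACEs.
    $writeBits = 0x50000002
    (Get-Acl -LiteralPath $Path -ErrorAction Stop).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $writeBits) } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

if (-not (Get-Service -Name MSMQ -ErrorAction SilentlyContinue)) {
    Write-Output 'MSMQ service is not installed; this host is not affected.'
    return
}

$state = Get-MsmqPatchState
if ($state.AffectedInstalled.Count -gt 0 -and -not $state.FixInstalled) {
    Write-Output ("Affected update(s) present without {0}: {1}" -f $FixKB, ($state.AffectedInstalled -join ', '))
} else {
    Write-Output 'No affected update without the fix was found by Get-HotFix.'
}

# Compare this list with the accounts your queue-writing apps and IIS app pools run as.
Write-Output "Identities with write access to ${StoragePath}:"
Get-MsmqStorageWriters | Format-Table -AutoSize
```

The script changes nothing on the host; it only reports patch state and the current ACL so the result can be recorded before and after installing the out-of-band update.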
MSMQ crucial in enterprise
The MSMQ service, while optional on all Windows operating systems, plays a vital role in corporate environments, facilitating network communication between applications. Its asynchronous messaging capabilities are essential for numerous line-of-business applications and IIS-based web services.
Microsoft is currently investigating the matter but has yet to provide a timeline for a resolution. It remains uncertain whether the company will issue an emergency update or defer until the next scheduled Patch Tuesday. Administrators grappling with these issues might contemplate rolling back the updates, although such action carries its own security implications.
In April 2023, Microsoft alerted IT administrators to a critical vulnerability in MSMQ (CVE-2023-21554), which posed risks of remote code execution attacks for numerous systems. The ongoing challenge of balancing security with functionality continues to be a pressing concern for organizations.