Microsoft has acknowledged ongoing issues stemming from the December 2025 security updates, particularly affecting Message Queuing (MSMQ) functionality. Businesses relying on various applications and IIS websites have reported significant malfunctions following the installation of these patches.
The complications are specifically linked to Windows 10 22H2, Windows Server 2019, and Windows Server 2016 systems that have received updates KB5071546, KB5071544, and KB5071543, released during this month’s Patch Tuesday. Users have encountered a range of symptoms, including:
- Inactive MSMQ queues
- IIS sites displaying “insufficient resources” error messages
- Applications unable to write messages to queues
Some systems have even presented misleading error notifications regarding insufficient disk space or memory, despite having adequate resources available.
Security model modified
Microsoft attributes these issues to modifications in the MSMQ security model. The recent updates have altered permissions for the system folder C:WindowsSystem32msmqstorage, now requiring MSMQ users to have write access to this folder, a privilege typically reserved for administrators.
As a result, attempts to send messages through MSMQ APIs may yield resource error messages, particularly in clustered MSMQ environments under load. Interestingly, systems where users hold full administrative rights do not exhibit these problems. However, this workaround is impractical for many enterprise settings that adhere to stringent security protocols.
MSMQ crucial in enterprise
Although the MSMQ service is an optional component across all Windows operating systems, it plays a vital role in corporate environments, facilitating network communication between applications. Its asynchronous messaging capabilities are indispensable for numerous line-of-business applications and IIS-based web services.
Currently, Microsoft is investigating the matter but has yet to provide a timeline for a resolution. It remains uncertain whether the company will issue an emergency update or defer any fixes until the next Patch Tuesday. Administrators grappling with these issues may contemplate rolling back the updates, though this decision carries its own set of security implications.
In April 2023, Microsoft had previously alerted IT administrators to a critical vulnerability in MSMQ (CVE-2023-21554), which posed a risk of remote code execution attacks on numerous systems. This ongoing dilemma highlights the delicate balance between maintaining security and ensuring functionality within enterprise environments.
