MSMQ / IIS – Access issues with C:\Windows\System32\msmq after December Update (Windows Server 2019)

Question

MSMQ / IIS – Access issues with C:\Windows\System32\msmq after December Update (Windows Server 2019)

Mario Kriegsmann 70

Description:
Since installing KB5071544 (December 2025 Update), IIS applications (IIS_IUSRS) as well as services running under LocalService / NetworkService can no longer write to the folder C:\Windows\System32\msmq. As a result, MSMQ-based applications fail. Everything worked flawlessly before the update. Rolling back the update immediately resolves the issue.

Analysis: The NTFS security descriptor of the MSMQ folder is modified by the December update.

SDDL comparison:

Unpatched: D:P(...)

Patched: D:PAI(...)

The additional AI flag (Auto-Inherited) indicates that the update is regenerating or altering the DACL. The Windows GUI does not display this difference, but functionally the services lose the access rights they previously had.

Impact:

Applications running under IIS_IUSRS / LocalService / NetworkService can no longer write to MSMQ.

Services must be changed to LocalSystem or given manual NTFS permissions → unacceptable from a security perspective, and it appears that permissions we set manually under C:\Windows\System32\msmq are not persistent and get automatically reverted to defaults.
The issue is reproducible on multiple systems, and similar reports are appearing on Reddit.
See: https://www.reddit.com/r/sysadmin/comments/1phyxbt/comment/ntanh4l/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Request to Microsoft:

Confirmation whether the December update modifies MSMQ ACLs / security descriptors
Clarification whether this behavior is intentional or a bug
A fix or guidance on how to restore the original permissions

Danny Nguyen (WICLOUD CORPORATION) 5,430 Reputation points Microsoft External Staff Moderator

2025-12-12T10:53:22.31+00:00

Hi @Mario Kriegsmann, I have received this report. It might take some time to investigate this problem. I will reach out to you as soon as I can when there's any update. Thank you for posting.

2 answers

Your answer

Danny Nguyen (WICLOUD CORPORATION) 5,430 Reputation points Microsoft External Staff Moderator

2025-12-12T10:53:22.31+00:00

Hi @Mario Kriegsmann, I have received this report. It might take some time to investigate this problem. I will reach out to you as soon as I can when there's any update. Thank you for posting.

Answer 1

Hi there,

Good news - this issue has now been officially acknowledged by Microsoft! You can track it here: https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22h2#message-queuing--msmq--might-fail-with-the-december-2025-windows-security-update

Microsoft has confirmed that the December 2025 security update (KB5071546) introduced changes to the MSMQ security model and NTFS permissions on the C:\Windows\System32\MSMQ\storage folder. MSMQ users now require write access to this folder, which is normally restricted to administrators. This is what's causing the "Insufficient resources to perform operation" errors you're experiencing.

The symptoms match what you're seeing:

MSMQ queues becoming inactive
IIS sites failing with resource errors
Applications unable to write to queues
Message file creation failures
Misleading logs about insufficient disk space/memory

Current Status:

Microsoft is actively investigating this issue.

Temporary Solutions:

Uninstall KB5071546 - Rolling back this security update will temporarily fix the problem while you wait for an official patch
Alternatively, you may need to adjust permissions on the C:\Windows\System32\MSMQ\storage folder, but please consult with your security team before making system-level permission changes

I'll do my best to keep you updated as Microsoft releases more information or a fix for this issue.

EntraID Staff Support 35 Reputation points

2025-12-15T16:05:25.4866667+00:00

Bad news—hopefully just a Microsoft oversight in the words provided on that specific post, but as confirmed with a major system on my side and as reported originally in this post Windows Server 2016 and KB5071543 also causes this problem.

Uninstalled KB5071543 from Windows Server 2016 and then rebooting it fixes the problem as confirmed on my side. The support vendor of the software on that system on my side is aware of the issue and they should be working on a solution or following up with Microsoft to ensure you are aware at that level as well.

I just wanted to point out that that updated Known Issues post doesn't seem to list Windows Server 2016 or KB5071543 from what I saw when I looked it over a few minutes ago—hopefully MS is working on the fix for that OS too seems it's not EOL or support life.

Answer 2

After KB5071543 / KB5071544, we're seeing the following error when sending multicast messages via System.Messaging API from an IIS Web App.

System.Messaging.MessageQueueException: Insufficient resources to perform operation.

On Windows Server 2019, if we rollback KB5071544 things work again.

On Windows Server 2016, if we rollback KB5071543 things work again.

System.Messaging.MessageQueueException: Insufficient resources to perform operation. at System.Messaging.MessageQueue.SendInternal(Object obj, MessageQueueTransaction internalTransaction, MessageQueueTransactionType transactionType) at CompAnalytics.Extension.Msmq.AlertContextExtension.SendAlert(String alertName, String alertTitle, Uri alertLink, String msgBody, IList`1 extensionObjects, String priority) in C:\agent_work\7\s\Product\CompAnalytics.Extension.Msmq\AlertContextExtension.cs:line 95 at CompAnalytics.Extension.Msmq.AlertSender.Execute(IExecutionContext context) in C:\agent_work\7\s\Product\CompAnalytics.Extension.Msmq\AlertSender.cs:line 63 at CompAnalytics.Execution.ExecutionContext.ExecuteModuleOrSurrogate(ModuleExecutor executor, Module module) in C:\agent_work\7\s\Product\CompAnalytics.Execution\ExecutionContext.cs:line 1207 at CompAnalytics.Execution.ExecutionContext.ExecuteOrRestoreModule(ModuleExecutor executor, Module module, Int32 currentRetryCount) in C:\agent_work\7\s\Product\CompAnalytics.Execution\ExecutionContext.cs:line 1185 at CompAnalytics.Execution.ExecutionContext.ExecuteModuleWithRetry(ModuleExecutor executor, Module module) in C:\agent_work\7\s\Product\CompAnalytics.Execution\ExecutionContext.cs:line 1150 at CompAnalytics.Execution.ExecutionContext.ExecuteModule(ModuleExecutor executor, Module module, ExecutionCallback postExecutionCallback) in C:\agent_work\7\s\Product\CompAnalytics.Execution\ExecutionContext.cs:line 992

EntraID Staff Support 35 Reputation points

2025-12-15T16:11:34.4133333+00:00

I'm not seeing MS posted about a fix coming for KB5071543 and WIndows Server 2016 and the permissions also being broke for that OS in the latest Known Issues link that was provided here. I assume this means they ignored your detail and they assume Windows Server 2016 is not impacted, or they have nopt tested that OS thoroughly to confirm themselves. Not sure if another post needs opened, or more comments are needed to get it some attention too. Hopefully they know this already, are working on a fix, and just have not stated it explicitly.

Share via

MSMQ / IIS – Access issues with C:\Windows\System32\msmq after December Update (Windows Server 2019)

2 answers

Your answer