Microsoft has confirmed that the December 2025 security updates are causing problems with Message Queuing (MSMQ). Business applications and IIS websites are experiencing malfunctions after installing the patches.
The known issue affects Windows 10 22H2, Windows Server 2019, and Windows Server 2016 systems on which updates KB5071546, KB5071544, and KB5071543 have been installed. These patches were released during this month’s Patch Tuesday.
Users are reporting various symptoms: MSMQ queues remain inactive, IIS sites fail with “insufficient resources” messages, and applications can no longer write messages to queues. Some systems display misleading error messages about insufficient disk space or memory, even though sufficient resources are available.
Security model modified
According to Microsoft, the cause lies in changes to the MSMQ security model. The updates have modified the permissions on the system folder C:\Windows\System32\msmq\storage. MSMQ users now need write access to this folder, which is normally restricted to administrators.
Attempts to send messages via MSMQ APIs may now fail with resource error messages. Clustered MSMQ environments under load are also experiencing problems.
Systems where users are logged in with full admin rights do not experience the problem. However, for many enterprise environments, this is not a workable solution due to security best practices.
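To check whether a host matches the conditions described above, the following PowerShell function (an added example, not Microsoft's tooling or guidance) reports which of the three updates are installed and which identities hold an explicit Allow entry with write rights on the MSMQ storage folder. The function name and the account `CONTOSO\svc-orders` are assumptions; substitute the identity your application or IIS application pool runs as.

```powershell
# Added example. KB ids and the folder path are taken from the article;
# the function name and the default $Identity are hypothetical placeholders.
function Get-MsmqStorageExposure {
    param(
        [string]$Identity    = 'CONTOSO\svc-orders',
        [string]$StoragePath = (Join-Path $env:windir 'System32\msmq\storage')
    )

    # Which of the affected December 2025 updates does this host report?
    $kbs = 'KB5071546', 'KB5071544', 'KB5071543'
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # MSMQ is an optional component, so the folder may not exist at all.
    if (-not (Test-Path -LiteralPath $StoragePath)) {
        return [pscustomobject]@{
            AffectedKBs              = $installed
            StoragePath              = $StoragePath
            FolderPresent            = $false
            Writers                  = @()
            IdentityHasExplicitWrite = $null
        }
    }

    # Collect identities with an Allow rule that covers the full Write right.
    # Limitation: group membership, Deny rules and raw generic-rights entries
    # are not resolved, so treat the result as a first-pass audit.
    $write   = [System.Security.AccessControl.FileSystemRights]::Write
    $rules   = (Get-Acl -LiteralPath $StoragePath).Access
    $writers = @($rules |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $write) -eq $write } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)

    [pscustomobject]@{
        AffectedKBs              = $installed
        StoragePath              = $StoragePath
        FolderPresent            = $true
        Writers                  = $writers
        IdentityHasExplicitWrite = ($writers -contains $Identity)
    }
}

# Run from an elevated prompt so the folder ACL is readable.
Get-MsmqStorageExposure | Format-List
```

A host that lists one of the KBs, has the folder present, and shows `IdentityHasExplicitWrite : False` for the sending account fits the failure pattern the article describes.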
MSMQ crucial in enterprise
The MSMQ service is available as an optional component on all Windows operating systems. Nevertheless, it is frequently used in corporate environments for network communication between applications. The service provides asynchronous messaging, which is essential for many line-of-business applications and IIS-based web applications.
Microsoft is investigating the issue but has not yet provided a timeline for a solution. It is also unclear whether the company will release an emergency update or wait until the next Patch Tuesday. Administrators facing the issue may consider rolling back the updates. However, this comes with its own security risks.
In April 2023, Microsoft warned IT administrators about a critical vulnerability in MSMQ (CVE-2023-21554) that exposed hundreds of systems to remote code execution attacks. The balance between security and functionality remains a challenge.