Microsoft's December 2025 cumulative update for Windows 10 (KB5071546) has introduced a critical permissions change that breaks Microsoft Message Queuing (MSMQ) functionality across multiple Windows SKUs, leaving message queues inactive and disrupting IIS-hosted applications that rely on this legacy messaging technology. The update, which was intended to enhance security by modifying NTFS access control lists (ACLs), has instead created widespread compatibility issues affecting enterprise systems still dependent on MSMQ for inter-process communication and message queuing services.

The December 2025 Update Security Change

According to Microsoft's official documentation and technical analysis, KB5071546 includes security hardening measures that modify default permissions on the MSMQ storage directory. The update changes the ACLs on the %SystemRoot%\System32\msmq\storage folder, restricting access that MSMQ services require to function properly. This security-focused change was implemented to prevent potential privilege escalation vulnerabilities but has had the unintended consequence of breaking legitimate MSMQ operations.

Technical analysis reveals that the update modifies the inheritance and explicit permissions on the MSMQ storage directory structure. The MSMQ service, which runs under the NETWORK SERVICE account in most configurations, loses necessary read/write permissions to access message files, journal files, and transactional logs. This prevents the service from processing incoming messages, creating new queues, or maintaining existing queue operations.

Symptoms and Impact on Systems

Administrators have reported multiple symptoms following the installation of KB5071546:

  • MSMQ services start but cannot process messages: The MSMQ service may appear to be running normally in Services Manager, but applications receive errors when attempting to send or receive messages
  • Queue inactivity: Existing message queues show no activity, with messages accumulating but not being processed
  • IIS application failures: Web applications hosted on Internet Information Services (IaaS) that utilize MSMQ for messaging experience complete failure of messaging components
  • Event log errors: System event logs show repeated errors from the MSMQ service with codes indicating access denied or permission issues
  • Application-specific failures: Line-of-business applications that depend on MSMQ for asynchronous communication between components cease to function properly

Search results indicate that the issue affects multiple Windows 10 versions, including Enterprise, Pro, and Education editions. The problem appears most severe in environments where MSMQ is integrated with custom applications or legacy systems that haven't been migrated to newer messaging technologies like Azure Service Bus or RabbitMQ.

Microsoft's Official Response and Workarounds

Microsoft has acknowledged the issue in their support documentation and has provided several workarounds while they develop a permanent fix. The company's primary recommendation involves modifying the ACLs on the MSMQ storage directory to restore necessary permissions.

Manual ACL Fix Procedure

Administrators can implement the following manual fix to restore MSMQ functionality:

  1. Stop the MSMQ service: Open Services Manager (services.msc), locate "Message Queuing," and stop the service
  2. Open Command Prompt as Administrator: Right-click Command Prompt and select "Run as administrator"
  3. Navigate to the MSMQ directory: Enter cd /d %SystemRoot%\System32\msmq
  4. Take ownership of the storage directory: Run takeown /f storage /r /d y
  5. Grant full permissions to NETWORK SERVICE: Execute icacls storage /grant "NETWORK SERVICE":(OI)(CI)F /T
  6. Restart the MSMQ service: Return to Services Manager and start the Message Queuing service

This procedure restores the necessary permissions for the MSMQ service to access its storage files while maintaining reasonable security controls. Microsoft notes that this is a temporary workaround and that a more comprehensive fix will be included in a future update.

Alternative: Rollback the Update

For organizations that cannot immediately implement the ACL fix, Microsoft recommends uninstalling KB5071546:

  1. Open Settings > Update & Security > Windows Update > View update history
  2. Click "Uninstall updates"
  3. Locate KB5071546 in the list of installed updates
  4. Select the update and click "Uninstall"
  5. Restart the computer when prompted

Administrators should then pause updates temporarily to prevent automatic reinstallation of the problematic update while awaiting a fixed version.

Community Experiences and Workarounds

Windows administrators and IT professionals have shared their experiences with the MSMQ-breaking update across various forums and technical communities. The consensus is that while Microsoft's ACL fix works, it requires careful implementation in production environments.

One system administrator reported: "We discovered the issue when our order processing system suddenly stopped handling transactions. The MSMQ service was running, but our monitoring showed zero messages being processed. After applying the ACL fix, we had to restart several dependent services, but functionality was restored within an hour."

Another enterprise IT manager noted: "The rollback option wasn't viable for us due to other security fixes in the same update. We implemented the manual ACL modification across 200+ servers using our configuration management tool. The process worked, but it was an unexpected weekend emergency."

Some community members have developed PowerShell scripts to automate the fix across multiple systems:

# PowerShell script to fix MSMQ permissions after KB5071546
Stop-Service -Name MSMQ -Force
$msmqPath = "$env:SystemRoot\System32\msmq\storage"
takeown /f $msmqPath /r /d y
icacls $msmqPath /grant "NETWORK SERVICE":(OI)(CI)F /T
Start-Service -Name MSMQ

Why MSMQ Still Matters in 2025

Despite being a legacy technology originally introduced with Windows NT 4.0, MSMQ continues to play a critical role in many enterprise environments. Search results indicate several reasons for its persistence:

  • Legacy application dependencies: Many line-of-business applications developed in the early 2000s were built with MSMQ integration and have never been updated
  • Reliable messaging: MSMQ provides guaranteed message delivery, transaction support, and journaling that some organizations still require
  • On-premises requirements: Organizations with strict data residency or air-gapped systems cannot migrate to cloud-based messaging solutions
  • Cost considerations: Migrating from MSMQ to alternative solutions requires significant development and testing resources

Microsoft has maintained MSMQ compatibility through multiple Windows versions despite encouraging migration to newer technologies. The December 2025 update represents one of the most significant breaking changes to MSMQ in recent years.

Security Implications of the Fix

Security professionals have raised concerns about the permission changes recommended in Microsoft's workaround. Granting full control (F) permission to the NETWORK SERVICE account on the MSMQ storage directory could potentially introduce security risks if not properly contained.

Best practices for implementing the fix include:

  • Applying principle of least privilege: Instead of granting full control, some organizations are using more specific permissions like "Modify" or custom permissions that allow only necessary operations
  • Monitoring for unusual activity: Implementing additional monitoring on MSMQ directories to detect potential abuse of the restored permissions
  • Isolating MSMQ servers: Ensuring that systems running MSMQ are properly segmented within network architecture
  • Planning for migration: Using this incident as impetus to begin migrating from MSMQ to supported messaging technologies

Long-Term Solutions and Migration Paths

Microsoft's documentation continues to emphasize that MSMQ is a legacy component and that organizations should plan migration to supported technologies. The company recommends several alternatives:

  • Azure Service Bus: Microsoft's cloud messaging service that offers similar features with enhanced scalability and integration capabilities
  • RabbitMQ: Open-source message broker that can be deployed on-premises or in cloud environments
  • Windows Communication Foundation (WCF) with NetMsmqBinding: For applications already using WCF, this provides a migration path while changing the underlying transport
  • gRPC or REST APIs: For newer applications, modern communication protocols may eliminate the need for message queuing entirely

Migration considerations include:

  • Application compatibility testing: Thorough testing of all applications that interact with MSMQ
  • Data migration: Moving existing messages from MSMQ queues to new systems
  • Training: Ensuring development and operations teams understand the new messaging technologies
  • Phased rollout: Implementing migration in stages to minimize business disruption

Timeline for Permanent Fix

Microsoft has indicated that a permanent fix will be included in a future cumulative update. Based on historical patterns for similar issues, the fix will likely arrive in one of two forms:

  1. Updated security permissions: A revised security model that maintains protection while allowing MSMQ to function
  2. MSMQ component update: An update to the MSMQ component itself that works within the new security constraints

Administrators should monitor Microsoft's official update announcements and apply the permanent fix as soon as it becomes available, then reassess the manual ACL modifications they may have implemented.

Recommendations for Affected Organizations

Based on community experiences and Microsoft's guidance, affected organizations should:

  1. Assess impact: Identify all systems and applications dependent on MSMQ
  2. Implement temporary fix: Apply the ACL modification using controlled change management processes
  3. Test thoroughly: Verify that all MSMQ-dependent functionality is restored
  4. Monitor systems: Watch for any security or performance issues following the permission changes
  5. Plan migration: Begin developing a migration strategy away from MSMQ to supported technologies
  6. Stay informed: Subscribe to Microsoft security advisories for notification of the permanent fix

For organizations with extensive MSMQ dependencies, this incident serves as a reminder of the risks associated with legacy technologies in modern Windows environments. While Microsoft maintains backward compatibility where possible, security updates can sometimes introduce breaking changes that require immediate attention from IT teams.

The December 2025 MSMQ issue highlights the ongoing challenge of balancing security improvements with compatibility for legacy enterprise systems. As Windows continues to evolve, organizations must maintain vigilance about update impacts and have contingency plans for when security measures affect critical business functionality.