Microsoft has confirmed three distinct issues tied to the August 12, 2025 cumulative security update for Windows 11 version 24H2 (KB5063878). They affect enterprise update channels and produce noisy, though largely nonfunctional, error logs on some devices. Microsoft has issued rollbacks, workarounds, and a targeted fix rollout, and says most home users are unlikely to be affected.
Background
Windows 11 version 24H2 received its August 12, 2025 cumulative security and quality rollup as OS Build 26100.4946 (KB5063878), which included an updated servicing stack (SSU KB5065381). The update was published as part of Patch Tuesday and intended to deliver security patches alongside quality improvements carried forward from July's packages. Within days, three issues were reported and subsequently acknowledged by Microsoft:
- Installation failures via Windows Server Update Services (WSUS) producing error code 0x80240069.
- Installation failures when using the Windows Update Standalone Installer (WUSA) or double-clicking .msu files from a network share containing multiple .msu files, resulting in ERROR_BAD_PATHNAME and transient Update History inconsistencies.
- Repeated CertificateServicesClient (CertEnroll) error events (Event ID 57) logged to Event Viewer referencing the Microsoft Pluton Cryptographic Provider, which Microsoft describes as cosmetic and non-impactful.
Overview: What Microsoft confirmed
1. KB5063878 failing via WSUS with 0x80240069
Microsoft acknowledged that the August 12 cumulative update might fail to install with error code 0x80240069 when installed via WSUS. The problem manifested as download/install failures and Windows Update service crashes on affected clients, with Event Log entries showing messages like “Service wuauserv has unexpectedly stopped” and the Windows Update service terminating unexpectedly.
- Scope: Primarily enterprise and business environments using WSUS or System Center Configuration Manager (SCCM), since these depend on WSUS for internal update distribution.
- Home users: Unlikely to be affected, as client devices that receive updates directly from Microsoft’s Update servers do not rely on WSUS infrastructure.
- Microsoft response: An immediate mitigation was issued via Known Issue Rollback and, in many cases, the problem was marked resolved after a targeted re-release and WSUS synchronization steps.
2. WUSA/.msu installations failing with ERROR_BAD_PATHNAME
A second issue arose when administrators deployed the KB via WUSA or by double-clicking a .msu file from a network share that contained multiple .msu files. On affected devices, WUSA operations could fail with ERROR_BAD_PATHNAME, and Update History in Settings might continue to show a pending restart even after the OS was rebooted.
- Trigger conditions: Installing an .msu from a network share with multiple .msu files present (the bug did not occur if only one .msu file was in the share or if the file was stored locally).
- Symptom: Installation failure with ERROR_BAD_PATHNAME and a temporary mismatch on the Update History page.
- Microsoft response: The behavior was addressed with Known Issue Rollback for most unmanaged devices; guidance and a KIR Group Policy were provided for managed environments. Microsoft also advised a simple workaround: copy the .msu to local storage and install it from the local path, and wait at least 15 minutes post-restart for Update History to reflect the completed install.
3. CertificateServicesClient (CertEnroll) Event Viewer errors
After installation of the July preview updates and the August security cumulative, a repeating Event ID 57 message from the CertificateServicesClient—CertEnroll—appeared in some systems. The message reads along the lines of “The ‘Microsoft Pluton Cryptographic Provider’ provider was not loaded because initialization failed.”
- Impact: Microsoft classifies these entries as cosmetic / non-functional logging artifacts. The company says there is no impact to certificate processing or active Windows components as a result of these events.
- Operational effect: The primary harm is log noise—repeated error-level entries increase the risk of masking real issues and create administrative overhead for administrators who collect and review logs centrally.
- Microsoft guidance: The event can be safely ignored; a fix is planned for a future update.
Timeline and technical context
- August 12, 2025: Microsoft published the combined LCU and SSU for Windows 11 24H2 as KB5063878 (OS Build 26100.4946). The package included servicing stack improvements (SSU KB5065381).
- August 13–14, 2025: Widespread reports surfaced from administrators and telemetry showing WSUS/SCCM install failures and WUSA errors. Microsoft acknowledged the WSUS issue in its Release Health notifications and provided KIR mitigations to enterprise customers.
- August 14, 2025: Microsoft marked the WSUS install problem as resolved and advised admins to re-sync WSUS catalogs and refresh clients. For the WUSA/.msu issue, Microsoft rolled out KIR and published a Group Policy package for admins to deploy where necessary. The CertEnroll log issue was described as a known cosmetic artifact with a future fix planned.
Why this matters: scope, risk and operational impact
Enterprise vs Home environments
- Enterprise impact is real and immediate. Organizations reliant on WSUS or SCCM to control update deployment experienced failed installs, service crashes, and central reporting showing widespread failures—events that can delay deployment of critical security fixes across fleets.
- Home users are largely unaffected. Typical consumer devices that use Windows Update directly to fetch patches from Microsoft did not see the WSUS-specific failures. Home users may see the CertEnroll Event ID 57 log entry if they installed the preview or cumulative, but Microsoft considers that cosmetic.
Operational risks
- Delayed or failed deployment of security updates to managed fleets increases exposure time for critical vulnerabilities.
- Noisy error logs from CertEnroll can complicate incident response and monitoring. When repeated error-level events proliferate, alerting systems and human triage become less reliable.
- Workarounds that involve registry edits or manual Group Policy deployment introduce change-management risk if not vetted in test rings.
What Microsoft and admins did (and should do): fixes, rollbacks, and workarounds
Microsoft employed a layered mitigation approach to minimize disruption and allow administrators to remediate quickly. Key actions and recommended steps are:
- Known Issue Rollback (KIR): Microsoft delivered targeted KIR packages that can be pushed via Group Policy to affected managed devices. Admins should evaluate and deploy the Group Policy packages published for the KB in question to expedite remediation on managed networks.
  - KIR Group Policy items are exposed under Computer Configuration → Administrative Templates → the relevant Windows 11 24H2 KB entry (e.g., the KB5063878 KIR and the KB5062660 KIR items).
  - For enterprises that deployed the temporary KIR Group Policy earlier, Microsoft indicated those settings would no longer be necessary after the update-level fix was fully applied.
- WSUS re-sync and re-release: Microsoft re-released the update or corrected server-side delivery and advised administrators to refresh and re-synchronize WSUS catalogs so clients can retrieve the corrected package. After re-synchronization, failed clients generally succeeded or were remediated by the KIR rollout.
- WUSA / .msu workaround:
  - Save .msu files locally on the target device and install from local storage.
  - If Update History still reports a pending restart following a WUSA install, wait at least 15 minutes after reboot for the Settings app to refresh and reflect the true install state.
  - For managed devices, deploy Microsoft’s KIR Group Policy package to force the rollback behavior until a permanent fix ships.
- Monitoring and telemetry:
  - Review Windows Update and Software Center logs for HRESULT/0x80240069 and WUAHandler fault lines (e.g., svchost.exe_wuauserv faults, ntdll module exceptions).
  - Track Event Viewer Application logs for repeated CertEnroll Event ID 57 entries to understand if they are the known cosmetic artifact or part of a larger certificate-handling issue requiring deeper triage.
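A per-client scope check for the WSUS failure described above, written for this article as an added example (it is not Microsoft tooling). It reads the standard WSUS policy values, searches the Windows Update client log and the Configuration Manager client's default WUAHandler.log location for 0x80240069, and counts Service Control Manager termination events; the function name and the message patterns are assumptions.

```powershell
# Added example: is this client WSUS-managed, and does it show the 0x80240069 failure?
# Run elevated on the client. Function name and match patterns are illustrative.
function Get-Kb5063878Scope {
    param([datetime]$Since = [datetime]'2025-08-12')

    # WSUS assignment is delivered through these policy values.
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wsusUrl = (Get-ItemProperty -Path $policy -Name WUServer -ErrorAction SilentlyContinue).WUServer
    $useWsus = (Get-ItemProperty -Path "$policy\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    # Windows Update client events whose text carries the failure code.
    $wuHits = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
            StartTime = $Since
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match '0x80240069' })

    # Unexpected service terminations are logged by Service Control Manager as 7031/7034.
    # Assumption: the message names the service as "Windows Update" or "wuauserv".
    $crashes = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Id           = 7031, 7034
            StartTime    = $Since
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Windows Update|wuauserv' })

    # Default ConfigMgr client log location; absent on devices without the client.
    $ccmLog  = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
    $ccmHits = if (Test-Path -LiteralPath $ccmLog) {
        @(Select-String -LiteralPath $ccmLog -Pattern '0x80240069' -SimpleMatch).Count
    } else { 0 }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        WsusManaged       = ($useWsus -eq 1 -and [bool]$wsusUrl)
        WsusServer        = $wsusUrl
        KbInstalled       = [bool](Get-HotFix -Id 'KB5063878' -ErrorAction SilentlyContinue)
        WuLogHits         = $wuHits.Count
        WuaHandlerLogHits = $ccmHits
        WuauservCrashes   = $crashes.Count
    }
}

Get-Kb5063878Scope
```

A client that reports `WsusManaged = True`, `KbInstalled = False` and non-zero hit counts is a candidate for the WSUS re-sync or KIR remediation; it does not detect the separate WUSA ERROR_BAD_PATHNAME case.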
Technical analysis: probable causes and deeper implications
The three issues observed point to a pattern that frequently occurs in large, componentized operating systems:
- Feature gates and partial code paths — The CertEnroll event appears tied to an incomplete or behind-the-scenes feature integration related to the Pluton cryptographic provider where initialization checks are present in released binaries but the runtime conditions required for full initialization are not met. Such partial implementations produce harmless but noisy error logs.
- Update delivery plumbing fragility — The WSUS 0x80240069 and the WUSA ERROR_BAD_PATHNAME indicate fragile assumptions in update delivery code paths when content is delivered from local on-premise servers (WSUS/SCCM) or when installers execute from network shares containing multiple payloads. Differences between Microsoft Update delivery and on-prem delivery can expose latent bugs in servicing logic.
- Interaction between SSUs and LCUs — The August release bundled an SSU with the LCU. SSUs change the servicing stack used to install future updates and can inadvertently surface compatibility issues in enterprise deployment tooling. When SSU and LCU interact with WSUS/SCCM processes, edge cases can trigger service crashes or path misresolution in WUSA.
- Organizations should treat on-prem update infrastructures as a first-class critical service subject to the same testing and rollback discipline applied to production applications.
- Noisy log artifacts, even when harmless, reduce signal-to-noise ratio for security and operational monitoring and therefore represent a substantive operational risk.
Recommended actions for IT admins
- Validate scope before broad remediation
  - Identify clients showing 0x80240069, ERROR_BAD_PATHNAME, or CertEnroll Event ID 57.
  - Confirm whether affected devices obtain updates via WSUS/SCCM or directly from Windows Update.
- Apply immediate mitigations
  - Re-sync WSUS catalogs and confirm the updated package is available.
  - Deploy the KIR Group Policy package Microsoft provided for KB5063878 and/or the KB5062660 KIR where applicable.
  - For WUSA/.msu installs, copy .msu files locally and install from the local path; verify Update History after at least 15 minutes post-reboot.
- Use a staged rollout
  - Apply KIR and other mitigations to a limited test ring first, validate behavior, then push to broader production rings.
  - Keep change windows and back-out plans documented before deploying registry or Group Policy changes.
- Preserve auditability
  - Do not globally suppress CertEnroll or other security-related logs; instead, filter and tag the known cosmetic events so they can be distinguished from genuine failures.
  - Update detection rules in SIEM to avoid alert fatigue while preserving the ability to detect correlated or new certificate errors.
- Communicate with stakeholders
  - Inform security, compliance, and operations teams about the cosmetic event and the remediation timeline so auditors and SOC analysts understand the distinction between log noise and operational faults.
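One way to tag the known cosmetic event without suppressing other CertEnroll errors, as recommended under "Preserve auditability". This is an added example, not code from Microsoft or the source article; the function name, tag values and the message regex (built from the wording quoted earlier on this page) are assumptions, and the sample events are constructed.

```powershell
# Added example: tag, do not drop. Only the exact known pattern is marked cosmetic.
$CertEnrollProvider = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
# Assumption: regex derived from the message wording quoted in this article.
$KnownNoise = 'Microsoft Pluton Cryptographic Provider.+was not loaded because initialization failed'

function Add-CertEnrollTriageTag {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # Provider, event ID and message must all match; any other event stays actionable.
        $known = ($Record.ProviderName -eq $CertEnrollProvider) -and
                 ($Record.Id -eq 57) -and
                 ($Record.Message -match $KnownNoise)
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Id          = $Record.Id
            Tag         = if ($known) { 'known-cosmetic' } else { 'needs-triage' }
            Message     = $Record.Message
        }
    }
}

# Constructed sample events (not real log data): the known artifact, the same
# event ID for a different provider name, and a different CertEnroll event ID.
$t = Get-Date '2025-08-14T09:00:00'
$samples = @(
    [pscustomobject]@{ TimeCreated = $t; ProviderName = $CertEnrollProvider; Id = 57
        Message = "The 'Microsoft Pluton Cryptographic Provider' provider was not loaded because initialization failed." }
    [pscustomobject]@{ TimeCreated = $t; ProviderName = $CertEnrollProvider; Id = 57
        Message = "The 'Example Smart Card Provider' provider was not loaded because initialization failed." }
    [pscustomobject]@{ TimeCreated = $t; ProviderName = $CertEnrollProvider; Id = 13
        Message = 'Constructed: certificate enrollment request failed.' }
)
$samples | Add-CertEnrollTriageTag | Format-Table Id, Tag, Message -AutoSize

# Live use on a client (Level 2 = Error):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $CertEnrollProvider; Level = 2 } |
#     Add-CertEnrollTriageTag | Group-Object Tag | Select-Object Name, Count
```

Only the first sample is tagged `known-cosmetic`; the other two remain `needs-triage`, which is the behaviour a SIEM rule should preserve when it de-prioritises this event.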
Advice for home users and power users
- Consumers and unmanaged home devices are unlikely to experience the WSUS 0x80240069 failure.
- If a home device shows WUSA install failure or Update History stuck after a reboot, copy the .msu locally and reinstall, or simply allow Windows Update to install the cumulative automatically; the issue is transient and has been mitigated for most unmanaged devices.
- Expect a cosmetic Event Viewer entry referencing CertEnroll on some devices; Microsoft’s guidance indicates it is non-functional and safe to ignore.
What to watch next
- Microsoft’s patch cadence: watch for a follow-up cumulative or out-of-band release that explicitly lists the CertEnroll logging fix and any servicing stack adjustments.
- WSUS/SCCM telemetry: verify that re-synchronization clears the backlog of failed installs and that future monthly rollups do not reintroduce the 0x80240069 failure.
- Log hygiene changes: expect updated guidance from Microsoft and community tooling authors on filtering the CertEnroll Event ID 57 without masking real certificate errors.
Strengths and weaknesses of Microsoft’s response
Strengths
- Rapid triage and public acknowledgement: Microsoft moved quickly to label the problems as known and to communicate mitigation options for administrators.
- Use of Known Issue Rollback (KIR): KIR provides a surgical, low-risk method for reversing problematic behavior at scale without requiring a full uninstall of cumulative packages.
- Clear remediation paths for managed and unmanaged environments: Microsoft published practical, low-friction workarounds (WSUS re-sync, local .msu install) that allowed organizations to restore update flow quickly.
Weaknesses and risks
- Communication nuance: Microsoft’s main KB article for KB5063878 initially did not list these problems under “Known issues” in the LCU's static support page, requiring administrators to monitor the Release Health dashboard and community reports. That gap can slow enterprise response.
- Log noise vs. trust: Repeated advice to “ignore” security-related error logs risks training operators to overlook warnings. Cosmetic or not, error-level entries that reference cryptographic providers cause alarm in security-conscious environments.
- Dependence on KIR and Group Policy rollouts: While effective, KIR distribution and Group Policy deployment require administrative effort and testing. Organizations with limited admin resources might face delays and inconsistent remediation across fleets.
Final assessment and practical takeaways
The August 12, 2025 KB5063878 release illustrates the persistent complexity of modern OS servicing. Microsoft addressed a set of moderately disruptive issues—primarily affecting enterprise update automation and administrative log hygiene—using the known tools for targeted rollbacks and server-side fixes. For most home users, impact is minimal; for enterprises, the event serves as a reminder that update pipelines (WSUS, SCCM, WUSA) are critical infrastructure and must be tested, monitored, and treated with an appropriate change-control posture.
Practical checklist:
- Re-sync WSUS and confirm the corrected KB package is available.
- Deploy Microsoft’s KIR Group Policy as needed, after testing in a pilot group.
- For WUSA installs from network shares, copy .msu files locally before installation.
- Tag and filter CertEnroll Event ID 57 in central logging so it does not drown out genuine alerts.
- Maintain staged update rings and test next monthly rollup in a representative environment before broad deployment.
The update cycle for Patch Tuesday will continue to be the primary channel for cumulative fixes; administrators should monitor release notes and the Windows release health dashboard closely for follow-up fixes and any further guidance from Microsoft.
Source: thewincentral.com Microsoft confirms 3 Windows 11 issues post KB5063878 update - WinCentral