KPE (New Member, joined Jul 29, 2025, 1 message)
We are in the process of upgrading endpoints in our environment to Windows 11. We have over 150 to do, with around 40 complete so far. Of the 40 we’ve done to date, we’ve had the following issue with 4 of them.

MPSSVC (Windows Defender Firewall Service) is ‘Running’ as intended before running the upgrade (upgrade being run via Windows 11 Upgrade Assistant). Post-reboot following a successful upgrade the MPSSVC is stuck in a ‘Stopping’ state and can’t be interacted with via elevated services.msc / CMD / PowerShell or PsExec.

The symptoms are no contact with Intune, issues with AzureAD sync, MS store installs unable to complete, some MS Apps no longer working (SnippingTool, Photos). Windows Updates fail after installation stage, pre-boot error “Something didn’t go as intended — Not to worry, we’re undoing changes”. Most updates seem to go fine, the one causing the issue SEEMS to be KB5062553.

The workaround is mounting the W11 24H2 ISO, running setup.exe and running a repair to restore system files and keys. After this repair the MPSSVC runs as intended, Intune contact is restored, Azure / work account issues disappear, and MS Store apps install and work as expected. However, despite having auto-updates disabled via GPOs (working for all other devices except newly upgraded ones) and a third-party patching application installed that applies local GPs preventing manual or automatic updates, rebooting the device following the repair pushes the KB5062553 update again, causing the issues to recur upon reboot.

Have attempted stopping Windows Update authority service, background intelligent transfer service and clearing the update cache. Have attempted clean manager to clear Windows Update. Have tried disabling scheduled tasks that run scans and trigger updates.

Is anyone else experiencing this heart ache?

Thank you for the detailed breakdown—this is a textbook “death spiral” for Defender Firewall post-upgrade with KB5062553 and Windows 11 24H2. You’re not alone; similar patterns have emerged in the enterprise sphere, though it’s not universal across all endpoints.
Let’s break down what’s happening and go deeper on solutions and root causes.

What’s Going On?

  • MPSSVC (Microsoft Protection Service for Firewall) gets stuck “Stopping” after upgrade + cumulative update KB5062553.
  • Symptoms point to system services (defender/firewall/updates/apps) cascading failures—very likely from a corrupted service stack or registry/permission/driver issue introduced in the upgrade process and then triggered/exacerbated by the update.
  • Your workaround (in-place repair with setup.exe from ISO) essentially re-writes/repairs the component store and registry keys, which temporarily resolves it until the update re-applies.
  • GPO and 3rd-party patch blocking are ignored on these machines, which hints at deeper policy/config/permission corruption during or after upgrade.

Why Might It Happen?

  1. Upgrade Path Corruption: Windows 11 upgrades (especially via Upgrade Assistant, not standard feature update rollout) can choke on legacy drivers, orphaned policies, or inconsistent registry states. The Firewall/Defender core services are particularly sensitive.
  2. Component Store or Permission Rot: If permissions on certain services, registry, or SxS components are broken, the update can fail to rewrite/update them, causing services to fail on restart.
  3. KB5062553 Is Potentially Toxic: This update is new and is known to touch Defender/Firewall internals, possibly exposing or introducing bugs.
  4. Policies Applied Pre- or Post-upgrade: Sometimes policies “stick” incorrectly after an upgrade, especially if blocked third-party tools interact with Windows Update or Defender settings at a low level.

Next Steps and Recommendations

Immediate Remediation

  • If you must keep devices functional, consider pausing further upgrades until this is rooted out—especially since it’s a 10% hit rate so far.
  • Try a component cleanup on one broken device before running repair install:
    1. Boot into Safe Mode and run:
      Code:
      dism /online /cleanup-image /restorehealth
      sfc /scannow
    2. Check and reset the state/permissions for MPSSVC:
      Code:
      sc config mpssvc start= auto
      sc sdset mpssvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;AU)
    3. Clear Windows Update cache again:
      Code:
      net stop wuauserv
      net stop bits
      del /f /s /q %windir%\SoftwareDistribution\*
      net start wuauserv
      net start bits
    4. After that, attempt the update and reboot.
  • If not, stick with your repair install and try to block that specific KB until Microsoft issues a fix:
    • Hide KB5062553 using Windows Update Show/Hide tool (wushowhide.diagcab), or script hiding it on affected endpoints.

Preventing Recurrence

  • Make absolutely sure any legacy Defender/Firewall GPOs and 3rd-party update blockers are NOT left over in the C:\Windows\System32\GroupPolicy\ folders or as scheduled tasks/services—these can block correct update application or rollbacks, even if GPO processing appears correct.
  • Consider switching to an LCU deployment method that’s less “blunt” than Upgrade Assistant, if possible. Use Feature Update deployment via Intune/WSUS/SCCM or simple ISO upgrade.
  • Create a testbed, upgrade in stages, and gather C:\Windows\Logs\CBS\CBS.log and C:\WINDOWS\WindowsUpdate.log from affected endpoints, as well as from working ones. Look for access denied, permission errors, or service registry/permission errors.

Community/Other Reports

  • There’s chatter in sysadmin and Windows forums, but Microsoft’s public documentation hasn’t yet admitted to a “known issue.” You may want to formally raise a case through your support channel—if you haven’t, your evidence, logs, and steps-to-repro are excellent.

Final Thoughts

  • For now, pause the rollout, use the repair install workaround, and block KB5062553 where needed.
  • Keep a careful set of logs. If more machines fail, escalate with MS support—this may help unearth a hotfix or a March/April 2025 Cumulative that fixes it.
If you post log snippets here (CBS.log or WindowsUpdate.log after the failed state), I’m happy to analyze and look deeper for any low-level causes or registry/service snafus!
Let me know if you’d like a full deployment script or detection/remediation automation for use across endpoints.
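The detection, log-collection and KB-hiding steps discussed in the reply above, pulled together into one PowerShell script as an added example (this is not code from the thread or from either poster). It assumes it runs elevated on the endpoint; the KB number is the one named in the thread, while the log folder, the exit codes and the function names are assumptions chosen for this example. Instead of the wushowhide tool it hides the update through the Windows Update Agent COM API (Microsoft.Update.Session), and it collects the update log with Get-WindowsUpdateLog because on Windows 10/11 the file C:\Windows\WindowsUpdate.log is only a stub and the real log has to be rebuilt from the ETW traces.

```powershell
# Added example, not part of the original thread. Run elevated on the endpoint.
# Detects the "Stop Pending" state of the firewall service, collects triage logs,
# and optionally hides the cumulative update named in the thread.
[CmdletBinding()]
param(
    [string]$KB = '5062553',                            # KB from the thread, without the 'KB' prefix
    [string]$LogDir = "$env:ProgramData\MpssvcTriage",  # assumed collection folder
    [switch]$HideUpdate                                 # opt-in: hide the KB via the WUA COM API
)

function Get-MpssvcState {
    # Win32_Service exposes the transitional state as a plain string ('Stop Pending'),
    # which is the condition the thread describes as "stuck in Stopping".
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'"
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State        # Running, Stopped, Stop Pending, ...
        StartMode = $svc.StartMode
        ProcessId = $svc.ProcessId
    }
}

function Test-KbInstalled([string]$KbNumber) {
    # Get-HotFix reads the same data as the Installed Updates list in Settings.
    [bool](Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue)
}

function Hide-KbViaWua([string]$KbNumber) {
    # Windows Update Agent COM API: IUpdate.IsHidden is writable when elevated.
    # Returns the number of pending updates that were hidden.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
    $hidden = 0
    foreach ($u in $result.Updates) {
        if ($u.KBArticleIDs -contains $KbNumber) {
            $u.IsHidden = $true
            $hidden++
        }
    }
    return $hidden
}

function Save-TriageLogs([string]$Destination) {
    # Collects the two logs the reply asks for plus a snapshot of service state and hotfixes.
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item "$env:windir\Logs\CBS\CBS.log" -Destination $Destination -ErrorAction SilentlyContinue
    # WindowsUpdate.log on Windows 10/11 is a stub; rebuild the real log from ETW traces.
    Get-WindowsUpdateLog -LogPath (Join-Path $Destination 'WindowsUpdate.log') | Out-Null
    Get-MpssvcState | Export-Clixml (Join-Path $Destination 'mpssvc-state.xml')
    Get-HotFix | Sort-Object InstalledOn |
        Export-Csv (Join-Path $Destination 'hotfixes.csv') -NoTypeInformation
}

# --- main ---
$state     = Get-MpssvcState
$kbPresent = Test-KbInstalled $KB
Write-Output ("MpsSvc state: {0} (start={1}); KB{2} installed: {3}" -f `
    $state.State, $state.StartMode, $KB, $kbPresent)

if ($state.State -eq 'Stop Pending') {
    Save-TriageLogs $LogDir
    Write-Output "Service is stuck in Stop Pending; logs collected to $LogDir"
    if ($HideUpdate) {
        $n = Hide-KbViaWua $KB
        Write-Output "Hidden $n pending update(s) matching KB$KB"
    }
    exit 1   # non-zero so a detection rule (e.g. Intune remediation) flags the device; assumed convention
}
exit 0
```

Run it once without `-HideUpdate` to get an inventory of affected machines and their logs; hiding the update is kept opt-in because hiding a cumulative update also holds back the security fixes bundled with it, so it belongs in the same change record as the repair-install workaround.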
