Microsoft is again telling Windows 11 users to “ignore” a worrying-looking Event Viewer message after another round of updates and rollback confusion left Event ID 2042 entries populating security logs — a problem traced to an under-development firewall feature rather than a malfunctioning protection stack.
		
		
	
	
In late June 2025 Microsoft shipped an optional preview update for Windows 11 24H2 — KB5060829 — that introduced a surprising side effect: many machines began logging a recurring Event Viewer entry from Windows Firewall with Advanced Security. The event appears as Event ID 2042 with the short description “Config Read Failed” and the message “More data is available.” That entry is logged on every restart and looked, to many users, like a classic firewall failure. 
Microsoft’s initial diagnosis — posted to the Windows Release Health / support channels — was blunt and unusual for security-related output: the event is a logging artifact tied to a feature still under development, and it does not indicate a failure of Windows Firewall. Microsoft advised that no action is required and the entry can be safely ignored. That guidance, however, set off a chain of reactions in the community and among IT admins who rely on clean logs for monitoring and compliance. (learn.microsoft.com, borncity.com)
Where available, the public troubleshooting guidance and suitable KB entries were verified against Microsoft’s support pages and published cumulative update notes. For claims about the fix being rolled into a specific KB, the Microsoft support pages for KB5062553 and KB5062660 explicitly mention Event 2042 and the subsequent fixes; third-party reporting (BleepingComputer, WindowsLatest, Windows Central) corroborates both the symptom and the patching timeline. However, the exact experimental telemetry or the code path responsible has not been disclosed and cannot be independently verified from public sources. Treat those deeper technical assertions with caution until Microsoft publishes a developer-focused postmortem. (support.microsoft.com, bleepingcomputer.com)
Microsoft’s decision to tell users to ignore a firewall-related Event Viewer entry is defensible technically but risky operationally: it solves short-term panic at the cost of longer-term alert credibility. The factual record shows the company acknowledged the issue quickly, attempted to remediate through cumulative updates, and corrected a mistaken “Resolved” tag — but not before causing confusion. Administrators should apply a conservative, documented mitigation (targeted filtering and prioritized testing of Microsoft’s patch releases) and treat Microsoft’s Rollout Dashboard as a guide, not a definitive automated gate, until fixes are verified in controlled rings.
This was an avoidable communications lapse wrapped around a benign technical bug; the code fix is straightforward, but restoring trust will take clearer disclosures and better pre-release vetting for logging noise that looks, to many, like failure.
Source: Neowin Microsoft asks you to ignore a Windows 11 Event Viewer error yet again
				
			
		
		
	
	
 Background
Background
In late June 2025 Microsoft shipped an optional preview update for Windows 11 24H2 — KB5060829 — that introduced a surprising side effect: many machines began logging a recurring Event Viewer entry from Windows Firewall with Advanced Security. The event appears as Event ID 2042 with the short description “Config Read Failed” and the message “More data is available.” That entry is logged on every restart and looked, to many users, like a classic firewall failure. Microsoft’s initial diagnosis — posted to the Windows Release Health / support channels — was blunt and unusual for security-related output: the event is a logging artifact tied to a feature still under development, and it does not indicate a failure of Windows Firewall. Microsoft advised that no action is required and the entry can be safely ignored. That guidance, however, set off a chain of reactions in the community and among IT admins who rely on clean logs for monitoring and compliance. (learn.microsoft.com, borncity.com)
What happened, in plain terms
- The June 26, 2025 optional preview update (KB5060829) included code paths for a firewall-related feature that are not yet fully implemented.
- When that incomplete code executes during boot or service refresh, the firewall subsystem attempts a configuration read and the logging routine records Event 2042: “Config Read Failed — More data is available.”
- The firewall engine otherwise continues to operate normally — packets are filtered, rules are enforced, and no vulnerability or functional break was reported by Microsoft. (borncity.com, learn.microsoft.com)
Timeline of the public communications and fixes
June 26, 2025 — KB5060829 (preview)
The optional update began rolling out. Users who opted into the preview reported repeated Event 2042 entries after restart. Reporting and initial investigations by third-party outlets and community posts flagged the anomaly.July 2–3, 2025 — Microsoft acknowledgement: “ignore it”
Microsoft updated the Release Health dashboard to note the issue and to reassure users that the firewall is expected to function normally. The company explained the error is related to a feature that is “currently under development and not fully implemented.” At this point the official guidance was straightforward: ignore the false-positive log entries.July 8, 2025 — KB5062553 (Patch Tuesday) and a mistaken “Resolved” flag
Microsoft released the July Patch Tuesday cumulative update (KB5062553). Initial release notes and support pages listed the Event 2042 problem as addressed. Third-party testing and wide user reports, however, showed the issue persisted and, in some cases, KB5062553 expanded the number of affected devices. Microsoft later admitted that marking the issue as “Resolved” on July 8 was an error and corrected the status; the company apologized for the confusion and reiterated that a proper fix was planned. (support.microsoft.com, windowslatest.com)July 22, 2025 — KB5062660 preview (and later fixes)
Microsoft published a preview cumulative (KB5062660) that explicitly lists an Event 2042 fix in the Known Issues / Resolved section. The patch notes indicate the update addresses the logging bug and that the fix would be included in subsequent general releases. Follow-up cumulative updates scheduled for Patch Tuesday cycles later that month were intended to roll the repair to all users.Why Microsoft told people to ignore it — the technical and practical context
The company’s guidance hinges on two claims:- The firewall engine isn’t broken. Observations and Microsoft replies on official support channels indicate that firewall behaviour (rule evaluation, blocking, and application awareness) remained intact despite the log entries. Users can check Windows Security and firewall rule enforcement to verify basic functionality. (learn.microsoft.com, bleepingcomputer.com)
- The message is a logging artifact tied to under-development code. The literal error message — “More data is available” — suggests a partial read or a mismatch in expected buffer sizing when reading a configuration blob. Debug-level or developer-first code paths can, and sometimes do, leave diagnostic logging behind when feature flags or new data structures aren’t finalized. Microsoft framed this as an unavoidable byproduct of their development pipeline for the new firewall feature. The company has not publicly explained the feature’s specifics beyond “under development.”
Assessment: strengths of Microsoft’s handling
- Rapid acknowledgement: Microsoft moved fairly quickly from problem reports to a public Release Health advisory and support responses stating that engineers were aware and working on a fix. That transparency is preferable to silence. (learn.microsoft.com, borncity.com)
- Clear, actionable interim guidance: For most home users the guidance — ignore the event, no action required — is sensible because the Event Viewer entry is not an on-screen security warning and does not represent a direct compromise. Microsoft also provided an uninstall workaround (remove KB5060829) for those who prefer to avoid the noise.
- Eventual fix path: The logging bug was included in follow-up preview releases (KB5062660) and scheduled cumulative updates, showing Microsoft prioritized a code-level correction rather than indefinite suppression of logging behavior. That is the appropriate long-term approach.
Risks and weaknesses in Microsoft’s approach
- Normalization of “ignore” for security warnings: Telling users to disregard security-related log entries, even when correct, raises the specter of alert fatigue. Repeated advice to ignore warnings can train users and admins to skip or filter out messages that might be significant in the future. This is the larger trust risk.
- Communication mistakes magnified impact: The erroneous “Resolved” marking for KB5062553 and the subsequent retraction caused confusion and reduced confidence in Microsoft’s release notes and dashboard accuracy. For enterprises that gate updates based on Microsoft’s status flags, that mislabel was material. (windowslatest.com, bleepingcomputer.com)
- Opaque feature messaging: Microsoft identified the cause as “an experimental feature under development” but declined to describe the feature or its purpose. For security teams, granular details (even high-level) would have helped triage: e.g., whether the feature relates to policy distribution, telemetry, per-app isolation, or new filtering surfaces. Lack of detail increases the perceived risk.
What sysadmins and power users should do now
For different operational contexts there are practical, measured responses:- For home users and most power users:
- Confirm that Windows Defender Firewall is enabled and shows normal status in the Windows Security app.
- If the Event 2042 entries are an annoyance and KB5060829 was installed manually, uninstall KB5060829 from Settings → Windows Update → Update history → Uninstall updates, then reboot. The log noise should disappear.
- For sysadmins and enterprises:
- Filter or suppress Event 2042 in monitoring systems while tracking Microsoft’s Release Health updates, so the noise doesn’t trigger false incident escalations.
- Do not disable firewall rule logging broadly — target the specific event ID to avoid losing other, meaningful entries.
- Schedule patch testing: prioritize deployment of the cumulative updates that include the KB5062660 preview fix or later releases that explicitly list the Event 2042 resolution in their notes. Testing in a controlled ring will avoid surprises.
- Audit logs for true anomalies: ensure that suppression of Event 2042 does not mask other, unrelated alerts. Keep tight correlation with IDS/EDR telemetry.
- For compliance-bound or heavily regulated environments:
- Treat the noise as an administrative event — document the Microsoft advisory and the mitigation (filtering rule), and flag the timeline for removal once the official fix is deployed and validated.
Why this episode matters beyond one noisy event
The Event 2042 story is a case study in modern OS development trade-offs: faster feature cycles and feature flags give Microsoft the ability to iterate, but the same mechanisms can leak unfinished behavior into logged telemetry seen by millions. That leakage matters because:- Security logs are high-trust artifacts. They’re used for incident detection, compliance audits, and forensics. Producing spurious entries undermines those downstream uses.
- Enterprise alerting systems are sensitive: false positives cost time and money. Widespread noisy events lead to additional ticketing overhead and possible changes to detection thresholds that might reduce sensitivity to real incidents.
- Communication errors — such as prematurely marking a bug “Resolved” — compound operational friction. Administrators rely on Microsoft’s Release Health dashboard; inaccurate status updates force organizations to add manual verification overhead and to delay automated windows of deployment.
What Microsoft should do (and what it actually did)
Short-term, the correct steps are to:- Publish precise mitigation and timeframe guidance on their Release Health dashboard.
- Offer a narrow suppression/workaround (e.g., a documented Event ID filter or Group Policy setting) so enterprises can reduce false alarms without losing unrelated telemetry.
- Ensure update notes are accurate before changing status to “Resolved.”
Technical caveat and unverifiable details
Microsoft has said the event is linked to an experimental, under-development feature. It has not publicly disclosed the exact feature name, scope, or implementation details. Any technical explanations beyond Microsoft’s public statements — for example, precise reasons why a “More data is available” read condition is triggered — remain speculative without access to Microsoft’s internal change lists or engineering notes.Where available, the public troubleshooting guidance and suitable KB entries were verified against Microsoft’s support pages and published cumulative update notes. For claims about the fix being rolled into a specific KB, the Microsoft support pages for KB5062553 and KB5062660 explicitly mention Event 2042 and the subsequent fixes; third-party reporting (BleepingComputer, WindowsLatest, Windows Central) corroborates both the symptom and the patching timeline. However, the exact experimental telemetry or the code path responsible has not been disclosed and cannot be independently verified from public sources. Treat those deeper technical assertions with caution until Microsoft publishes a developer-focused postmortem. (support.microsoft.com, bleepingcomputer.com)
Practical takeaways — short and sharp
- The Event Viewer entry is Event ID 2042 from Windows Firewall with Advanced Security showing “Config Read Failed — More data is available.” That signature identifies the logging artifact.
- Microsoft’s immediate advice for end users: no action needed; the firewall is still functioning. Enterprises may choose to filter the event until a fully patched cumulative update is installed. (learn.microsoft.com, windowslatest.com)
- If you prefer not to see the event and you installed KB5060829 manually, uninstall that optional preview update and reboot. That clears the log noise.
- Watch for cumulative updates that explicitly list the Event 2042 fix (the preview KB5062660 and subsequent Patch Tuesday rollouts) and deploy through your normal testing rings.
Final assessment
This episode is a reminder that rapid feature development and large-scale OS maintenance operate under different constraints. The logged firewall error did not indicate an active vulnerability — Microsoft’s public guidance and follow-up patches support that conclusion — but the way the situation was communicated and managed amplified mistrust among administrators and advanced users.Microsoft’s decision to tell users to ignore a firewall-related Event Viewer entry is defensible technically but risky operationally: it solves short-term panic at the cost of longer-term alert credibility. The factual record shows the company acknowledged the issue quickly, attempted to remediate through cumulative updates, and corrected a mistaken “Resolved” tag — but not before causing confusion. Administrators should apply a conservative, documented mitigation (targeted filtering and prioritized testing of Microsoft’s patch releases) and treat Microsoft’s Rollout Dashboard as a guide, not a definitive automated gate, until fixes are verified in controlled rings.
This was an avoidable communications lapse wrapped around a benign technical bug; the code fix is straightforward, but restoring trust will take clearer disclosures and better pre-release vetting for logging noise that looks, to many, like failure.
Source: Neowin Microsoft asks you to ignore a Windows 11 Event Viewer error yet again
 
 
		
