Emergency Windows update solves Active Directory problem

Microsoft is launching emergency patches to correctly display local audit logon policies in Active Directory Group Policy. These so-called out-of-band updates are available for various Windows versions, including Windows 11 and various Windows Server editions.

The problem mainly manifests itself as a reporting error. According to Microsoft, in certain cases logon and logoff events can still be correctly registered, even though the policy does not appear to be enabled.

Confusing report

“We have identified an issue where audit logon/logoff events in the local policy of Active Directory Group Policy may not appear as enabled, even if they are enabled and expected to work,” Microsoft explains in an update for Microsoft 365 administrators.

The inconsistency is visible in the Local Group Policy Editor or Local Security Policy, where local audit policies show the ‘Audit logon events’ setting with the ‘No auditing’ security setting, while auditing is indeed taking place.

The ‘Audit logon events’ policy setting is an important function for system administrators. When it is enabled, logon and logoff events generate new entries in the audit logs, so administrators can keep track of them. These logs register all user and service activities and are essential during security investigations and for compliance purposes.

Available patches

Last Friday, Microsoft released the following updates to address the Active Directory audit logon policy problem:

  • Windows 11, versions 23H2 and 22H2 (KB5058919)
  • Windows Server 2022 (KB5058920)
  • Windows 10 Enterprise LTSC 2019 and Windows Server 2019 (KB5058922)
  • Windows 10 LTSB 2016 and Windows Server 2016 (KB5058921)
  • Azure Stack HCI, version 22H2 (KB5058920)

These emergency patches are not security patches, and only need to be installed by affected organizations. The out-of-band updates can only be downloaded and installed via the Microsoft Update Catalog for the relevant Windows versions.
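
One way to check a host for the mismatch described under "Confusing report" and for the updates listed above, as an added example that is not from Microsoft or the original article. It assumes an elevated PowerShell session on an English-language system (auditpol category names are localized); event IDs 4624 (logon) and 4634 (logoff) are the standard Security log IDs and the 24-hour window is an arbitrary choice, neither taken from the article.

```powershell
#Requires -RunAsAdministrator
# Added example: put three facts side by side so they can be compared with what
# the Local Group Policy Editor / Local Security Policy shows for 'Audit logon events'.

# 1. Audit policy for the Logon/Logoff category as reported by auditpol (/r = CSV).
#    Assumption: English category name; localized systems use a different name.
$policy = auditpol /get /category:"Logon/Logoff" /r |
    Where-Object { $_ } |                      # drop blank lines in the CSV output
    ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting'

# 2. What the Security log actually recorded in the last 24 hours.
#    4624 = successful logon, 4634 = logoff.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634
    StartTime = $since
} -ErrorAction SilentlyContinue               # no matching events is not an error here
$counts = @{ 4624 = 0; 4634 = 0 }
foreach ($e in $events) { $counts[[int]$e.Id]++ }

# 3. Which of the out-of-band updates named in the article are installed.
$kbs       = 'KB5058919', 'KB5058920', 'KB5058921', 'KB5058922'
$installed = @(Get-HotFix | Where-Object { $_.HotFixID -in $kbs } |
    Select-Object -ExpandProperty HotFixID)

# Report
"Audit policy reported by auditpol (Logon/Logoff):"
$policy | Format-Table -AutoSize | Out-String

"Security log since {0:u}: {1} logon (4624), {2} logoff (4634)" -f `
    $since, $counts[4624], $counts[4634]

if ($installed.Count -gt 0) {
    "Out-of-band update installed: $($installed -join ', ')"
} else {
    "None of the listed out-of-band updates found: $($kbs -join ', ')"
}

# Events present while the editor shows 'No auditing' matches the display
# problem described in the article: logging is happening despite the report.
if (($counts[4624] + $counts[4634]) -gt 0) {
    "Logon/logoff events are being written to the Security log."
} else {
    "No logon/logoff events in the window; check the policy and the log size."
}
```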

Context within Windows Server issues

This is not the first problem with updates for Windows systems. Earlier this year, security updates for Windows 11, 10 and various Windows Server versions already caused problems with VPN connections, forcing some users to uninstall updates.

Windows Server systems also run into update-related problems more often. For example, Microsoft recently reported that security updates for Windows Server 2025 cause Remote Desktop sessions to freeze, with mouse and keyboard input no longer responding.

Earlier today, we wrote about another problem that only affects Windows Server 2025: losing contact with domain controllers after a restart. In that case, servers load the standard firewall profile instead of the domain profile, which disrupts applications and services.

The current out-of-band updates are cumulative, which means that users do not have to install previous updates before applying these. Microsoft emphasizes that home users are not likely to be affected by this known problem, as logon auditing is mainly needed in business environments.