Why won’t third-party services start on my Windows Server 2025 Domain Controller after update KB5072033?
Critical Advisory: Windows Server 2025 Service Failures Post-KB5072033
System administrators managing Windows Server 2025 infrastructure must exercise immediate caution regarding the December 2025 security update, KB5072033. Validated reports indicate this cumulative update triggers critical failures on servers configured as Domain Controllers (DCs).
The primary symptom is the refusal of third-party background services to start upon reboot. Furthermore, this blockage creates a deadlock that prevents the Windows Installer service (MSI) from functioning, making it impossible to install or remove software.
Technical Root Cause
The problem stems from changes introduced in the December 9, 2025 rollout. Microsoft adjusted the AppX Deployment Service (Appxsvc) configuration, changing its startup type to “Automatic.” While intended to improve reliability for Universal Windows Platform (UWP) apps, this change creates resource contention during the boot sequence of a Domain Controller.
On a DC, the authentication subsystem loads differently than on a standard member server. When KB5072033 forces Appxsvc to start early, it appears to conflict with third-party service initialization, causing those services to crash or hang. This hang leaves the service control manager in a locked state, subsequently blocking MSI execution.
Identifying the Issue
If you manage a Windows Server 2025 environment, look for these specific indicators:
- Role Specificity: The issue exclusively impacts Domain Controllers. Demoting the server to a member server resolves the symptoms, confirming the correlation with DC architecture.
- Service Failures: Mission-critical third-party agents (backup, monitoring, security) fail to launch automatically.
- Installer Lockout: Attempting to run any .msi file results in a timeout or generic error.
- Timeline: Symptoms manifest immediately following the installation of KB5072033.
Verified Workarounds and Solutions
Community analysis and Reddit discussions have isolated specific remediation steps. Do not disable User Account Control (UAC) as a permanent fix, even though doing so alleviates the symptoms; it weakens the server's security posture.
The Recommended Fix: Delayed Startup
The most effective solution that preserves security integrity involves adjusting the service behavior:
- Identify the failing third-party services in services.msc.
- Change their Startup Type from “Automatic” to “Automatic (Delayed Start)”.
This adjustment creates a timing buffer. It allows the operating system and critical Windows subsystems (including the modified Appxsvc) to stabilize before the third-party software attempts to initialize. This prevents the boot-time crash and keeps the service control manager free for other tasks, such as software installation.
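The checks from “Identifying the Issue” and the Delayed Start change above, as an added PowerShell example that is not part of the original advisory. It assumes an elevated Windows PowerShell session on the affected server; the service names in `$affected` are placeholders you replace with the agents you have verified are failing.

```powershell
# Added example (not from the original advisory). Run in an elevated session on the
# server under investigation. Service names in $affected are placeholders.
#Requires -RunAsAdministrator

# 1. Confirm the preconditions the advisory describes: KB5072033 is installed and
#    this host is a Domain Controller (Win32_ComputerSystem.DomainRole 4 = backup DC,
#    5 = primary DC).
$kbInstalled = Get-HotFix -Id 'KB5072033' -ErrorAction SilentlyContinue
$domainRole  = (Get-CimInstance Win32_ComputerSystem).DomainRole
$isDC        = $domainRole -in 4, 5
Write-Host "KB5072033 installed: $([bool]$kbInstalled); Domain Controller: $isDC"

# 2. Show how Appxsvc is currently configured (the advisory says the update
#    switches it to Automatic).
Get-CimInstance Win32_Service -Filter "Name='AppXSvc'" |
    Select-Object Name, StartMode, State, DelayedAutoStart

# 3. List non-delayed Automatic services that are not running after boot.
#    Services whose binary lives under \Windows\ are excluded as a rough way of
#    keeping only third-party agents; review the list before acting on it.
$stuck = Get-CimInstance Win32_Service |
    Where-Object {
        $_.StartMode -eq 'Auto' -and -not $_.DelayedAutoStart -and
        $_.State -ne 'Running' -and
        $_.PathName -notmatch '\\Windows\\'
    }
$stuck | Select-Object Name, DisplayName, State, PathName | Format-Table -AutoSize

# 4. Apply the advisory's workaround to the services you have confirmed are affected.
#    Windows PowerShell 5.1's Set-Service cannot express "Automatic (Delayed Start)",
#    so sc.exe is used (the space after "start=" is required by sc.exe).
$affected = @('ExampleBackupAgent', 'ExampleMonitoringAgent')   # placeholders
foreach ($name in $affected) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        sc.exe config $name start= delayed-auto | Out-Null
        Write-Host "Set $name to Automatic (Delayed Start)"
    }
    else {
        Write-Warning "Service '$name' not found; skipping"
    }
}
```

Reboot afterwards and re-run step 3 to confirm the list of stuck services is empty before attempting an MSI install.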
Summary Recommendation
Defer the deployment of KB5072033 on Domain Controllers until you can validate the “Delayed Start” configuration in a staging environment.