Microsoft has acknowledged mislabeling a Windows Firewall logging issue as resolved in recent updates, confirming the problem persists despite earlier claims of a fix. The error, which generates false Event ID 2042 messages in Windows 11 24H2 systems, was incorrectly marked as addressed in the June 2025 optional update (KB5060829) before spreading further through the July 2025 security update (KB5062553)1. While Microsoft maintains the bug poses no security risk, the incident highlights communication challenges in the company’s patch management process.
Technical Impact and Timeline
The Windows Firewall logging bug manifests as repeated “Config Read Failed” errors (Event ID 2042) in system logs, creating noise for administrators monitoring event viewers. According to Microsoft’s retraction statement published on Windows Latest, the issue stems from incomplete feature code rather than an actual configuration failure2. The timeline shows the problem first appeared in June 2025, was incorrectly marked resolved, then resurfaced more broadly in July 2025 updates before Microsoft clarified its status.
Event logs from affected systems show the false entries appear approximately every 30 minutes, regardless of firewall configuration changes. Security researchers have confirmed the logs don’t indicate actual failed configuration attempts or security policy violations. Microsoft’s Windows development team has stated the permanent resolution will ship in a post-July 2025 update, though no specific timeline has been provided.
Log Management Workarounds
For organizations needing to filter these false positives from their monitoring systems, several technical solutions exist. The NXLog log management tool offers multiple configuration options to handle Windows Event Logs while excluding the problematic entries. These include JSON and Snare format conversions that can be filtered before forwarding to SIEM systems or other monitoring platforms3.
The following NXLog configuration demonstrates how to forward Windows Event Logs in JSON format while excluding Event ID 2042:
<Extension json>
Module xm_json
</Extension>
<Input eventlog>
Module im_msvistalog
<Exec>
if $EventID != 2042 {
$Message = to_json();
to_syslog_bsd();
}
</Exec>
</Input>
For Linux-based systems processing Windows EVTX files, the python-evtx module can be integrated with NXLog to parse and filter logs before processing. This approach is particularly useful for organizations with heterogeneous environments where Windows logs are analyzed on Linux servers.
Security Implications and Best Practices
While the logging bug doesn’t represent a security vulnerability, it creates operational challenges for security teams. The constant stream of false positives can obscure genuine security events in log monitoring systems. Organizations should update their SIEM rules to either filter out Event ID 2042 or adjust alert thresholds to account for the expected noise.
Microsoft’s handling of this incident follows a pattern of patch communication issues observed during other major Windows updates. The company has apologized for the miscommunication and pledged to improve its update status reporting1. Security teams should maintain awareness of such logging anomalies when troubleshooting Windows systems and verify all purported fixes through testing before updating production environments.
Conclusion
The Windows Firewall logging bug incident serves as a reminder of the importance of accurate patch documentation and the challenges of enterprise log management. While the technical impact is limited to log noise, the communication missteps have created unnecessary work for system administrators. Organizations should implement the provided workarounds if log noise becomes problematic and monitor for Microsoft’s forthcoming permanent fix.
As Windows 10 approaches end-of-life, such incidents underscore the need for rigorous testing of Windows 11 updates in enterprise environments. The security community will be watching closely to see if Microsoft improves its communication practices around future update issues.
References
- “Windows 11 July 2025 update issues confirmed: Microsoft says it falsely claimed fixes,” Windows Latest, Jul. 16, 2025.
- “Windows Event Log Collection,” NXLog Documentation.
- “python-evtx module for EVTX parsing,” GitHub repository.
