[German]Microsoft has distributed the security update KB5049981 for Windows 10 21H2-22H2 for the January 2025 Patchday (14.1.2025). After installing this update, administrators notice that the SgrmBroker service (broker for runtime monitoring of system monitoring) no longer starts. Administrators also notice the same behavior under Windows Server 2022. I will summarize the information I have in this regard.
Advertising
Windows 10 Update KB5049981
Cumulative Update KB5049981 is available for Windows 10 version 21H2 (Enterprise and Education) and all Windows 10 22H2 variants. The update contains security fixes and updates the Windows Kernel Vulnerable Driver Blocklist file (DriverSiPolicy.p7b). I had reported in the blog post Patchday: Windows 10/11 Updates (January 14, 2025).
SgrmBroker service no longer starts
German blog reader armin has responded promptly with this comment and writes that after installing the January 2025 security updates, the SgrmBroker service (broker for runtime monitoring of system monitoring) no longer starts.
The name System Guard Runtime Monitor indicates that the service is part of System Guard and the exploit protection of Defender. You can find more information in this article and here. And here is also an analysis of the feature, that hasn't been updated for y yars.The reader writes in his comment that in the folder:
C:\WINDOWS\system32\
four files with the corresponding name have the date of the update installation from timestamps. After uninstalling the January 2025 update, the problem was resolved.
Advertising
The reader has previously observed this behavior with some Windows 10 clients (update KB5049981) and Windows Server 2022 (update KB5049983) in virtual machines (VMs), where the VMs were running under Hyper-V.
This observation by the blog reader was confirmed by other blog readers. Bolko writes that the error code 0x80070005 (access denied) is thrown. This means that the service can no longer monitor the integrity of Windows – Microsoft has shot itself down.
Post on Microsoft Answers
On Microsoft Answers there is the thread Error 7023 Service Control Manager….System Guard Runtime Monitor Broker.exe terminated, in which an affected person also confirms the problem as of January 15, 2025. Affected are a HP Omen Desktop and a HP Envy Laptop with Windows 10 22H2.
Since installing the January 2025 update KB5049981, the System Guard Runtime Monitor Broker service (SgrmBroker.exe) no longer starts. Event 7023 is displayed in the Event Viewer with the following data:
Log Name: System
Source: Service Control Manager
Date: 1/14/2025 3:48:16 PM
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DESKTOP-
Description:
The System Guard Runtime Monitor Broker service terminated with the following error:
%%3489660935
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7023</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
[...}
Another affected person confirms this problem for Windows 10 and an administrator has posted the following screenshot from Windows Server 2022 online.
On reddit.com, the problem with the broken service is also confirmed in this thread and in this thread. It doesn't have such a direct impact if the service is no longer running – Windows can simply no longer determine its own integrity. Let's see when Microsoft will comment on this.
Similar articles
Microsoft Security Update Summary (January 14, 2025)
Patchday: Windows 10/11 Updates (January 14, 2025)
Patchday: Windows Server Updates (January 14, 2025)
Patchday: Microsoft Office Updates (January 2025)
Review: Windows Patchday issues January 2025
Windows 10/Server 2022: SgrmBroker service no longer starts after Jan. 2025 update (KB5049981)
Attention: Problems with Windows January 2025 updates and Citrix environments (session recordings)
Advertising
