Microsoft has distributed security updates (e.g. KB5049981 for Windows 10 21H2-22H2) for the January 2025 Patchday (14.1.2025). After installing this update, administrators noticed that the SgrmBroker service (System Guard Runtime Monitor Broker) no longer starts under Windows 10 and Windows Server 2022. Microsoft has now commented on this issue.
What exactly is the SgrmBroker problem?
Blog reader armin posted this comment and wrote that after installing the January 2025 security updates, the SgrmBroker service (System Guard Runtime Monitor Broker) no longer starts for him.
The name System Guard Runtime Monitor indicates that the service is part of System Guard and the exploit protection of Defender. There is some more information in this article and here, and there is also an analysis of the feature here. The reader wrote in his comment that under:
C:\WINDOWS\system32\
four files with the corresponding name carry timestamps that match the date of the update installation. After uninstalling the January 2025 update, the problem was solved.
The reader has observed this behavior on some Windows 10 clients (update KB5049981) and Windows Server 2022 (update KB5049983) in virtual machines (VMs), where the VMs were running under Hyper-V.
This observation by the blog reader was confirmed by other blog readers. Bolko writes that the error code 0x80070005 (access denied) is thrown. This means that the service can no longer monitor the integrity of Windows. There are also several reports on the Internet (see Microsoft Answers entries here and here) about this problem. I had taken up the whole thing in the article Windows 10/Server 2022: SgrmBroker service no longer starts after Jan. 2025 update (KB5049981).
Microsoft confirms the issue
Thomas R. recently sent me an e-mail informing me that Microsoft has now addressed the problem in a support report (the article is only accessible to Microsoft account holders with certain subscriptions).
In the support article in question, Microsoft confirms that administrators may find an error related to SgrmBroker.exe in the Windows Event Viewer if the Windows updates from January 14, 2025 (from the screenshot above) or later were installed.
This error entry can be found under Windows Logs > System as event 7023. A text similar to "The System Guard Runtime Monitor Broker service was terminated with the following error: %%3489660935" is displayed. Apart from the entry in the Windows Event Viewer, nothing happens and there is no error dialog box or notification.
Obsolete component in Windows
Microsoft then explains that SgrmBroker.exe refers to the System Guard Runtime Monitor Broker Service. This service was originally developed for Microsoft Defender. However, this service has long since ceased to be part of the active Defender components.
Although the Windows updates released on January 14, 2025 conflict with the initialization of this service, according to Microsoft, there should be no impact on performance or functionality. The security level of a device will not be changed by this issue. This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe currently serves no purpose.
No need for action
Microsoft states that there is no need to start this service manually or configure it in any way (this could cause unnecessary errors). Future Windows updates will adjust the components used by this service and SgrmBroker.exe.
Users should therefore not attempt to manually uninstall or remove this service or its components. No special measures are required to resolve the problem. The service can be safely disabled if required to prevent the error from appearing in the Event Viewer. You can do this by following the steps below:
- Open a command prompt window (start cmd with Run as administrator).
- Enter the command sc.exe config sgrmagent start=disabled in the window.
A message may then appear. Then enter the following command in the command prompt:
reg add HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /d 4 /t REG_DWORD
The command prompt window can then be closed. The change prevents the corresponding error from appearing in the Event Viewer the next time the device is started. These steps may be restricted by the group policies defined by your organization. Microsoft is working on a solution and will provide an update in one of the next versions.
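To check whether a host shows the issue and whether the workaround above is already in place, the following read-only PowerShell audit can be used. It is an added example, not part of Microsoft's support article; the KB numbers and service names are the ones quoted on this page, and the message pattern assumes English event text.

```powershell
# Added example: read-only audit for the SgrmBroker event 7023 issue.
$kbs      = 'KB5049981', 'KB5049983'     # originating KBs named on this page
$services = 'SgrmBroker', 'sgrmagent'    # names used in the workaround commands
$since    = Get-Date '2025-01-14'        # release date of the updates

# 1) Is one of the originating updates listed as installed? The page says
#    later updates are affected too, so an empty result proves nothing.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $kbs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# 2) Event 7023 from the Service Control Manager in Windows Logs > System.
#    Assumption: English message text; adjust the pattern on localized systems.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
             Id = 7023; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'System Guard Runtime Monitor' }

# 3) Start value of each service key: 4 means disabled (workaround applied).
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$state = foreach ($name in $services) {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Service   = $name
        Start     = $start
        StartType = if ($null -eq $start) { 'key not found' } else { $startNames[[int]$start] }
    }
}

# Summary: Get-WinEvent returns newest events first, so the first is the latest.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    OriginatingKBs = $installed -join ', '
    Event7023Count = @($events).Count
    LastEvent7023  = ($events | Select-Object -First 1).TimeCreated
} | Format-List | Out-Host
$state | Format-Table -AutoSize | Out-Host
```

A host where both keys report Start = 4 and no new event 7023 appears after a reboot has the workaround in effect.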
Below is the text of the support article:
Event Viewer displays an error for System Guard Runtime Monitor Broker service

Status: Mitigated

Affected platforms

Client Versions: Windows 10, version 22H2 (Message ID: WI982633, Originating KB: KB5049981, Resolved KB: -)
Server Versions: Windows Server 2022 (Message ID: WI982632, Originating KB: KB5049983, Resolved KB: -)

The Windows Event Viewer might display an error related to SgrmBroker.exe, on devices which have installed Windows updates released January 14, 2025 (the Originating KBs listed above) or later. This error can be found under Windows Logs > System as Event 7023, with text similar to 'The System Guard Runtime Monitor Broker service terminated with the following error: %%3489660935'.

This error is only observable if the Windows Event Viewer is monitored closely. It is otherwise silent and does not appear as a dialog box or notification.

SgrmBroker.exe refers to the System Guard Runtime Monitor Broker Service. This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time. Although Windows updates released January 14, 2025 conflict with the initialization of this service, no impact to performance or functionality should be observed. There is no change to the security level of a device resulting from this issue. This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.

Note: There is no need to manually start this service or configure it in any way (doing so might trigger errors unnecessarily). Future Windows updates will adjust the components used by this service and SgrmBroker.exe. For this reason, please do not attempt to manually uninstall or remove this service or its components.

Workaround: No specific action is required, however, the service can be safely disabled in order to prevent the error from appearing in Event Viewer. To do so, you can follow these steps:

1) Open a Command Prompt window. This can be accomplished by opening the Start menu and typing 'cmd'. The results will include "Command Prompt" as a System application. Select the arrow to the right of "Command Prompt" and select "Run as administrator".
2) Once the window is open, carefully enter the following text: sc.exe config sgrmagent start=disabled
3) A message may appear afterwards. Next, enter the following text: reg add HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /d 4 /t REG_DWORD
4) Close the Command Prompt window.

This will prevent the related error from appearing in the Event Viewer on subsequent device start up. Note that some of these steps might be restricted by group policy set by your organization.

Next steps: We are working on a resolution and will provide an update in an upcoming release.