KB5058920: addresses a known issue where Audit Logon/Logoff events in the local policy

April 11, 2025—KB5058920 (OS Build 20348.3561) Out-of-band

Improvements
ccThis non-security update includes quality improvements. When you install this KB:

• It addresses a known issue where Audit Logon/Logoff events in the local policy of the Active Directory Group Policy might not show as enabled on the device even if they are enabled and working as expected. This can be observed in the Local Group Policy Editor or Local Security Policy, where local audit policies show the "Audit logon events" policy with Security Setting of "No auditing".
  -
• Note: Home users are unlikely to be affected by this issue, as logon auditing is generally only necessary in enterprise environments.

Known issues in this update

Citrix
Symptom

Devices that have certain Citrix components installed might be unable to complete installation of the January 2025 Windows security update. This issue was observed on devices with Citrix Session Recording Agent (SRA) version 2411. The 2411 version of this application was released in December 2024.

Affected devices might initially download and apply the January 2025 Windows security update correctly, such as via the Windows Update page in Settings. However, when restarting the device to complete the update installation, an error message with text similar to “Something didn’t go as planned. No need to worry – undoing changes” appears. The device will then revert to the Windows updates previously present on the device.

This issue likely affects a limited number of organizations as version 2411 of the SRA application is a new version. Home users are not expected to be affected by this issue.

Workaround
Citrix has documented this issue, including a workaround, which can be performed prior to installing the January 2025 Windows security update. For details, see Citrix’s documentation.

Microsoft is working with Citrix to address this issue and will update this documentation once a resolution is available. ​​​​​​​

System Guard Runtime Monitor Broker service

Symptom
The Windows Event Viewer might display an error related to SgrmBroker.exe, on devices that have installed Windows updates released January 14, 2025, or later. This error can be found under Windows Logs > System as Event 7023, with text similar to ‘The System Guard Runtime Monitor Broker service terminated with the following error: %%3489660935’.

This error is only observable if the Windows Event Viewer is monitored closely. It is otherwise silent and does not appear as a dialog box or notification.

SgrmBroker.exe refers to the System Guard Runtime Monitor Broker Service. This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time. Although Windows updates released January 14, 2025, conflict with the initialization of this service, no impact to performance or functionality should be observed. There is no change to the security level of a device resulting from this issue. This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.

Note: There is no need to manually start this service or configure it in any way (doing so might trigger errors unnecessarily). Future Windows updates will adjust the components used by this service and SgrmBroker.exe. For this reason, please do not attempt to manually uninstall or remove this service or its components.

Workaround
This issue is addressed in KB5055526.