MC1085489 – Take action: Disable Secure Time Seeding (STS) in Windows Server 2016 and later

Product:

Windows, Windows Server

Platform:

Online, World tenant

Status:

Change type:

Admin impact

Links:

Details:

Microsoft recommends disabling the Secure Time Seeding (STS) in Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 due to reported timekeeping issues. Additionally, organizations should review and ensure proper time synchronization and monitoring on critical servers.

When will this happen:
Microsoft recommends applying this disablement as soon as possible. This recommendation applies to all existing deployments of Windows Server 2016 and later (including domain controllers and member servers).

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-05-31

updated:
2025-05-31

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Timekeeping Errors
Disabling STS without preparation may lead to timekeeping errors affecting time-sensitive applications and services, such as Active Directory and VM hosts.
   - roles: IT Admin, System Administrator
   - references: https://learn.microsoft.com/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-in-windows, https://learn.microsoft.com/troubleshoot/windows-server/active-directory/sts-recommendations-for-windows-server

Service Disruption
Potential service disruptions may occur if time-sensitive workloads fail due to improper time synchronization after STS is disabled.
   - roles: IT Admin, Network Engineer
   - references: https://learn.microsoft.com/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-in-windows, https://learn.microsoft.com/troubleshoot/windows-server/active-directory/sts-recommendations-for-windows-server

User Authentication Issues
Users may experience authentication issues if Active Directory time synchronization is disrupted, leading to login failures.
   - roles: Help Desk Support, IT Admin
   - references: https://learn.microsoft.com/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-in-windows, https://learn.microsoft.com/troubleshoot/windows-server/active-directory/sts-recommendations-for-windows-server

Increased Support Tickets
The change may lead to an increase in support tickets from users facing issues related to time-sensitive applications and services.
   - roles: Help Desk Support, IT Admin
   - references: https://learn.microsoft.com/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-in-windows, https://learn.microsoft.com/troubleshoot/windows-server/active-directory/sts-recommendations-for-windows-server

Operational Downtime
If critical services fail due to timekeeping issues, it may result in operational downtime affecting business processes.
   - roles: IT Admin, Operations Manager
   - references: https://learn.microsoft.com/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-in-windows, https://learn.microsoft.com/troubleshoot/windows-server/active-directory/sts-recommendations-for-windows-server

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced Time Synchronization Practices
By disabling Secure Time Seeding (STS), organizations can implement more robust time synchronization practices tailored to their specific environment, reducing the risk of timekeeping issues that can affect critical services.
   - next-steps: Conduct an audit of current time synchronization methods and tools in use. Implement NTP (Network Time Protocol) solutions or other time synchronization tools that meet the organization's requirements. Train IT staff on the new processes.
   - roles: IT Administrators, System Engineers, Network Engineers
   - references: https://learn.microsoft.com/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-in-windows, https://learn.microsoft.com/troubleshoot/windows-server/active-directory/sts-recommendations-for-windows-server

Improved Monitoring of Timekeeping Systems
Disabling STS allows for the introduction of monitoring solutions that can proactively alert IT staff to timekeeping discrepancies, enabling faster resolution of issues before they impact critical services.
   - next-steps: Research and implement monitoring tools that can track time synchronization status and alert on anomalies. Develop a response plan for addressing timekeeping issues as they arise.
   - roles: IT Administrators, System Engineers, Operations Managers
   - references: https://learn.microsoft.com/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-in-windows, https://learn.microsoft.com/troubleshoot/windows-server/active-directory/sts-recommendations-for-windows-server

Streamlined IT Administrative Tasks
Disabling STS can simplify IT administrative tasks related to time management across servers, allowing for more straightforward configurations and reducing the complexity of troubleshooting timekeeping issues.
   - next-steps: Review and document current administrative processes related to time management. Create streamlined guidelines for time configuration and troubleshooting, and provide training to relevant staff.
   - roles: IT Administrators, Help Desk Staff, System Engineers
   - references: https://learn.microsoft.com/archive/blogs/w32time/secure-time-seeding-improving-time-keeping-in-windows, https://learn.microsoft.com/troubleshoot/windows-server/active-directory/sts-recommendations-for-windows-server

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

XXXXXXX ... free basic plan only