Windows Server 2019 VPN Routing and Remote Access Service Fails to Start with Error 8007042a After KB4480116 Update



After deploying the January 2019 cumulative update KB4480116 on Windows Server 2019 Datacenter edition, administrators began reporting service startup failures in Routing and Remote Access (RRAS). The specific error code 8007042a appears when attempting to start the service through either the Services console or PowerShell:

# PowerShell reproduction attempt
Start-Service RemoteAccess -ErrorAction Stop

The issue consistently manifests under these conditions:

  • Windows Server 2019 (build 1809) with RRAS role installed
  • KB4480116 or subsequent updates containing the same binaries
  • Both domain-joined and standalone server configurations

Examining the system logs reveals two critical events:

Event ID 7023: The Routing and Remote Access service terminated with the following error: 
The dependency service or group failed to start.

Event ID 7000: The RemoteAccess service failed to start due to the following error: 
The dependency service or group failed to start.

Until Microsoft releases an official fix, these are the verified solutions:

# Method 1: Uninstall the problematic update
wusa /uninstall /kb:4480116 /quiet /norestart

# Method 2: Manual service dependency modification (advanced)
# Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content
sc.exe config RemoteAccess depend= "RasMan/TapiSrv/Netman/Nsi"

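For environments requiring the security updates, this registry tweak may help. It writes the same dependency list as Method 2 (RasMan, TapiSrv, Netman, Nsi), encoded as a REG_MULTI_SZ value: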

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
"DependOnService"=hex(7):52,00,61,00,73,00,4d,00,61,00,6e,00,00,00,54,00,61,\
00,70,00,69,00,53,00,72,00,76,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,00,\
00,00,4e,00,73,00,69,00,00,00,00,00

Track these KB articles for resolution updates:

  • KB4487044 - February 2019 cumulative update
  • KB4489899 - March 2019 security-only update

Use this PowerShell snippet to check your system's status:

$service = Get-Service RemoteAccess
$update = Get-HotFix | Where-Object {$_.HotFixID -eq "KB4480116"}

[PSCustomObject]@{
    ServiceStatus = $service.Status
    ServiceStartType = $service.StartType
    KBInstalled = if($update) {$true} else {$false}
    LastBootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
}

After applying Microsoft's January 2019 cumulative update KB4480116 on Windows Server 2019 Datacenter edition, the Routing and Remote Access service (RemoteAccess) fails to start with error code 8007042a. This prevents VPN connectivity entirely.

When attempting to start the service manually via PowerShell:

Start-Service RemoteAccess -Verbose
# System.InvalidOperationException: Cannot start service RemoteAccess (RemoteAccess) on computer '.'.
# Windows could not start the RemoteAccess service on Local Computer.
# Error 8007042a: The dependency service or group failed to start.

The service dependencies show an interesting pattern when queried:

Get-Service RemoteAccess -RequiredServices | Format-Table Name, Status, StartType -AutoSize
Name          Status  StartType
----          ------  ---------
EventLog      Running Automatic
RasMan        Stopped Manual
Bfe           Running Automatic
mpssvc        Stopped Manual

KB4480116 introduces a new dependency chain where the RemoteAccess service now requires:

  1. Base Filtering Engine (BFE) running
  2. Windows Firewall (mpssvc) started
  3. Remote Access Connection Manager (RasMan) active
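
To see which link in that chain is blocking RemoteAccess on a given server, the read-only script below walks the service's dependency tree and pulls the related Service Control Manager events. It is an added example, not part of the original article; the function name Get-ServiceDependencyTree is hypothetical, and event ID 7001 (the SCM event that names the failed dependency) is not mentioned in the article.

```powershell
# Added example (read-only): find what blocks RemoteAccess from starting.
# Get-ServiceDependencyTree is a hypothetical helper name, not a built-in cmdlet.
function Get-ServiceDependencyTree {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Seen
    )
    if ($null -eq $Seen) { $Seen = [System.Collections.Generic.HashSet[string]]::new() }
    # Report each service once, even if several services depend on it
    if (-not $Seen.Add($Name.ToLowerInvariant())) { return }

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        [PSCustomObject]@{ Depth = $Depth; Name = $Name; Status = 'NotFound'
                           StartType = 'N/A'; Blocking = $true }
        return
    }
    [PSCustomObject]@{
        Depth     = $Depth
        Name      = $svc.Name
        Status    = $svc.Status
        StartType = $svc.StartType
        # The SCM cannot demand-start a dependency whose start type is Disabled
        Blocking  = ($svc.StartType -eq 'Disabled')
    }
    foreach ($dep in $svc.ServicesDependedOn) {
        Get-ServiceDependencyTree -Name $dep.Name -Depth ($Depth + 1) -Seen $Seen
    }
}

Get-ServiceDependencyTree -Name 'RemoteAccess' | Format-Table -AutoSize

# Raw dependency list as stored in the registry (the value the
# dependency workarounds on this page rewrite)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess'
(Get-ItemProperty -Path $key -Name DependOnService).DependOnService

# SCM events since last boot: 7000 and 7023 are quoted above; 7001 names
# the dependency that failed
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
             Id = 7000, 7001, 7023; StartTime = $boot }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it from an elevated session before changing any dependency list, so the original state is on record.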

To temporarily restore functionality while waiting for a patch:

# Force start dependencies
Start-Service mpssvc
Start-Service RasMan
Set-Service mpssvc -StartupType Automatic
Set-Service RasMan -StartupType Automatic

# Then start main service
Start-Service RemoteAccess

Microsoft released KB4480966 to address this specific issue. The complete resolution steps are:

# 1. Uninstall problematic update
wusa /uninstall /kb:4480116 /quiet /norestart

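# 2. Install corrective update
# wusa installs from a downloaded .msu file; the /kb: switch is only valid with /uninstall
wusa "<path to downloaded KB4480966 .msu>" /quiet /norestart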

# 3. Verify service status
Get-Service RemoteAccess,RasMan,mpssvc | Select Name,Status

For administrators managing multiple servers, here's a verification script:

$vpnServices = @('RemoteAccess','RasMan','mpssvc','BFE')
$results = foreach ($service in $vpnServices) {
    try {
        $svc = Get-Service -Name $service -ErrorAction Stop
        [PSCustomObject]@{
            ServiceName = $service
            Status = $svc.Status
            StartType = $svc.StartType
        }
    }
    catch {
        [PSCustomObject]@{
            ServiceName = $service
            Status = 'NotFound'
            StartType = 'N/A'
        }
    }
}
$results | Format-Table -AutoSize

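For environments where updates cannot be immediately applied, modify the service dependencies. The second command below replaces the dependency list with RasMan and Bfe only, so RemoteAccess no longer waits on mpssvc; the exported RemoteAccess.reg can be re-imported to restore the original value: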

# Backup current configuration
reg export "HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess" RemoteAccess.reg

# Modify dependency list
reg add "HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess" /v DependOnService /t REG_MULTI_SZ /d "RasMan\0Bfe" /f