Skip to content

Safe Tuesday with SNOK: SAP GUI issue following the Windows update

Today we present a significant issue that may affect many organisations using SAP systems - an unexpected unavailability of the SAP GUI interface…

Today we present a significant issue that may affect many organisations using SAP systems - an unexpected unavailability of the SAP GUI interface following the latest Windows update.

The problem: SAP GUI stops working after the Windows KB5055523 update

In its latest communication (SAP Note 3595651), SAP reports a serious defect affecting the interoperability of SAP GUI for Windows with the recent Windows update (KB5055523). This issue particularly affects users of SAP GUI 800, 32-bit version, who are simultaneously running Crowdstrike software.

Symptoms:

  • SAP GUI does not start at all

  • The interface stops responding after attempting to connect to the SAP system

  • The Windows event log shows errors related to the saplogon.exe process and the ntdll.dll library

Cause:

According to SAP’s analysis, the problem stems from an incompatibility between the Crowdstrike product and the Microsoft KB5055523 update. The Crowdstrike module, which normally integrates with the SAP GUI process (typical for security software), interacts incorrectly with the ntdll.dll library modified by the update. This interaction triggers an exception in ntdll.dll, visible in the Windows event log, and consequently causes SAP GUI to crash.

Why this matters for IT security

This issue illustrates well the intricate dependencies between business-critical systems and security infrastructure. On one hand, organisations need up-to-date Windows systems with the latest security patches; on the other, protective solutions such as Crowdstrike; and on a third, reliable access to SAP systems, which often form the core of business operations.

Balancing these needs becomes a challenge when incompatibilities such as the one described by SAP arise.

Recommended solutions:

SAP suggests two possible workarounds for this issue:

Option 1: Removing the KB5055523 update

Uninstalling the problematic Windows update resolves the issue in most cases. However, it should be noted that this may potentially expose the system to the security vulnerabilities the update was designed to fix.

Option 2: Adjusting the Crowdstrike configuration

An alternative solution is to disable Crowdstrike or configure an exclusion for SAP GUI within the Crowdstrike settings. This approach allows the Windows update to be retained while still enabling SAP GUI to function.

What this may mean for your organisation

If your organisation uses SAP GUI for Windows (particularly the 32-bit version) together with Crowdstrike software, it is worth:

  • Verifying whether the Windows KB5055523 update has been installed in your organisation

  • Checking the Windows event logs for errors related to saplogon.exe

  • Consulting with the teams responsible for IT security and SAP to develop the best approach for your organisation

  • Developing an interim strategy that balances the need for SAP system availability with IT security requirements

  • Monitoring the situation as it develops - SAP has indicated it will update its communication once further information is received from Microsoft (the matter is being investigated under Microsoft incident number MS 2504150040002611)

Managing risk in integrated IT environments

This issue is a classic example of the challenges faced by modern IT departments, where complex software ecosystems must work together harmoniously. It highlights the importance of:

  • Update testing processes before deployment to the production environment

  • A change management strategy that accounts for potential conflicts between systems

  • Contingency plans enabling the rapid restoration of critical business functions

  • A multi-layered approach to security that does not rely on a single solution

Interestingly, SAP notes that the issue does not occur with security products from other vendors, which may be an argument in favour of diversifying security solutions - or at least of thoroughly analysing their impact on key business systems.

Summary

The incompatibility between the Windows KB5055523 update, Crowdstrike software and SAP GUI for Windows serves as a reminder of how fragile the balance between security and functionality in IT systems can be. For IT and security teams, it is an opportunity to revisit update management and compatibility testing processes.

At SNOK, we consistently emphasise that security is not only about deploying the latest tools and updates, but also about understanding the dependencies between systems and skilfully balancing different business priorities.

Tematy: Safe Tuesday IT Advisory & Integration SAP S/4HANA

Get in touch