Microsoft withdraws update that caused problems with Windows servers

The patches released on Patch Tuesday caused several problems, including spontaneous boot loops on servers running as Windows domain controllers, a broken Hyper-V server role, and ReFS volumes becoming unavailable.

Microsoft removed the Windows Server updates released on Patch Tuesday after users reported that the patches contained bugs that break three features:

  • They can crash and reboot Windows servers that act as domain controllers.
  • They make Hyper-V unusable.
  • They prevent the use of ReFS volumes.

Windows users faced two pieces of bad news on the same day in January 2022, when Microsoft released 97 security updates in its monthly Patch Tuesday update, which also caused Windows installations to fail for some users.

Updates

This month’s package includes update KB5009624 for Windows Server 2012 R2, update KB5009557 for Windows Server 2019, and update KB5009555 for Windows Server 2022. All of these updates were found to be buggy.

“Administrators of Windows domain controllers should be careful when installing the January 2022 security updates,” BornCity stated.

“I have received numerous reports of Windows servers acting as domain controllers not booting after this,” Born wrote. “Lsass.exe (or wininit.exe) causes a blue screen with a stop error 0xc0000005. In my estimation, it can hit all versions of Windows Server that act as domain controllers.”

Domain controllers are the servers that process logon and security requests for computers in a Windows domain. Microsoft Hyper-V, the hypervisor built into recent Windows Server releases, natively runs virtual machines on x86-64 Windows systems.

The third feature affected by the updates, Resilient File System (ReFS), is a file system designed to keep data intact and available even under adverse conditions such as corruption or hardware faults.
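As an added example (not from the article or from Microsoft), the following PowerShell inventory check reports whether a server has any of the KB numbers named above installed and whether it holds one of the affected roles (domain controller, Hyper-V, or ReFS volumes), so administrators can decide which hosts need the update rolled back first. It assumes an elevated PowerShell session on Windows Server, where `Get-WindowsFeature` is available.

```powershell
# Added example: flag hosts that have a withdrawn January 2022 update installed
# AND hold a role the article describes as affected. Run elevated on the server.
$WithdrawnKBs = @('KB5009624', 'KB5009557', 'KB5009555')   # KB numbers named in the article

# Which of the withdrawn updates are present on this host?
$installed = Get-HotFix | Where-Object { $WithdrawnKBs -contains $_.HotFixID }

# DomainRole 4 = backup domain controller, 5 = primary domain controller
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$isDomainController = $cs.DomainRole -ge 4

# Hyper-V role installed? (Get-WindowsFeature exists on Windows Server only)
$hyperV = $false
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $hyperV = (Get-WindowsFeature -Name Hyper-V).Installed
}

# Any ReFS-formatted volumes on this host?
$refsVolumes = @(Get-Volume | Where-Object { $_.FileSystemType -eq 'ReFS' })

# Summarise; 'Exposed' is true only when a withdrawn KB is present on an affected role
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    WithdrawnKBsPresent = ($installed.HotFixID -join ',')
    IsDomainController  = $isDomainController
    HyperVInstalled     = $hyperV
    ReFSVolumes         = ($refsVolumes.DriveLetter -join ',')
    Exposed             = (@($installed).Count -gt 0) -and
                          ($isDomainController -or $hyperV -or $refsVolumes.Count -gt 0)
}
```

Running the script across a fleet with `Invoke-Command` gives a per-host list of where the withdrawn updates landed on an affected role.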

Windows Server Issues

The Microsoft support team reported that the issue occurs on all versions of Windows Server that the company supports.

Several Reddit users have reported this issue. One commenter said “It looks like KB5009557 (2019) and KB5009555 (2022) are causing some sort of crash on DCs which then reboot every few minutes.”

Another Reddit member stated on Tuesday that after updating to the recently released Windows updates KB5009543 and KB5008876, he found that they were dropping L2TP VPN connections on new machines.

“Now their L2TP cross-site VPNs (all SonicWall) are not working,” a user stated, highlighting an error message that read “The L2TP connection attempt failed because the security layer detected a processing error during the initial negotiation with the remote computer.”

On Thursday, in response to reports of issues with the Windows Server January cumulative updates, BleepingComputer reported that Microsoft has removed those updates from Windows Update.

However, as of Thursday afternoon, despite complaints from users having issues with Windows 10 and Windows 11 Cumulative Updates, Microsoft has reportedly not removed the updates.

Earlier reports of problems with the latest Windows release are mostly exaggerated. In fact, users who are not having problems are likely to ignore calls for patience while Microsoft works on the issue.

Defective patches

How can you convince an organization to quickly patch systems when some patches could cause unexpected downtime for critical infrastructure components, such as directory service controllers?

Experts agree that this poses a security risk. “The log4j difficulties of the past few weeks show that… we need organizations to apply security patches when they are available,” said John Bambenek, head of NetEnrich Threat Hunting. 

Whenever patches don’t serve their purpose, or when they change the way things work, it “provides a counter incentive to patch when organizations take a safe approach to applying updates,” he told Threatpost on Thursday. “Downtime is easily measurable…increased security risk is not, which means that careful (rather than proactive) patching tends to win.”

Bud Broomhead, chief executive officer of Viakoo, said the company’s products allow users to choose between maintaining their business operations and making their systems more secure by running products with known vulnerabilities.

“Organizations make these trade-offs every day with IoT devices that can’t be fixed quickly (or never); however, this is unusual for Windows Server because Windows Update has such efficient mechanisms for quickly delivering and installing fixes.”

Run tests before release

Broomhead cautioned that despite Microsoft’s rigorous testing practices, one of the best ways to prevent problems is to test new updates on a single machine before rolling them out on a large scale.

“This can help Windows Server administrators evaluate their specific issues and their willingness to work in those conditions until a more stable fix is released,” he told Threatpost.

Khorev said that this is closer to reality, but added that “the change will affect all media and platforms.”

“First, it’s very rare that patches are applied directly from Microsoft or any vendor on a Tuesday or any other day without first going through a series of tests to make sure they don’t break the system,” he said.

Considering how difficult Windows support can be, even when security updates come straight from Redmond, it’s no surprise that many companies struggle.

“The eternal trade-off between secure and/or stable production environments isn’t just limited to updates coming from Microsoft,” Horev commented.
