Microsoft has withdrawn an update that caused problems with Windows servers

by Don Sharpe
  • Domain controllers handle log-in requests for computers running the Windows operating system in a domain setup.
  • Microsoft Support has reported that this issue occurs in all versions of Windows Server that the company supports.
  • Microsoft had to pull some of the Windows Server updates it issued on Patch Tuesday after users reported that they had bugs.
  • After installing the recently released Windows updates KB5009543 and KB5008876, users found that the updates broke L2TP VPN connections on new machines.

The patches released on Patch Tuesday have caused several problems, including spontaneous boot loops on Windows servers acting as domain controllers, a broken Hyper-V server role, and unavailable ReFS volumes.

Microsoft pulled the Windows Server updates it issued on Patch Tuesday after users reported that the patches had bugs that broke three features: 

  • They can cause Windows servers that act as domain controllers to crash and reboot in a loop.
  • They make Hyper-V unusable.
  • They prevent ReFS volumes from being used.

Windows users were hit by two pieces of unfortunate news on the same day in January 2022, as Microsoft released 97 security updates in its monthly Patch Tuesday update, which also resulted in broken Windows installations for some users.

Updates

This month’s batch includes the Windows Server 2012 R2 KB5009624 update, the Windows Server 2019 KB5009557 update, and the Windows Server 2022 KB5009555 update. All of these updates have been identified as faulty.

“Administrators of Windows Domain Controllers should be careful about installing the January 2022 security updates,” BornCity stated. 

“I have now received numerous reports that Windows servers acting as domain controllers will not boot afterwards,” Born wrote. “Lsass.exe (or wininit.exe) triggers a blue screen with the stop error 0xc0000005. It can hit all Windows Server versions that act as domain controllers, according to my estimation.”

Domain controllers are servers that process security log-in requests for computers in a Windows domain. Microsoft’s Hyper-V is a hypervisor built into Windows Server that natively creates and manages virtual machines on x86-64 systems running Windows.

The third feature affected by the updates, Resilient File System (ReFS), is a file system designed to safeguard data and keep it intact even when failures occur.
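An inventory check for the three server updates named above, as an added example that is not from the original article or from Microsoft. The KB numbers come from the article; the function name `Get-FaultyUpdateExposure` and the output fields are hypothetical, and the script only reports what it finds.

```powershell
# Added example: report whether this server has one of the January 2022
# updates the article names as faulty, and which affected features it uses.
# KB numbers are from the article; names and output fields are assumptions.
$FaultyServerKBs = @{
    'KB5009624' = 'Windows Server 2012 R2'
    'KB5009557' = 'Windows Server 2019'
    'KB5009555' = 'Windows Server 2022'
}

function Get-FaultyUpdateExposure {
    [CmdletBinding()]
    param([hashtable]$KnownBad = $FaultyServerKBs)

    # Installed updates whose ID matches one of the listed KBs.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KnownBad.ContainsKey($_.HotFixID) })

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = $role -in 4, 5

    # Get-WindowsFeature exists only on Windows Server (ServerManager module).
    $hyperV = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $hyperV = [bool](Get-WindowsFeature -Name Hyper-V).Installed
    }

    # Volumes formatted with ReFS, the third feature the article lists.
    $refs = @(Get-Volume | Where-Object FileSystemType -eq 'ReFS')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        FaultyKBs        = $installed.HotFixID -join ', '
        DomainController = $isDC
        HyperVRole       = $hyperV
        ReFSVolumes      = $refs.Count
        # Flag only hosts that have a listed KB and use an affected feature.
        AtRisk           = ($installed.Count -gt 0) -and
                           ($isDC -or $hyperV -or $refs.Count -gt 0)
    }
}

Get-FaultyUpdateExposure | Format-List
```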

Windows server issues

Microsoft’s Support team has reported that the issue occurs in all versions of Windows Server supported by the company.

Several Reddit users have reported this problem. One commenter said, “Looks like KB5009557 (2019) and KB5009555 (2022) are causing something to fail on domain controllers, which then keep rebooting every few minutes.”

Another Reddit contributor said on Tuesday that, after updating to the recently released Windows updates KB5009543 and KB5008876, he had found that they broke L2TP VPN connections on new machines.

“Now their L2TP VPNs to different sites (All SonicWall’s) are not working,” the user stated, highlighting an error message that read: “The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.”

On Thursday, in response to reports of problems with the January Windows Server cumulative updates, BleepingComputer reported that Microsoft had removed these updates from Windows Update.

As of Thursday afternoon, however, and despite complaints from users who’d experienced problems with the Windows 10 and Windows 11 cumulative updates, Microsoft reportedly hadn’t removed those client updates.

Earlier reports of problems with the latest version of Windows are, for the most part, overblown. In fact, users who aren’t having issues can likely ignore the calls to be patient as Microsoft works things through.

Defective patches

How do you convince organizations to patch systems promptly when some patches can cause unexpected downtime on critical infrastructure components such as directory services controllers?

Experts agree that it presents a security hazard. “The log4j difficulties of the past few weeks demonstrate that … we need organizations to apply security patches when they are available,” indicated John Bambenek, NetEnrich’s Threat Hunting Principal. 

Whenever patches do not serve their intended purpose, or when they alter the normal functioning of things, it “provides the counter incentive to patching where organizations take a risk-averse approach to applying updates,” he told Threatpost on Thursday. “Downtime is easily measurable…the incremental risk of a security breach is not, which means cautious (instead of proactive) actions to patching will tend to win out.”

Bud Broomhead, chief executive officer at Viakoo, said the company’s products allow users to make a choice between keeping their business operations going and making their systems more secure by using products with known vulnerabilities.

“Organizations make these tradeoffs every day with IoT devices that fail to get patched quickly (or ever); however, it’s uncommon to see this with Windows Server, because there are such effective mechanisms through Windows Update to deliver and install patches quickly.”

Run tests prior to release

Broomhead warned that despite Microsoft’s rigorous testing practices, one of the best ways to prevent problems is to test new updates on a single machine before applying them on a larger scale.

“This can help Windows Server administrators to assess their specific issues, and their tolerance for running under those conditions until a more stable patch is available,” he told Threatpost.

Horev said that is closer to reality, but added that “all media and platforms will be impacted by the shift.”

“First, very rarely are patches ever directly applied straight from Microsoft, or any vendor, on Tuesday, or any other day, without first going through a series of tests to make sure they aren’t breaking things,” he indicated.

Given how complicated it can be to support Windows, even when security updates come straight from Redmond, it’s no surprise that many companies struggle.

“The eternal compromise between secure and/or stable production environments doesn’t rest just because the updates are coming from Microsoft,” Horev commented.

Have you experienced any issues with the recently released updates? Share your thoughts with us in the comment section below.