The security system has detected a downgrade attempt when contacting the 3-part spn
The January patch day 2022 (January 11, 2022) brought administrators of Windows Server systems into serious trouble: Hyper-V is bricked, DCs are forced into boot loops, ReFS has been removed, IPSec VPN connections are broken, and so on. Microsoft has confirmed some of these issues and is probably also in the process of withdrawing the updates (they were pulled from Windows Update on Jan. 13th, but are now offered again). Below I try to summarize the current state.
Heavy patch day issues

On January 11, 2022, Microsoft released numerous security updates for Windows, which resulted in severe collateral damage (DC boot loops, VPN connections blocked, ReFS broken, Hyper-V broken). I promptly covered the problems and their consequences in my blogs (see links at the article end). Microsoft has partially confirmed the issues – and the updates weren't offered for a few hours via Windows Update – but they are now available again, as blog readers told me. The following is an outline of the current status.

Boot loop with domain controllers

The January 2022 update for Windows Server triggers cyclic reboots on some domain controllers (sometimes at intervals of 15 minutes). The processes lsass.exe or wininit.exe (depending on the Windows Server version) cause an error 0xc00005 (access denied), which then leads to a reboot. Below is a screenshot of a German system telling the user that the computer will be rebooted automatically within a minute.

[Screenshot: Boot loop on Windows Server 2019]

I had reported the problems in the blog posts "Patchday: Windows 8.1/Server 2012 R2 Updates (January 11, 2022), boot loop reported" and "Windows Server: January 2022 security updates are causing DC boot loop", and also gave hints there on how to uninstall the affected security updates (if necessary, disconnect the network connection to get enough time to uninstall). Potentially affected are updates for the following server versions:
Whether the updates for Windows Server 2008 R2 SP1 are also affected is not known at the moment – I don't have any reader reports and Microsoft hasn't published anything yet. In the meantime, Microsoft has confirmed the issue for Windows Server 2012 and later in this post in the Windows status dashboard.
Until further information from Microsoft is available, the only option is to not install the update if you are affected.

Hyper-V can't start

Update KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) and update KB5009595 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) can cause the Hyper-V host on the affected machine to no longer start. I had reported the issue in the blog post "Windows Server 2012/R2: January 2022 Update KB5009586 bricks Hyper-V Host". Microsoft has confirmed this in support posts, such as the one for KB5009624, and has published this post in the Windows 8.1 and Windows Server 2012 R2 status dashboard:
So the problem is confirmed and is being investigated, and the fix is supposed to be available in one of the upcoming releases. Currently, the only thing left to do is to uninstall the security update in question. Whether Hyper-V on other Windows Server versions is affected, I can't say exactly at the moment. Anyone who has problems with other Hyper-V versions can leave a comment.

ReFS support missing after Windows Server 2012 R2 updates

After installing updates KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) and KB5009595 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2), support for the ReFS file system is missing. German blog reader Olaf Becker reported the bug in this comment (I've translated his report).
A German blog reader confirmed in this comment that the bug also affects Windows Server 2012 (without R2). On reddit.com there is this post, which points out that this may kill Exchange servers (I got confirmation in other comments).
However, the .NET update suspected there is not the cause; the cause is update KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2). The only thing left to do is to uninstall the update – although Microsoft has not yet commented on this. On Facebook, German blog reader Patrick Pa reported to me another strange observation about update KB5009543 for Windows 10 21H2, which I'll just reproduce here, translated, without further comment.
Patrick stopped the distribution of this update in WSUS for now.

IPSec VPN connections broken

I had described this issue in the blog post "Windows VPN connections (L2TP over IPSEC) broken after January 2022 update". Due to the January 11, 2022 security updates, VPN connections that use IPSEC are broken. This affects both L2TP and IKEv2 (see this comment), causing problems for many users.
For example, the flaw causes VPN connections to Cisco Meraki MX appliances, Ubiquiti or Meraki MX to fail. The gateways from Mikrotik and Fortigate as well as SonicWall instances can also no longer be reached. Microsoft has confirmed this bug; blog reader PeDe has thankfully posted the links to the Windows Health Dashboard in this German comment. A Microsoft post states:
This means that Windows 10 and Windows 11 clients, as well as Windows Server 2016 through 2022, are affected. As a workaround, Microsoft suggests disabling the vendor IDs on the VPN server to mitigate the Windows 10 and Windows 11 VPN bug. However, not all VPN servers allow vendor ID disabling.

Windows January 2022 updates withdrawn?

It is unclear whether Microsoft has now withdrawn the updates. Since yesterday (13.1.2022) there have been numerous comments here in the blog saying that the updates are no longer offered via Windows Update. The colleagues from Bleeping Computer also report something like this in this tweet. Colleague Lawrence Abrams wrote:
But I'm not sure if this is true, because I was still able to locate the updates in the Microsoft Update Catalog – and the updates are still available in WSUS. This morning (January 14, 2022) I received several user comments in my German blog reporting that the updates are now available via Windows Update. Seems we have chaos days in Redmond.

Some bugs partially fixed

But at least the Outlook search bug caused by the December 2021 update (December 2021 security update KB5008212 kills Outlook Search) was fixed with the January 2022 Windows updates, although this German comment in my blog states that the search only works in cache mode. And the Access bug from December 2021 doesn't seem to be completely fixed yet either (see the following links). Some readers told me that the issue is gone after installing the Office updates from January 11, 2022. Others still reported issues in Access when working with multiple users on UNC paths.

Similar articles:
Windows Server: January 2022 security updates are causing DC boot loop
Patchday: Microsoft Office December 2021 updates (14.12.2021) causes Access issues

What is 3 part SPN?

An SPN consists of either two parts or three parts, each separated by a forward slash ("/"). The first part is the service class, the second part is the host name, and the third part (if present) is the service name.
What is Microsoft Windows Ntlmssp detection?

The Windows NT LAN Manager (NTLM) protocol is used for client-server authentication, and the NTLM Security Support Provider (NTLMSSP) allows negotiation of challenge-response authentication. NTLM is mostly used for backward compatibility and was replaced by Kerberos.
What is Lsasrv service?

The Local Security Authority service (Lsasrv, %SystemRoot%\System32\Lsasrv.dll), a library that LSASS loads, implements most of this functionality. LSASS policy database: a database that contains the local system security policy settings.
What is 0xC000018B?

For example, the error 0xC0000022 means the computer account's password is invalid, while the error 0xC000018B means the computer account has been deleted, and so on.
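The SPN format and the two status codes described above can be combined into a small triage helper for "downgrade attempt when contacting the 3-part SPN" messages. This is an added example, not code from the original page or from Microsoft; it goes beyond the text by accepting the optional ":port" suffix on the host part, and the sample message, its layout after the title phrase, and all host and domain names are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

class SPN(NamedTuple):
    service_class: str
    host: str
    port: Optional[int]           # optional ":port" suffix on the host part
    service_name: Optional[str]   # present only in a 3-part SPN

    @property
    def parts(self) -> int:
        return 2 if self.service_name is None else 3

def parse_spn(spn: str) -> SPN:
    """Split 'class/host[:port][/service name]' into its fields."""
    fields = spn.strip().split("/")
    if len(fields) not in (2, 3) or not all(fields):
        raise ValueError(f"not a 2- or 3-part SPN: {spn!r}")
    host, sep, port = fields[1].partition(":")
    if not host or (sep and not port.isdigit()):
        raise ValueError(f"bad host[:port] in SPN: {spn!r}")
    return SPN(fields[0], host, int(port) if sep else None,
               fields[2] if len(fields) == 3 else None)

# Meanings exactly as given in the text above.
STATUS_MEANING = {
    0xC0000022: "computer account's password is invalid",
    0xC000018B: "computer account has been deleted",
}

# Assumed layout: the SPN follows "3-part SPN", the status code sits in parentheses.
EVENT_RE = re.compile(r"3-part SPN\s+(?P<spn>\S+).*?\((?P<code>0x[0-9A-Fa-f]{8})\)", re.S)

def triage(message: str):
    """Return (SPN, status code, meaning) for a downgrade event, else None."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    return parse_spn(m.group("spn")), code, STATUS_MEANING.get(code, "not covered here")

# Constructed sample message (hypothetical host and domain names).
SAMPLE_EVENT = ("The Security System has detected a downgrade attempt when contacting "
                "the 3-part SPN ldap/dc01.corp.example.test/corp.example.test "
                "with error code (0xc000018b). Authentication was denied.")

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
    print(parse_spn("MSSQLSvc/sql01.corp.example.test:1433"))
```
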