The security system has detected a downgrade attempt when contacting the 3-part spn

[German]The January patch day 2022 (January 11, 2022) brought administrators of Windows Server systems into serious trouble: Hyper-V is bricked, DCs are force into boot loops, ReFS has been removed, IPSec VPN connections are broken, and so on. Microsoft has confirmed some of these issues and is probably also in the process of withdrawing the updates (it has been pulled on Windows Update on Jan. 13th, but are now offered again). Below I try to summarize the current state.

Heavy patch day issues

On January 11, 2022, Microsoft did release numerous security updates for Windows, which resulted in severe collateral damage (DC boot loops, VPN connections blocked, ReFS broken, Hyper-V broken). The problems whose consequences were promptly addressed in my blogs (see links at the article end). Microsoft has partially confirmed the issues – and the updates hasn't been offered for a few hours via Windows Update – but now are available again, as blog readers told me. The following is an outline of the current status.

Boot loop with domain controllers

The January 2022 update for Windows Server triggers cyclic reboots on some domain controllers (sometimes at intervals of 15 minutes). The processes lsass.exe or wininit.exe (depending on the Windows Server version) cause an error 0xc00005 (access denied), which then leads to a reboot. Below is a screenshot of a German system telling the user that the computer will be rebootet automatically within a minute.

Boot Loop on Windows Server 2019

I had reported the problems in the blog posts Patchday: Windows 8.1/Server 2012 R2 Updates (January 11, 2022), boot loop reported and Windows Server: January 2022 security updates are causing DC boot loop, and also gave hints there on how to uninstall the affected security updates (if necessary, disconnect the network connection to get enough time to uninstall). Potentially affected are updates for the following server versions:

• Update KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2)
• Update KB5009595 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2)
• Update KB5009586 (Monthly Rollup for Windows Server 2012, Windows Embedded 8 Standard)
• Update KB5009619 (Security Only Quality Update for Windows Server 2012, Windows Embedded 8 Standard)
• Update KB5009543 (Windows 10 Version 20H2 – 21H2 und Windows Server Version 20H2)
• Update KB5009545 (Windows 10 Enterprise Version 1909 und Windows Server 2019)
• Update KB5009557 (Windows 10 Enterprise Version 1909 LTSC und Windows Server 2018)
• Update KB5009546 (Windows Server 2016)
• Update KB5009555 (Windows Server 2022) – see also Patchday: Windows 11 Updates (January 11, 2022)

Whether also the updates for Windows Server 2008 R2 SP1:

• Update KB5009610 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1)
• Update KB5009621 (Security-only update) steht für Windows 7 SP1 und Windows Server

is not known at the moment – I don't have any reader's notes and Microsoft hasn't published anything yet. In the meantime, Microsoft has confirmed the issue for Windows Server 2012 and later within this post in the Windows status dashboard.

After installing KB5009624 on domain controllers (DCs), affected versions of Windows Servers might restart unexpectedly. Note: On Windows Server 2016 and later, you are more likely to be affected when DCs are using Shadow Principals in Enhanced Security Admin Environment (ESAE) or environments with Privileged Identity Management (PIM).

Next steps: We are presently investigating and will provide an update in an upcoming release.

Affected platforms:

• Client: None
• Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012

Until further information from Microsoft is available, the only option is to not install the update if you are affected.

Hyper-V can't start

Update KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) and update KB5009595 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) an cause the Hyper-V host on the affected machine to no longer start. I had reported the issue in the blog post Windows Server 2012/R2: January 2022 Update KB5009586 bricks Hyper-V Host. 

Microsoft has confirmed this in support posts like for KB5009624, and has published this post in the Windows 8.1 and Windows Server 2012 R2-status dashboard:

After installing KB5009624 on devices using UEFI, virtual machines (VMs) in Hyper-V might fail to start.

Next steps: We are presently investigating and will provide an update in an upcoming release.

Affected platforms:

• Client: Windows 8.1
• Server: Windows Server 2012 R2; Windows Server 2012

So the problem is confirmed, and is being investigated, and the fix is supposed to be available in one of the upcoming releases. Currently, the only thing left to do is to uninstall the security update in question. If the Hyper-V of other Windows Server versions is affected, I can't say exactly at the moment. If someone has problems with other Hyper-V versions, he can leave a comment.

ReFS support missing after Windows Server 2012 R2 updates

After installing updates KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) and KB5009595 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) support for the ReFS file system is missing. German blog reader Olaf Becker reported the bug in this comment (I've translated his report).

Yet another problem has surfaced.

On all Windows 2012 R2 servers, all ReFs volumes are in RAW format after installation.

The cause seems to be KB5009624. After uninstalling the update and rebooting the server, the disks are back.

German blog reader confirmed within this comment this bug also for Windows Server 2012 (without R2). On reddit.com there is this post, which points out that this may kill Exchange servers (I got confirmation in other comments).

January Updates ReFS became RAW for Database Volumes

Installed these updates tonight, in a two server Exchange 2016 CU22 DAG, running on Server 2012 R2. After a really long reboot, the server came back up with all the ReFS volumes as RAW. NTFS volumes attached were fine. I realize this is not exclusively an exchange question but it is impacting my ability to bring services for Exchange back online.

After further troubleshooting I uninstalled all the updates except the new SU, and now after another long reboot the drives are showing as readable ReFS again! Looking at the status of these database now, it looks like I am going to be doing a re-seed now :(

Anyone have any ideas? dot.net update broke the ability to mount ReFS?

However, the .NET update suspected there is not the cause, but update KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2). The only thing left to do is to uninstall the update – although Microsoft has not yet commented on this. 

On Facebook German blog reader Patrick Pa reported me another strange observation about the update KB5009543 for Windows 10 21H2, which I'll just reproduce here translated without further comment. 

I haven't found anything about it on the net yet, but I would like to note a peculiarity about KB5009543 2022-01 CU for Windows 10 21H2.

When I installed that the day before yesterday, suddenly a VHDX mounted over the network that is Bitlocker encrypted started behaving strangely. After some time, the drive was no longer accessible in Windows Explorer.

Usually you see in the computer overview at the drive, the memory usage graphically displayed. This was also no longer there. If you tried to open the drive, the Windows Explorer did not react and the Task Manager could not be started.

The disk management also hung. The Dell Latitude 5510 laptop could not be restarted either. Windows was stuck in "Shutting down". I had to shut down the device hard. The behavior reproduced itself several times. After uninstalling KB5009543 everything runs stable again.

Patrick stopped the distribution of this update in WSUS for now.

IPSec VPN connections broken

I had described this issues in the blog post Windows VPN connections (L2TP over IPSEC) broken after January 2022 update. Due to the January 11, 2022 security updates, VPN connections that use IPSEC are broken. This affects both L2TP and IKEv2 (see this comment), causing problems for many users.

In my blog, there is this comment that L2TP was compromised back in 2015. The user refers to this article where the use of L2TP/IPsec (as of IKEv1 IPSec) was advised against.

The flaw results in VPN connections to Cisco Meraki MX appliances, Ubiquiti or Meraki MX failing, for example. The gateways from Mikrotik and Fortigate as well as SonicWall instances can also no longer be reached.

Microsoft has confirmed this bug, blog reader PeDe has thankfully posted the links to the Windows Health Dashoard in this German comment. A Microsoft post states: 

Certain IPSEC connections might fail

After installing KB5009557, IP Security (IPSEC) connections which contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected.

Workaround: To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings. Note: Not all VPN servers have the option to disable Vendor ID from being used.

Next steps: We are presently investigating and will provide an update in an upcoming release.

Affected platforms:

• Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB
• Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016

This means that Windows 10 and Windows 11 clients, as well as Windows Server 2016 through 2022, are affected. As a workaround, Microsoft suggests disabling the vendor IDs on the VPN server to mitigate the Windows 10 and Windows 11 VPN bug. However, not all VPN servers allow vendor ID disabling.

Windows January 2022 updates withdrawn?

It is unclear whether Microsoft has now withdrawn the updates. Here in the blog there are since yesterday (13.1.2022) numerous references that the updates are no longer offered via Windows Update. 

The colleagues from Bleeping Computer also report something like this in this tweet. Colleague Lawrence Abrams wrote:

While Microsoft has not officially announced that they pulled the updates, BleepingComputer can confirm we are no longer being offered the Windows Server 2019 KB5009557 update. Admins have told us that the other versions have been pulled as well.

But I'm not sure, if this is true, because I was able to locate the updates still in Microsoft Update Catalog – and the updates are still available in WSUS. This morning (January 14, 2022) I received several user comments within my German blog, reporting, that the updates are now available via Windows Update. Seems we have chaos days in Redmond.

Some bugs partially fixed

But at least the Outlook search bug caused by the December 2021 update (December 2021 security update KB5008212 kills Outlook Search) was fixed with the January 2022 Windows updates. Although this German comment within my blog states that the search only works in cache mode. And the access bug from December 2021 doesn't seem to be completely fixed yet either (see the following links). Some reader told me, that the issue is gone after installing Office updates from January 11, 2022. Others reported still issues in Access working with multi users on UNC paths.

Similar articles:
Windows Server: Out-of-Band Update fixes Remote Desktop issues (2022/01/04)
Microsoft Office Updates (January 4, 2022)
Microsoft Security Update Summary (January 11, 2022)
Patchday: Windows 8.1/Server 2012 R2 Updates (January 11, 2022), boot loop reported
Patchday: Windows 10 Updates (January 11, 2022)
Patchday: Windows 11 Updates (January 11, 2022)
Patchday: Updates for Windows 7/Server 2008 R2 (January 11, 2022)

Windows Server: January 2022 security updates are causing DC boot loop
Windows VPN connections (L2TP over IPSEC) broken after January 2022 update
Windows Server 2012/R2: January 2022 Update KB5009586 bricks Hyper-V Host

Patchday: Microsoft Office December 2021 updates (14.12.2021) causes Access issues
Microsoft confirms issues in all Access versions after December 2021 Update
Status of the access bug after December 2021 update (2022/01/03)
Access Lock Bug: Where the December 2021 Fixes Fail
December 2021 security update KB5008212 kills Outlook Search

What is 3 part SPN?

What is Microsoft Windows Ntlmssp detection?

What is Lsasrv service?

What is 0xC000018B?