Microsoft: April Windows Server updates also cause crashes, reboots

Microsoft has confirmed that last month's Windows Server security updates may also cause domain controller reboots after the Local Security Authority Subsystem Service (LSASS) process crashes.

LSASS is a Windows service that handles security policies, user logins, access token creation, and password changes.

The list of impacted Windows versions and buggy security updates includes Windows Server 2022 (KB5036909), Windows Server 2019 (KB5036896), Windows Server 2016 (KB5036899), Windows Server 2012 R2 (KB5036960), Windows Server 2012 (KB5036969), Windows Server 2008 R2 (KB5036967), and Windows Server 2008 (KB5036932).

"In rare instances, Windows Servers running the Domain Controller (DC) role might experience Local Security Authority Subsystem Service (LSASS) crashes resulting in a reboot," Microsoft explains in a new update added to the Windows release health dashboard.

Microsoft released emergency out-of-band (OOB) updates to resolve other Windows Server crash issues caused by LSASS memory leaks after installing the March 2024 Windows Server security updates.

The company addressed other LSASS crash issues in December 2022 and March 2022 after widespread admin reports of domain controller reboots.

NTLM auth failures and VPN issues

As previously acknowledged by Microsoft, the April 2024 Windows security updates are also causing NTLM authentication failures and high load on impacted domain controllers.

Additionally, users across client and server Windows platforms are also being impacted by VPN connection failures.

While Redmond has yet to provide information on the root cause and is still working on a fix, small and large enterprise customers are advised to reach out through the "Support for Business" portal and home users to use the Windows Get Help app if they need support.

Currently, there is no official workaround on affected systems until Microsoft releases a fix. However, you can still temporarily fix these known issues by uninstalling the security problematic updates.

"To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages," Microsoft says.

However, it's also important to note that Redmond also includes security fixes in the Patch Tuesday cumulative update; hence, removing the April 2024 updates to resolve the domain controller, NTLM, and VPN issues will also wipe all fixes for patched security vulnerabilities.