When installing updates, there is always the risk of rogue updates: updates that break functionality, unannounced, unexpected and unsettling. Microsoft is currently investigating such a possible side effect of the January 11, 2022 updates on Active Directory Domain Controllers.
About the issue
Domain Controllers may reboot unexpectedly and keep rebooting. Event ID 1000 is logged right before these reboots, reporting that lsass.exe failed with stop error 0xc0000005 (access violation), status code -1073741819, and pointing to msv1_0.dll as the culprit.
The Local Security Authority Subsystem Service (LSASS) is responsible for enforcing the security policy on the system. It verifies users signing in to a Windows or Windows Server installation, handles password changes, and creates access tokens. It also writes to the Windows Security Log. Forcible termination of lsass.exe results in a restart of the Domain Controller. The restarts are the actual recovery process, not the problem.
Unconfirmed details and symptoms
At this time, there are a couple of unconfirmed details and symptoms about this issue:
- Domain Controllers running Windows Server 2012 R2, Windows Server 2019 and Windows Server 2022 seem most affected.
- Domain Controllers in environments with Exchange Servers seem most affected.
- Read-only Domain Controllers seem unaffected.
About the updates
The following updates are available for Windows Server installations as part of the January 11, 2022 updates:
- Windows Server 2012: KB5009586
- Windows Server 2012 R2: KB5009624
- Windows Server 2016: KB5009546
- Windows Server 2019: KB5009557
- Windows Server, version 20H2: KB5009543
- Windows Server 2022: KB5009555
Active Directory admins experiencing continually rebooting Domain Controllers report that they have stopped the reboots by disconnecting the network connection and uninstalling the January 11th, 2022 update from these systems. They then rebooted the systems and, after this, reconnected the network connection.
On Domain Controllers running Windows Server 2012 R2 where only the security-only updates are installed, uninstalling KB5009595 also seems sufficient.
To uninstall these updates, run the following command line:
- Windows Server 2012 R2: wusa.exe /uninstall /kb:5009624
- Windows Server 2019: wusa.exe /uninstall /kb:5009557
- Windows Server 2022: wusa.exe /uninstall /kb:5009555
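Before uninstalling anything, it helps to confirm that a Domain Controller actually shows the Event ID 1000 signature described above and which of the listed updates it has installed. The following PowerShell is an added example, not part of the original post or any Microsoft guidance; the function names are hypothetical, the sample event text and `KB0000000` are constructed, and it assumes the crash is recorded in the Application log.

```powershell
# Added example. KB numbers are the ones listed in this post.
$JanuaryKBs = 'KB5009586','KB5009624','KB5009546','KB5009557',
              'KB5009543','KB5009555','KB5009595'

function Test-LsassCrashSignature {
    # True when an Event ID 1000 message names lsass.exe, msv1_0.dll and
    # exception 0xc0000005 together (-match is case-insensitive).
    param([string]$Message)
    return ($Message -match 'lsass\.exe') -and
           ($Message -match 'msv1_0\.dll') -and
           ($Message -match '0xc0000005')
}

function Get-DcUpdateTriage {
    # Takes plain strings so it can be run against exported data as well
    # as against the live system.
    param(
        [string[]]$InstalledKBs,    # e.g. (Get-HotFix).HotFixID
        [string[]]$EventMessages    # message text of Event ID 1000 records
    )
    $crashes = @($EventMessages | Where-Object { Test-LsassCrashSignature -Message $_ })
    $found   = @($InstalledKBs  | Where-Object { $_ -in $JanuaryKBs })
    [pscustomobject]@{
        JanuaryUpdates  = $found
        LsassCrashCount = $crashes.Count
        MatchesIssue    = ($found.Count -gt 0) -and ($crashes.Count -gt 0)
    }
}

# Constructed sample input (abbreviated event text, placeholder KB0000000).
$sampleMessages = @(
    "Faulting application name: lsass.exe`nFaulting module name: msv1_0.dll`nException code: 0xc0000005",
    "Faulting application name: notepad.exe`nException code: 0xc0000005"
)
Get-DcUpdateTriage -InstalledKBs 'KB5009557','KB0000000' -EventMessages $sampleMessages

# On a live Domain Controller (elevated prompt). Get-WinEvent writes an error
# when no records match, so that case is silenced and treated as "no crashes".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000 } `
                       -ErrorAction SilentlyContinue
Get-DcUpdateTriage -InstalledKBs (Get-HotFix).HotFixID -EventMessages $events.Message
```

For the constructed sample, only the first message matches, so the result reports one crash and `KB5009557` as the installed January update.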
I’m not a fan of not having critical updates installed, but in this case I feel it may be wise to wait 10 days before installing the January 11th, 2022 updates on Domain Controllers. My experience is that serious problems like the above problem are addressed within that timeframe.