In Windows 10 20H2 (and 2004), the Local Security Authority Subsystem Service (lsass.exe) crashes for some users in certain scenarios (mostly after upgrading from Windows 7). Microsoft has now published details about this bug and the reason for the crashes.
What exactly is the lsass.exe crash issue?
German blog reader Roman contacted me in the blog about problems with group management under Windows 10 20H2. Roman suffers from crashes of Lsass.exe (the Local Security Authority Subsystem Service) on his system. Roman wrote:
Now there is a new error in the 20H2 update. lsass.exe crashes e.g. in the computer management when you want to list the groups, but also in many other constellations.
But with a different error number than in June. This time it is the error c0000374. But with PowerShell you can display all groups and also change memberships.
I did some research and found other users who could confirm this behavior. It turned out that the bug is probably more common on systems that have been updated from Windows 7 to Windows 10 20H2. A new installation of Windows 10 20H2 solved the issue (see my blog post Windows 10 20H2: lsass.exe crashes (Oct. 2020) and the related comments for details).
From my English-speaking blog readers there were two cryptic hints. Blog reader Seth asked in this comment: "Did you have the guest account renamed with GP on any of the affected systems prior to updating to 20H2?" And blog reader Hans Verduyck wrote in this comment:
eventtrac Replied on November 5, 2020
LSASS crashes on 20H2 devices if built-in accounts in the local SAM account database were renamed on the OS being in-place upgraded to 20H2.
I couldn't do much with that, but the two pieces of the puzzle fell into place. I had also escalated the problem via the US Microsoft Answers forum to all Microsoft moderators and asked them to forward it to the developers. In addition, the Microsoft social media teams responsible for updates and Windows IT-Pro functions had been alerted by me via Twitter to the English-language blog post.
Microsoft discloses details of the lsass.exe problem
With the feedback of blog reader Hans Verduyck I got further and found a Microsoft support post, "After updating to Windows 10, version 20H2, you might receive an error when accessing the sign-in options or users MMC snap-in", which explains the whole problem. There Microsoft writes:
After upgrading to Windows 10, version 20H2, you might receive the error in LSASS.exe with the text "Your PC will automatically restart in one minute" when interacting with any dialog window that lists users, for example accessing the sign-in options settings app page or the users folder in the Local user and groups MMC snap-in. This issue only affects devices in which any of the local built-in accounts have been renamed, such as Administrator or Guest. You might also receive an error in the Application Event log with Event ID 1015 that LSASS.EXE failed with status code C0000374.
This is exactly the error scenario I described in my blog post above. But there is a hint that the cause is a renaming of the built-in user accounts (can only be Administrator and Guest).
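A check that follows from Microsoft's description, as an added example that is not code from Microsoft or from this blog post: it lists built-in accounts (RID 500 and 501) whose names differ from the defaults and searches the Application log for Event ID 1015 with status code C0000374. The function names and the English default account names are assumptions; localized Windows installations use other default names.

```powershell
# Added example: check a machine for the condition described above before an
# in-place upgrade, and look for the crash signature afterwards.
# Assumption: English default names. On localized Windows the defaults differ
# (adjust the table), otherwise every account is reported as renamed.
$defaultNames = @{ '500' = 'Administrator'; '501' = 'Guest' }

function Get-RenamedBuiltInAccount {
    Get-LocalUser | ForEach-Object {
        # The RID is the last component of the SID; 500 and 501 are the
        # well-known RIDs of the built-in Administrator and Guest accounts.
        $rid = ($_.SID.Value -split '-')[-1]
        if ($defaultNames.ContainsKey($rid) -and $_.Name -ne $defaultNames[$rid]) {
            [pscustomobject]@{
                Rid         = $rid
                CurrentName = $_.Name
                DefaultName = $defaultNames[$rid]
                Enabled     = $_.Enabled
            }
        }
    }
}

function Get-LsassCrashEvent {
    # Event ID 1015 in the Application log with status code C0000374,
    # as quoted from the Microsoft support article.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1015 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' -and $_.Message -match 'c0000374' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

$renamed = @(Get-RenamedBuiltInAccount)
$crashes = @(Get-LsassCrashEvent)

if ($renamed.Count -gt 0) {
    Write-Warning 'Built-in accounts have been renamed on this machine:'
    $renamed | Format-Table -AutoSize
} else {
    Write-Output 'Built-in Administrator and Guest accounts carry their default names.'
}

if ($crashes.Count -gt 0) {
    Write-Warning "Found $($crashes.Count) lsass.exe crash event(s) with status C0000374:"
    $crashes | Format-List TimeCreated, ProviderName, Message
} else {
    Write-Output 'No Event ID 1015 entries for lsass.exe with status C0000374 found.'
}
```

In a domain the account names are often set through the Group Policy settings "Accounts: Rename administrator account" and "Accounts: Rename guest account", so a machine that reports a renamed account here will usually have siblings under the same policy.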
Microsoft sets Upgrade holds
To improve the update experience for users, Microsoft has defined a compatibility upgrade blocker for affected machines that prevents them from being upgraded to Windows 10 version 2004 or Windows 10 version 20H2. Anyone attempting to upgrade such machines to Windows 10 version 2004 or Windows 10 version 20H2 will receive the following message:
This PC cannot be upgraded to Windows 10. Your PC settings are not yet supported on this version of Windows 10. Windows Update will automatically offer you this version of Windows 10 if these settings are supported.
The screenshot above shows the English language message that Microsoft published in the support article. Microsoft is working on a solution for this problem and will release an update with a fix in one of the coming weeks. In the coming weeks the Microsoft developers also want to provide updated bundles and refreshed media to prevent the problem.
But there is a workaround
Microsoft also advises against attempting to manually update Windows using the Update Now button or forcing the update with the Media Creation Tool (MCT); instead, wait until the above fix is available and installed. If the system has already been updated and the bug occurs, Microsoft recommends that you roll back to the previous version of Windows.
The workaround I suggest for users who want or need to upgrade to the new Windows 10 version: Do not upgrade, but instead perform a fresh installation of Windows 10 2004 or 20H2. Then the error will not occur, according to my information so far (no built-in account names have been renamed yet). A so-called in-place upgrade as a repair installation should not help because it cannot change the original problem (renamed accounts).
Note: I've learned that renaming built-in accounts is a common security measure in enterprise systems.