I'll pull it out separately as a blog post. Administrators of Windows Domain Controllers should be careful about installing the January 2022 security updates. I have now received numerous reports that Windows servers acting as domain controllers will not boot afterwards. Lsass.exe (or wininit.exe) triggers a blue screen with the stop error 0xc0000005. It can hit all Windows Server versions that act as domain controllers, according to my estimation.
January 2022 updates address Active Directory bug
I listed it in the Patchday blog posts linked at the end of the article. In all the security updates for Windows Server (e.g., Update KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2)), it states:
Addresses a Windows Server issue in which Active Directory attributes are not written correctly during a Lightweight Directory Access Protocol (LDAP) modify operation with multiple specific attribute changes.
However, something seems to have gone wrong, because the security update can trigger a boot loop on Windows servers that act as domain controllers.
Boot loop on Windows Server DCs
German blog reader John L. contacted me via email back on January 11, 2022, and pointed out a serious problem related to the update. The module lsass.exe, version: 6.3.9600.17415, triggers an error 0xc0000005 (access violation) via the library msv1_0.DLL, version: 6.3.9600.20239, so that the server gets into a boot loop.
""Name of the corrupt application: lsass.exe, version: 6.3.9600.17415, timestamp: 0x545042fe
Name of the corrupt module: msv1_0.DLL, version: 6.3.9600.20239, timestamp: 0x61c1a5c8
Exception Code: 0xc0000005
ID of the faulty process: 0x1f4
Start time of the faulty application: 0x01d8072ac5b2c15a
Path of the faulty application: C:\Windows\system32\lsass.exe
Path of the corrupted module: C:\Windows\system32\msv1_0.DLL
Full name of the corrupted package:
Application ID relative to the corrupted package: "".
I had already addressed this in the blog post Patchday: Windows 8.1/Server 2012 R2 Updates (January 11, 2022), boot loop reported, possible boot issues. John had the following advice:
I want to advise against rolling back snapshots, especially on DCs, so as not to provoke USN rollbacks.
Workaround: prevent one of the two DCs from booting, then uninstall today's hotfixes first on one and then on the other DC.
In the comments of my blog post above (and its German counterpart), other blog readers confirm this problem. The workaround is to uninstall the January 11, 2022 security update.
Tip: To keep the DC from restarting too quickly during the uninstall, just deactivate the network connection (pull the plug or deactivate the network driver).
German blog reader MOM20xx had the boot loop even after uninstalling the update and notes that the security-only update KB5009595 should also be uninstalled on the domain controllers.
Probably affects all versions of Windows Server DCs
German blog reader Simon wrote in this comment that it also affects Windows Server 2016/2019 Domain Controllers. He then posted the following dump excerpt.
The process wininit.exe has initiated the restart of computer DC on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.
Faulting application name: lsass.exe, version: 10.0.14393.4704, time stamp: 0x615be0cd
Faulting module name: lsadb.dll, version: 10.0.14393.4886, time stamp: 0x61d5242f
Exception code: 0xc0000005
Fault offset: 0x000000000001be5b
Faulting process id: 0x2a8
Faulting application start time: 0x01d8077b1080a9da
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\lsadb.dll
Report Id: e14067b5-aac7-46a4-9e21-cc45371c522a
Faulting package full name:
Faulting package-relative application ID:
So here wininit.exe triggers the error 0xc0000005 on the domain controller. I also received feedback on Facebook that update KB5008873 on Windows Server 2019 is causing the AD controllers to restart (the AD controller is restarted every 15 minutes).
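The two lines of Simon's excerpt describe the same failure in different notations: the status code -1073741819 in the wininit.exe comment is the signed 32-bit form of the exception code 0xc0000005. The following Python helper is an added example (not part of the original post and not Microsoft code) that normalizes both forms and flags an lsass.exe access violation in exported event text; the function names are assumptions, and the benign record is constructed.

```python
import re

ACCESS_VIOLATION = 0xC0000005  # NTSTATUS access violation, as reported in the excerpts

def to_ntstatus(text):
    """Normalize '0xc0000005' or '-1073741819' to an unsigned 32-bit value."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text)
    return value & 0xFFFFFFFF

# "Name: value, version: ..." fields of an application error record
FIELD = re.compile(
    r"^(Faulting application name|Faulting module name|Exception code):[ \t]*([^,\r\n]+)",
    re.M)
# Comment text of the restart event initiated by wininit.exe
TERMINATED = re.compile(
    r"process '([^']+)' terminated unexpectedly with status code (-?\d+)")

def triage(event_text):
    """Summarize one exported event record and flag the lsass.exe crash."""
    fields = {k: v.strip() for k, v in FIELD.findall(event_text)}
    app = fields.get("Faulting application name", "").lower()
    module = fields.get("Faulting module name", "").lower()
    status = to_ntstatus(fields["Exception code"]) if "Exception code" in fields else None
    match = TERMINATED.search(event_text)
    if match:
        app = app or match.group(1).rsplit("\\", 1)[-1].lower()
        if status is None:
            status = to_ntstatus(match.group(2))
    return {"application": app, "module": module, "status": status,
            "lsass_access_violation": app == "lsass.exe" and status == ACCESS_VIOLATION}

# Lines copied from the reader's excerpt above
WININIT_EVENT = r"""Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart."""
APP_ERROR_EVENT = r"""Faulting application name: lsass.exe, version: 10.0.14393.4704, time stamp: 0x615be0cd
Faulting module name: lsadb.dll, version: 10.0.14393.4886, time stamp: 0x61d5242f
Exception code: 0xc0000005"""
# Constructed record for comparison (not from the post)
BENIGN_EVENT = """Faulting application name: example.exe, version: 1.0.0.0, time stamp: 0x00000000
Faulting module name: example.dll, version: 1.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000409"""

if __name__ == "__main__":
    for record in (WININIT_EVENT, APP_ERROR_EVENT, BENIGN_EVENT):
        print(triage(record))
```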
Boot-Loop on Windows Server 2019
If anyone needs some more hints on how to uninstall the update in a Windows PE environment, I'll refer them to How to Remove Updates from Windows Recovery Environment (WinRE).
In addition, I got reports that VMs on Server 2012 R2 Hypervisor do not start anymore. The error message is that the hypervisor is not running: Hypervisor launch failed; The operating systems boot loader failed with error 0xC00000BB. This is probably update KB5009624 for Server 2012 R2 – just as a hint, if there should be problems under Windows Server 2016 – 2019. See also the links below.
And we have reports that the Windows Server 2012 R2 January 11, 2022 security update removes ReFS support.
Microsoft Office Updates (January 4, 2022)
Microsoft Security Update Summary (January 11, 2022)
Patchday: Windows 8.1/Server 2012 R2 Updates (January 11, 2022), boot loop reported
Patchday: Windows 10 Updates (January 11, 2022)
Patchday: Windows 11 Updates (January 11, 2022)
Patchday: Updates for Windows 7/Server 2008 R2 (January 11, 2022)
Windows Server: January 2022 security updates are causing DC boot loop
Windows VPN connections (L2TP over IPSEC) broken after January 2022 update
Windows Server 2012/R2: January 2022 Update KB5009586 bricks Hyper-V Host