Microsoft patch day issues Jan. 2022: bugs confirmed, but updates not pulled

Windows[German]The January patch day 2022 (January 11, 2022) brought administrators of Windows Server systems into serious trouble: Hyper-V is bricked, DCs are force into boot loops, ReFS has been removed, IPSec VPN connections are broken, and so on. Microsoft has confirmed some of these issues and is probably also in the process of withdrawing the updates (it has been pulled on Windows Update on Jan. 13th, but are now offered again). Below I try to summarize the current state.


Advertising

Heavy patch day issues

On January 11, 2022, Microsoft did release numerous security updates for Windows, which resulted in severe collateral damage (DC boot loops, VPN connections blocked, ReFS broken, Hyper-V broken). The problems whose consequences were promptly addressed in my blogs (see links at the article end). Microsoft has partially confirmed the issues – and the updates hasn't been offered for a few hours via Windows Update – but now are available again, as blog readers told me. The following is an outline of the current status.

Boot loop with domain controllers

The January 2022 update for Windows Server triggers cyclic reboots on some domain controllers (sometimes at intervals of 15 minutes). The processes lsass.exe or wininit.exe (depending on the Windows Server version) cause an error 0xc00005 (access denied), which then leads to a reboot. Below is a screenshot of a German system telling the user that the computer will be rebootet automatically within a minute.

Boot-Loop bei Windows Server 2019
Boot Loop on Windows Server 2019

I had reported the problems in the blog posts Patchday: Windows 8.1/Server 2012 R2 Updates (January 11, 2022), boot loop reported and Windows Server: January 2022 security updates are causing DC boot loop, and also gave hints there on how to uninstall the affected security updates (if necessary, disconnect the network connection to get enough time to uninstall). Potentially affected are updates for the following server versions:

  • Update KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2)
  • Update KB5009595 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2)
  • Update KB5009586 (Monthly Rollup for Windows Server 2012, Windows Embedded 8 Standard)
  • Update KB5009619 (Security Only Quality Update for Windows Server 2012, Windows Embedded 8 Standard)
  • Update KB5009543 (Windows 10 Version 20H2 – 21H2 und Windows Server Version 20H2)
  • Update KB5009545 (Windows 10 Enterprise Version 1909 und Windows Server 2019)
  • Update KB5009557 (Windows 10 Enterprise Version 1909 LTSC und Windows Server 2018)
  • Update KB5009546 (Windows Server 2016)
  • Update KB5009555 (Windows Server 2022) – see also Patchday: Windows 11 Updates (January 11, 2022)

Whether also the updates for Windows Server 2008 R2 SP1:


Advertising

  • Update KB5009610 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1)
  • Update KB5009621 (Security-only update) steht für Windows 7 SP1 und Windows Server

is not known at the moment – I don't have any reader's notes and Microsoft hasn't published anything yet. In the meantime, Microsoft has confirmed the issue for Windows Server 2012 and later within this post in the Windows status dashboard.

After installing KB5009624 on domain controllers (DCs), affected versions of Windows Servers might restart unexpectedly. Note: On Windows Server 2016 and later, you are more likely to be affected when DCs are using Shadow Principals in Enhanced Security Admin Environment (ESAE) or environments with Privileged Identity Management (PIM).

Next steps: We are presently investigating and will provide an update in an upcoming release.

Affected platforms:

  • Client: None
  • Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012

Until further information from Microsoft is available, the only option is to not install the update if you are affected.

Hyper-V can't start

Update KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) and update KB5009595 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) an cause the Hyper-V host on the affected machine to no longer start. I had reported the issue in the blog post Windows Server 2012/R2: January 2022 Update KB5009586 bricks Hyper-V Host

Microsoft has confirmed this in support posts like for KB5009624, and has published this post in the Windows 8.1 and Windows Server 2012 R2-status dashboard:

After installing KB5009624 on devices using UEFI, virtual machines (VMs) in Hyper-V might fail to start.

Next steps: We are presently investigating and will provide an update in an upcoming release.

Affected platforms:

  • Client: Windows 8.1
  • Server: Windows Server 2012 R2; Windows Server 2012

So the problem is confirmed, and is being investigated, and the fix is supposed to be available in one of the upcoming releases. Currently, the only thing left to do is to uninstall the security update in question. If the Hyper-V of other Windows Server versions is affected, I can't say exactly at the moment. If someone has problems with other Hyper-V versions, he can leave a comment.

ReFS support missing after Windows Server 2012 R2 updates

After installing updates KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) and KB5009595 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) support for the ReFS file system is missing. German blog reader Olaf Becker reported the bug in this comment (I've translated his report).

Yet another problem has surfaced.

On all Windows 2012 R2 servers, all ReFs volumes are in RAW format after installation.

The cause seems to be KB5009624. After uninstalling the update and rebooting the server, the disks are back.

German blog reader confirmed within this comment this bug also for Windows Server 2012 (without R2). On reddit.com there is this post, which points out that this may kill Exchange servers (I got confirmation in other comments).

January Updates ReFS became RAW for Database Volumes

Installed these updates tonight, in a two server Exchange 2016 CU22 DAG, running on Server 2012 R2. After a really long reboot, the server came back up with all the ReFS volumes as RAW. NTFS volumes attached were fine. I realize this is not exclusively an exchange question but it is impacting my ability to bring services for Exchange back online.

After further troubleshooting I uninstalled all the updates except the new SU, and now after another long reboot the drives are showing as readable ReFS again! Looking at the status of these database now, it looks like I am going to be doing a re-seed now :(

Anyone have any ideas? dot.net update broke the ability to mount ReFS?

However, the .NET update suspected there is not the cause, but update KB5009624 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2). The only thing left to do is to uninstall the update – although Microsoft has not yet commented on this. 

On Facebook German blog reader Patrick Pa reported me another strange observation about the update KB5009543 for Windows 10 21H2, which I'll just reproduce here translated without further comment. 

I haven't found anything about it on the net yet, but I would like to note a peculiarity about KB5009543 2022-01 CU for Windows 10 21H2.

When I installed that the day before yesterday, suddenly a VHDX mounted over the network that is Bitlocker encrypted started behaving strangely. After some time, the drive was no longer accessible in Windows Explorer.

Usually you see in the computer overview at the drive, the memory usage graphically displayed. This was also no longer there. If you tried to open the drive, the Windows Explorer did not react and the Task Manager could not be started.

The disk management also hung. The Dell Latitude 5510 laptop could not be restarted either. Windows was stuck in "Shutting down". I had to shut down the device hard. The behavior reproduced itself several times. After uninstalling KB5009543 everything runs stable again.

Patrick stopped the distribution of this update in WSUS for now.

IPSec VPN connections broken

I had described this issues in the blog post Windows VPN connections (L2TP over IPSEC) broken after January 2022 update. Due to the January 11, 2022 security updates, VPN connections that use IPSEC are broken. This affects both L2TP and IKEv2 (see this comment), causing problems for many users.

In my blog, there is this comment that L2TP was compromised back in 2015. The user refers to this article where the use of L2TP/IPsec (as of IKEv1 IPSec) was advised against.

The flaw results in VPN connections to Cisco Meraki MX appliances, Ubiquiti or Meraki MX failing, for example. The gateways from Mikrotik and Fortigate as well as SonicWall instances can also no longer be reached.

Microsoft has confirmed this bug, blog reader PeDe has thankfully posted the links to the Windows Health Dashoard in this German comment. A Microsoft post states: 

Certain IPSEC connections might fail

After installing KB5009557, IP Security (IPSEC) connections which contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected.

Workaround: To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings. Note: Not all VPN servers have the option to disable Vendor ID from being used.

Next steps: We are presently investigating and will provide an update in an upcoming release.

Affected platforms:

  • Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB
  • Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016

This means that Windows 10 and Windows 11 clients, as well as Windows Server 2016 through 2022, are affected. As a workaround, Microsoft suggests disabling the vendor IDs on the VPN server to mitigate the Windows 10 and Windows 11 VPN bug. However, not all VPN servers allow vendor ID disabling.

Windows January 2022 updates withdrawn?

It is unclear whether Microsoft has now withdrawn the updates. Here in the blog there are since yesterday (13.1.2022) numerous references that the updates are no longer offered via Windows Update. 

Windows January 2022 Updates pulled?

The colleagues from Bleeping Computer also report something like this in this tweet. Colleague Lawrence Abrams wrote:

While Microsoft has not officially announced that they pulled the updates, BleepingComputer can confirm we are no longer being offered the Windows Server 2019 KB5009557 update. Admins have told us that the other versions have been pulled as well.

But I'm not sure, if this is true, because I was able to locate the updates still in Microsoft Update Catalog – and the updates are still available in WSUS. This morning (January 14, 2022) I received several user comments within my German blog, reporting, that the updates are now available via Windows Update. Seems we have chaos days in Redmond.

Some bugs partially fixed

But at least the Outlook search bug caused by the December 2021 update (December 2021 security update KB5008212 kills Outlook Search) was fixed with the January 2022 Windows updates. Although this German comment within my blog states that the search only works in cache mode. And the access bug from December 2021 doesn't seem to be completely fixed yet either (see the following links). Some reader told me, that the issue is gone after installing Office updates from January 11, 2022. Others reported still issues in Access working with multi users on UNC paths.

Similar articles:
Windows Server: Out-of-Band Update fixes Remote Desktop issues (2022/01/04)
Microsoft Office Updates (January 4, 2022)
Microsoft Security Update Summary (January 11, 2022)
Patchday: Windows 8.1/Server 2012 R2 Updates (January 11, 2022), boot loop reported
Patchday: Windows 10 Updates (January 11, 2022)
Patchday: Windows 11 Updates (January 11, 2022)
Patchday: Updates for Windows 7/Server 2008 R2 (January 11, 2022)

Windows Server: January 2022 security updates are causing DC boot loop
Windows VPN connections (L2TP over IPSEC) broken after January 2022 update
Windows Server 2012/R2: January 2022 Update KB5009586 bricks Hyper-V Host

Patchday: Microsoft Office December 2021 updates (14.12.2021) causes Access issues
Microsoft confirms issues in all Access versions after December 2021 Update
Status of the access bug after December 2021 update (2022/01/03)
Access Lock Bug: Where the December 2021 Fixes Fail
December 2021 security update KB5008212 kills Outlook Search


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in issue, Security, Update, Windows and tagged , , , , . Bookmark the permalink.

8 Responses to Microsoft patch day issues Jan. 2022: bugs confirmed, but updates not pulled

  1. EP says:

    KB5009557 was still being issued to my Win10 LTSC 2019 v1809 system thru WU as I just did a WU scan on there, guenni

    so it hasn't been fully withdrawn on some systems (maybe just with Windows Server 2019 but not with LTSC 2019)

  2. Lars Lyngby says:

    After updating 4 Exchange Servers all came up after reboot without access to three ReFS drives – with the databases and the logfiles…
    We reached out to Microsoft Support. One day later we were contacted with a workaround: Disable the Hotplug capability in VMWare.
    This article describes how to do it:
    https://kb.vmware.com/s/article/1012225

  3. Kis Pipacs says:

    For me, Windows Server 2006 DC produces restarts, plus it's a virtual machine. As a solution, I restored the previous day's backup, now we're working. I don't want anyone to feel like your DC restarts every minute after an update …

  4. Advertising

  5. John Grisso says:

    Last year a Windows update completely incapacitated my desktop twice. The first time I was able to bring it back after many hours of frustration. The second time I could not bring it back and I took it to the Best Buy Geek Squad. They were able to fix it for a charge of $200. As a result, I lost many features that I had set up. The most recent update did not render my desktop inoperable, but it removed the app icons from my opening screen, and I cannot restore them. I have asked Microsoft to stop the updates, but they will not.
    A few weeks ago, my laptop refused to boot up after a Windows update. I got the following message:
    Your PC needs to be repaired.
    The boot configuration data file is missing some required information.
    File \ BCD Error Code QXC 0000034.
    Press ESC for VEFI Firmware Setting
    I have no idea what that message means but I followed the instruction and pressed ESC without any useful results. I took the PC to the Geek Squad, and they were unable to repair it declaring it a total loss. So now I am out $500 for a new laptop. The Geek Squad confirmed that the problem was a result of a Windows update and stated that they have seen many problems stemming from Windows updates gone wrong.
    Why does Microsoft keep disabling thousands of computers with their updates. With their billions of dollars in cash and thousands of programmers one would think that they could do something about this. How about checking computers to determine if they are compatible to the updates before updating or determining that updates went wrong and repairing the damage. I am 85 years old and I do not need this kind of aggravation. It is criminal what Microsoft is presently doing. I have been using Apple iPhones and iPads for many years with their many OS updates and there has never been a problem. If there are lawyers out there, why don't we a do class action lawsuit against Microsoft.

  6. Richard Duffy says:

    We ran the updates 10 hours ago and bang our WS 2019 primary domain controller rebooted every 10 minutes with the lsass.exe in the event logs as the culprit….

    Once I found the issue (with thanks to this blog and others) I restored the PDC and we are back in business….8 hours of nightmares and outage on our cloud service….thanks Microsoft.

    The updates should still be pulled as it is causing the crash….we downloaded and applied the updates 10 hours ago so they are still up….

    Very ordinary way of handling what is a major flaw by Microsoft IMHO

  7. Luke says:

    whole school down multiple times due to DC being on a VM and these updates killing it every day even though the update is rejected/approved for removal in wsus.. driving everyone at that site insane. unbelievable that microsoft would release such garbage, anyone would think they're trying to push for their Azure Cloud services…

  8. ADIT says:

    KB5009543 on Win10 breaks MS Outlook setup connections to older Exchange servers (2003-2010 seen so far). Users who sign into a PC for the first time (after the updates installed), open Outlook (2007-2013 tested so far) and go through the wizard (everything auto-populates) make it to the last step and then get an error that the Exchange server isn't reachable.

    Users on updated PC's that had their Outlook setup prior to the updates still connect fine.

    I was previously able to uninstall 9543 and setup the new user to connect to Exchange but the option to uninstall it is no longer possible.

    The February update hides 9543 and shows KB5009467 and kb5010342, with a Servicing Stack in between.

  9. Mad Dancer says:

    Hi ADIT, we have same problem too. Our environment is Windows Server 2008 R2 SP1 + Exchange 2010 SP3 CU 32 – all clients are NOT part of a Exchange server domain and are connected with "RPC over HTTP" and server has public SSL certificate from DigiCert. After Windows 10 January 2022 updates (and the latest one from feb.2022 too) brokes connection from ALL versions of MS Outloook (probably) to Exchange 2010. I test Outlook 2003, 2016, 2019 and 2021 with and without office updates, try to disable RPC encryption and cached mode and nothing help, except uninstalling Windows 10 updates. On Server 2008 R2 now we have latest Feb 2022 cumulative update (KB5010404) (was Mar 2021 previously), all standard encryption protocols are enabled. But once KB5009543 or later is installed on Windows 10 client computer, Outlook have problem with connection to Exchange. If have an Outlook profile setup previously, it open Outlook window, but it stil wrote connecting/disconnected at statusbar. Deletion of existing XML config file doesn't help. When we tried creating new Outlook profile (creating profile pass) but it wrote "Cannot start Microsoft Outlook. Cannot open the Outlook window. The set of folders cannot be opened."
    Now I'm trying to monitor Outlook-Exchange communication with Wireshark on server side, it seems to be problem with encrypted comm. protocol, because after few TLS handshake messages, the comm. is reset and restarted and so on (in case of previously created and working Outlook profile – prior Jan 2022 updates of course).

Leave a Reply

Your email address will not be published. Required fields are marked *