The security updates for Windows released by Microsoft on January 11, 2022 resulted in IPSec VPN connections no longer working with on-board tools. On January 17 and 18, 2022, Microsoft released special updates to fix this bug as well. Here's a wrap-up with notes on which updates are available for the fixes and what, if any, collateral damage there is.
IPSec VPN connection issues
After installing the security updates released on January 11, 2022, numerous users complained that IPSec VPN connections could no longer be established with on-board means under Windows. It didn't matter whether Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) was used (see Windows VPN connections (L2TP over IPSEC) broken after January 2022 update). Microsoft confirmed the problem and wrote:
IP Security (IPSEC) connections which contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected.
Users who relied on Windows' IPSec VPN connections could no longer reach Cisco Meraki MX appliances, Ubiquiti or Mikrotik and Fortigate gateways, and SonicWall instances. Windows versions were affected as soon as the following security updates were installed.
- KB5009555 (Windows Server 2022)
- KB5009557 (Windows Server 2019)
- KB5009546 (Windows Server 2016)
- KB5009566 (Windows 11)
- KB5009543 (Windows 10 20H2 – 21H2)
- KB5009545 (Windows 10 Enterprise, version 1909)
- KB5009546 (Windows 10 Version 1607)
- KB5009585 (Windows 10 Enterprise 2015 LTSB)
The only remedy was to uninstall the updates in question. VPN solutions like OpenVPN etc. were not affected by this problem.
Out-of-band updates to fix the IPSec VPN problem
In the meantime, Microsoft has released out-of-band updates that are supposed to fix this IPSec VPN bug. The following updates have been available since January 17/18, 2022:
- KB5010796: Windows Server 2022
- KB5010793: Windows Server 20H2
- KB5010791: Windows Server, version 2019
- KB5010790: Windows Server 2016
- KB5010795: Windows 11
- KB5010793: Windows 10 Version 20H2 – 21H2
- KB5010792: Windows 10 Version 1909
- KB5010790: Windows 10 Version 1607
- KB5010789: Windows 10 Version 1507
For all of the above updates, Microsoft writes the following:
Addresses a known issue that can cause IP Security (IPSEC) connections with a vendor ID to fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP Security Internet Key Exchange (IPSEC IKE) may also be affected.
The updates are cumulative, but optional and should really only be found via an update search – but I'm not sure if some of these are not installed automatically. If updates are distributed via WSUS, the packages would have to be downloaded from the Microsoft Update Catalog and imported.
Regarding the WSUS import, however, there are German comments that this does not work. If there are problems with the import via Internet Explorer, I would like to refer to the blog post WSUS: Microsoft Update Catalog Import failure, which mentions the trick of changing the value 1.20 to 1.80 in the URL. For people who now use the Chromium Edge browser on Windows, I refer to the blog post How-To: Import OOB Updates in WSUS without IE, but with Microsoft Edge, which outlines the corresponding approach.
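To triage machines against the two update lists above, the following added example (not code from this blog or from Microsoft) classifies a host as affected, fixed, or carrying none of the listed updates. The function name `Get-IpsecVpnPatchState` and the state labels are hypothetical; the KB pairs are read off the two lists by matching Windows versions.

```powershell
# Added example. Pairs taken from the article's two lists:
# January 11, 2022 update -> out-of-band fix from January 17/18, 2022.
$KbPairs = [ordered]@{
    'KB5009555' = 'KB5010796'   # Windows Server 2022
    'KB5009557' = 'KB5010791'   # Windows Server 2019
    'KB5009546' = 'KB5010790'   # Windows Server 2016 / Windows 10 1607
    'KB5009566' = 'KB5010795'   # Windows 11
    'KB5009543' = 'KB5010793'   # Windows 10 20H2 - 21H2
    'KB5009545' = 'KB5010792'   # Windows 10 1909
    'KB5009585' = 'KB5010789'   # Windows 10 2015 LTSB (version 1507)
}

function Get-IpsecVpnPatchState {
    # Hypothetical helper. Pass a KB list to classify inventory data;
    # without an argument it inspects the local machine via Get-HotFix.
    param([string[]]$InstalledKb = (Get-HotFix).HotFixID)

    # Listed January updates and listed out-of-band fixes present on the host
    $january = @($KbPairs.Keys   | Where-Object { $InstalledKb -contains $_ })
    $fixes   = @($KbPairs.Values | Where-Object { $InstalledKb -contains $_ })

    # January update present, but its matching out-of-band fix is not
    $missing = @($january |
        Where-Object { $InstalledKb -notcontains $KbPairs[$_] } |
        ForEach-Object { $KbPairs[$_] })

    $state = if ($missing.Count -gt 0) {
        'Affected'
    } elseif ($fixes.Count -gt 0) {
        'Fixed'
    } else {
        'NoListedUpdate'
    }

    [pscustomobject]@{
        State        = $state
        JanuaryKb    = $january
        InstalledFix = $fixes
        FixToInstall = $missing
    }
}

# Constructed inventory samples, followed by the local machine
Get-IpsecVpnPatchState -InstalledKb 'KB5009543'
Get-IpsecVpnPatchState -InstalledKb 'KB5009543', 'KB5010793'
Get-IpsecVpnPatchState
```

The check compares only the KB numbers listed in this article and does not account for later cumulative updates.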
Collateral damage with the update?
In my German blog, reader Michael has left the following comment, complaining about issues after installing the out-of-band update KB5010793 under Windows 10 Pro 21H2 (x64).
That's quite bananas, I get with KB5010793 under Windows 10 Pro x64 21h2 indeed again in my VPN/Mikrotik, but instead I can no longer access the administrative mapped network drives (C$,D$) on Windows 2012R2 from the laptop. If I uninstall the update then it works again.
Error connecting from X: with \\ip\c$.
Microsoft Windows Network : The local device name is already in use. The connection could not be established.
The drives are mapped with net use and the switch persistent:yes on the laptop.
Verified 2 times, I install the update again, problem comes, I uninstall it, problem is gone.
Maybe I have to delete the saved maps via Logon Information Management/Windows Logon Information, but this can't be true again, every update only problems I'm so annoyed…..
In a follow-up comment, Michael writes:
There is definitely a problem here. I deleted all saved mappings and credentials, then the normal way – Explorer – This PC – Connect network drive – Connect to other credentials – Save password – after that I can access, however after reboot again the error. The mapping to another server remains. Unfortunately I don't have the time to research this further (already spent 2 hours on it) and I'm throwing the update KB5010793 down again.
Anyone who can confirm this issue? And on reddit.com there is this thread where user Trollw00t writes that IPSec VPN connection does not work for him despite special update KB5010793 (Windows 10 version 20H2 – 21H2).
Note: At ghacks.net there is this comment which states that the update KB5010798 for Windows 7 ESU ends up with the System Event Notification service not being accessible afterwards – although the service is running. Uninstalling the update helped. But this is not relevant in the IPSec VPN context, because Microsoft does not mention anything about this bug there.
Windows Server: Out-of-Band Update fixes Remote Desktop issues (2022/01/04)
Microsoft Office Updates (January 4, 2022)
Microsoft Security Update Summary (January 11, 2022)
Patchday: Windows 8.1/Server 2012 R2 Updates (January 11, 2022), boot loop reported
Patchday: Windows 10 Updates (January 11, 2022)
Patchday: Windows 11 Updates (January 11, 2022)
Patchday: Updates for Windows 7/Server 2008 R2 (January 11, 2022)
Windows Server: January 2022 security updates are causing DC boot loop
Windows VPN connections (L2TP over IPSEC) broken after January 2022 update
Windows Server 2012/R2: January 2022 Update KB5009586 bricks Hyper-V Host
Microsoft patch day issues Jan. 2022: bugs confirmed, but updates not pulled
Microsoft January 2022 Patchday Revisions (2022/01/14)
Windows Out-of-band Updates fixes Jan. 2022 patch day issues (Jan. 17, 2022)
Windows 10/Server: Out-of-band Updates fixes Jan. 2022 patch day issues (Jan. 17, 2022)
Out-of-band Updates for Windows Server 2019 fixes Jan. 2022 Patch day issues (Jan. 18, 2022)
Windows 7/8.1; Server 2008R2/2012R2: Out-of-band Updates with Fixes for Jan. 2022 Patch day Issues (2022/01/17)
Review: Fix for Windows IPSec VPN Connection Issues