[German]A quick note for Windows Server 2022 administrators: Be careful when applying the security update KB5011497 from March 8, 2022. I have received a report from an administrator that this update can cause severe problems with remote services. Certain roles are no longer available after installing this update – and this could be verified on several server instances.
Update KB5011497 for Windows Server 2022
I had covered it in the blog post Patchday: Windows 11/Server 2022 updates (March 8, 2022): As of March 8, 2022, Microsoft has released cumulative update KB5011497 for Windows Server 2022. The update raises the OS build to 20348.587 and makes internal, unspecified, security fixes to the operating system.
The Known Issues section of the update support article states that when connecting to devices in an untrusted domain with Remote Desktop, authentication fails when using smart card authentication. However, this does not affect the error described below.
Issues with remote services/roles
German blog reader Sebastian R. just reported via email that he encountered issues with two Windows Server 2022 systems earlier today due to Windows updates released on March 8, 2022. Sebastian works for an IT service provider as an administrator, and his employer runs remote desktop (gateway) infrastructures for its own purposes as well as for customers.
- One VM per customer is used here, providing the roles of Remote Desktop Gateway, Remote Desktop Connection Broker and Web Access for Remote Desktop.
- Two of these systems run Windows Server 2022, all others Windows Server 2019.
After automatically installing the Windows updates (KB5011497, KB5009639 and KB5010523 were installed) after release on these two Windows Server 2022 systems, remote connections through these systems stopped working.
I have not found any KB articles for the latter two updates KB5009639 and KB5010523. These are probably included in the January 2022 update KB5009608 (see here).
Sebastian writes about the error pattern that was noticed quickly after the update installation, that Windows services belonging to the roles mentioned above were missing on the two systems. Specifically, the services below were missing:
- Remote Desktop Connection Broker (see)
- Remote Desktop Management (might be RDS)
So he checked the installed Windows roles and it turned out that the Remote Desktop Connection Broker role is not installed at all, or is detected as no longer installed. The Windows event log for this is not very informative, Sebastian wrote.
Remote Desktop Connection Broker Role broken
The next step was to reinstall the Windows Remote Desktop Connection Broker role. After that, the management of the Remote Desktop structure via UI and Powershell was available again and thus visible. But then Sebastian made the following experience:
Unfortunately, this didn't help us much, because I then used "Get-RDServer" in Powershell to output the status of the systems involved in the RDS infrastructure. The result was that our system had lost the role RDS-GATEWAY. Although the role was installed according to the server manager. Reinstalling the Remote Desktop Gateway role did not change the error pattern.
To avoid spending more time on a possibly unrecoverable system, I restored the VM from a backup before the Windows updates. So I started the backup restore, installed Windows Updates and after the restart the same initial error condition: The role Remote Desktop Connection Broker is completely missing. Before the restart by Windows Updates the above mentioned Windows services were still present.
So the error is reproducible and Sebastian blocked the Windows update from WSUS for the time being. He commented: Maybe the information helps someone else and you want to pick it up in the blog. At this point my thanks to Sebastian – and I have posted now the information her in a timely manner.
Addendum: On Facebook, I have feedback from two administrator groups that there were problems there as well. One confirmed the same problem, another administrator got the following error message in a dialog box:
Remote Desktop Connection
There are no available computers in the pool. Try connecting again, or contact your network administrator.
The person in question wrote:
… hit me today. But what helped was, took server out of domain, back into domain it went.
The roles were not gone. And the server was also present in the AD. But then by removing and re-add everything went again fortunately.
So not quite the error outlined above. I must therefore leave the whole thing here as open – perhaps there are others affected.
See also my new addendum: Windows Server 2022: Fix for Remote Desktop problems with update KB5011497
Microsoft Office Updates (March 1, 2022)
Microsoft Security Update Summary (March 8, 2022)
Patchday: Windows 10-Updates (March 8, 2022)
Patchday: Windows 11/Server 2022-Updates (March 8, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (March 8, 2022)
Cookies helps to fund this blog: Cookie settings
exactly same problem occured by us – missing rd connection broker role after update
update nightmare still continue this year
We seem to be experiencing exactly the same issue.
Confirming same issue for our two Windows Server 2022 RDS servers.
Had to re-install the RD Gateway roles – (RD Connection Broker/ RD Web access / RD Session host), reconfigure certificates and re-activate licence servers. Then re-publish the RD Apps for both Servers.
Good job we're not live with the O/S version quite yet!
The KB5011497 also break functionalities like Server Manager, Event-viewer and those that relies on some APIs that access the Windows Logs. I've reproduced the bug in a couple of 2022 Server VMs NOT joined to AD. After KB5011497 installation the two VMs show the same problems. At this moment i did not find any workaround. Even the KB uninstall are ineffective, probably due permissions changes or dlls corruption. Only VM snapshot or bare metal backup before KB installation are effective. Very dangerous.
We have the same issue with KB5011497. Server manager and event viewer. Also logging off the server it stalls on shutting down a microsoft search feature.
It also had issues installing vmtools on a newly installed machine.
We've seen this when deploying from template and a completely new installed Server 2022. Right after install and reboot it fails.
On those 2022 that had the February updates om them, it seems to work. So in my opinion something is going wrong if we update to the KB5011497 coming from servers that have not been updated in February. Like my template (updated sometime January) or a completely new ISO install.
Seeing exactly the same issue here with Server 2022 Standard GUI installed from ISO from VLSC. Working as expected until applying KB5011497 then Server Manager and Event Viewer no longer load and restarts hang for awhile on "the Windows Search". Uninstalling KB5011497 does not fix the issues either.
Same thing here. On some new 2022 servers, RDCB and RDSH are affected. Printer serveur ADCS or ADDS looks fine.
Server Manager take a lot of time to load informations, event logs does not work and reboot hang on Windows Search too.
So had a colleague create a case with Microsoft on this.
And the problem is indeed a missing requirement that MS doesn't check for sadly.
So install the february .NET4.8 updates KB5011258 solves it.
and this is why our existing updated 2022 kept running and all new ones failed.
update KB5011258 in Microsoft Update Catalog
No issue today… I did'nt touch anything. I try to reboot, reinstall KB5011497, … it looks fine for now.
Same issue here. However, even after restoring a snapshor from before KB5011497 and applying the .NET KB5011258 update first, things still aren't right. The Gateway role is indeed still present, but the broker role is still gone. Better stay away from KB5011497 until MS fixes it. What a trainwreck once again.
Same problem here by installing the update before, still impossible to restart the broker.
First run a .bat script, which can be found on google, for restoring Windows updates. After that I was able to install the broker service again via Windows Server Manager.
Saw that the folder C:\Windows\rdcbDb was empty, so I restored the databases from the backup.
Then I installed SQL management on the RDS server and connected to: np:\\.\pipe\MICROSOFT##WID\tsql\query
I saw that the RDCms database was in Single User mode. Then ran a query on the database: ALTER DATABASE RDCms SET MULTI_USER and GO
After that, my broker service was again accessible via the RDS.
Tim – How can I connect to the RDS server SQL? I have management installed, but I'm not sure where to proceed to run that command.
When I installed SQL Server Management Studio and open it, you have to login:
Server type: Database Engine
Server name: np:\\.\pipe\MICROSOFT##WID\tsql\query
Authentication: Windows Authentication
Thanks a lot for sharing your solution. With your hint I was able to restore my server also. My steps are as follow:
1. uninstalled Server Role "RD connection broker"
2. installed Server Role "RD connection broker"
3. had a look at database (mine was also empty) = restored database
4. restarted the server and RD works again
i have installed the latest cummulative patches today on Broker and Gateways and the Broker was gone as described above.
I was a bit in hurry and therefore i recreated the collection manually (after installing the Broker role again). Since i have no access to the backup anyhow and early in the morning no one from the infrastructure team was available, this was my best choice. It took me 45min to get it up and running again.
I will bookmark this page , thanks to Tim and Domi
Feedback from a Facebook user: