A German blog reader had already asked in a comment whether anyone else had noticed a memory leak caused by the November 2022 updates on Windows Server 2016. I was about to write a separate blog post asking for that, but Microsoft has just beaten me to it and confirmed a memory leak in LSASS caused by the November 8, 2022 security updates on various Windows Server versions. The problem can be mitigated with a workaround.
A user report
Marcel, a German blog reader, recently left this comment asking whether other administrators were experiencing the same issue after installing the November 2022 update, as described by a user in a Techcommunity post dated November 18, 2022:
Has anyone identified a memory leak caused by the lsass.exe process (attached to services: Netlogon, KDC, Active Directory, etc.) on Windows Server 2016 with the domain controller role since the KB5019964 installation?
I have some domain controllers on W2k16 with the latest November CU patch and they all have a memory leak caused by the lsass.exe process.
The other domain controllers which don't have the November CU installed don't have this memory leak.
I'm currently installing the OOB patch to see if it fixes this memory leak.
EDIT 23/11/2022: The OOB patch didn't fix the memory leak in the lsass.exe process, so we proceeded to uninstall the November CU KB5019964 and OOB KB5021664 on our Windows Server 2016 Domain Controllers.
So the administrator in question detected a memory leak caused by the November 2022 update KB5019964 on his domain controllers, and the November 17, 2022 out-of-band update that fixes the Kerberos authentication issues does not fix this leak. However, there was no other feedback here on the blog in response to Marcel's report.
Microsoft confirms LSASS memory leak
As of November 23, 2022, Microsoft has posted a new entry, Possible memory leak in Local Security Authority Subsystem Service (LSASS.exe), on the Release Health pages of various Windows Server versions, confirming the memory leak in the Local Security Authority Subsystem Service (LSASS.exe). The following server versions are affected:
- Windows Server 2019: Update KB5019966
- Windows Server 2016: Update KB5019964
- Windows Server 2012 R2: Update KB5020023, Update KB5020010
- Windows Server 2012: Update KB5020009, Update KB5020003
- Windows Server 2008 R2 SP1: Update KB5020000, Update KB5020013
- Windows Server 2008 SP2: OOB-Update KB5021657
if the aforementioned November 8 security updates or the November 17/18, 2022 out-of-band updates (see Out-of-band updates fixes Kerberos authentication issues on DCs (Nov. 17, 2022)) have been installed. Microsoft writes about this:
After installing the update [the KB number depends on the server version] or subsequent updates on domain controllers (DCs), you may experience a memory leak in the Local Security Authority Subsystem Service (LSASS.exe).
Depending on the workload of your DCs and the time that has elapsed since the server was last restarted, LSASS may continuously increase memory usage as your server is up and running, and the server may stop responding or restart automatically.
Note: The out-of-band updates for DCs released on November 17, 2022 and November 18, 2022 might be affected by this issue.
I pulled the November 8, 2022 update numbers into the list above; the November 17/18, 2022 out-of-band updates are referenced in Out-of-band updates fixes Kerberos authentication issues on DCs (Nov. 17, 2022).
In the support article Possible memory leak in Local Security Authority Subsystem Service (LSASS.exe), Microsoft proposes opening an administrative command prompt (Run as administrator) and adding a registry value with the following command:
reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting, depending on what your environment allows. It is recommended that you enable enforcement mode as soon as your environment is ready. For more information on this registry key, see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967. Keep in mind that a value of 0 switches off the new PAC signature handling that was introduced for CVE-2022-37967, so the workaround trades that hardening for stable DCs until the fix ships; it should not be forgotten once the fix is installed. Microsoft is working on a fix and plans to provide an update in one of the next releases.
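As an added example, not code from the blog post or from Microsoft's support article, the following PowerShell script does the same as the reg add line above, re-reads the value to confirm it took effect, samples lsass.exe memory so you can tell whether the leak is still growing, and raises the value again later. The KB list is taken from the server versions listed above; the domain controller names in the usage note and the KB list are assumptions to adapt to your environment.

```powershell
# Added example, not code from the blog post or Microsoft's KB article.
# Save as Lsass-Leak.ps1 and run in an elevated PowerShell on each DC, or push
# it to all DCs with Invoke-Command -FilePath (see usage below).
param(
    [ValidateSet('Status', 'Workaround', 'Raise')][string]$Action = 'Status',
    [ValidateRange(1, 3)][int]$RaiseTo = 3    # value to apply with -Action Raise
)

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
$ValueName = 'KrbtgtFullPacSignature'

# November 2022 security / OOB updates named in the post. Assumption: only
# these KB IDs are checked; extend the list if your patch tooling deploys others.
$AffectedKBs = @('KB5019966', 'KB5019964', 'KB5020023', 'KB5020010', 'KB5020009',
                 'KB5020003', 'KB5020000', 'KB5020013', 'KB5021657', 'KB5021664')

function Get-KrbtgtFullPacSignature {
    # Returns the current DWORD, or $null when the value has never been created
    # (the KDC then uses the built-in default described in KB5020805).
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-KrbtgtFullPacSignature {
    # 0 is the workaround from the post. Raising it later is the same call with
    # another value (KB5020805: 1 = add signatures, 2 = audit, 3 = enforcement).
    param([Parameter(Mandatory)][ValidateRange(0, 3)][int]$Value)

    $before = Get-KrbtgtFullPacSignature
    New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord `
                     -Value $Value -Force | Out-Null
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = $before
        After    = Get-KrbtgtFullPacSignature   # re-read to confirm the change
    }
}

function Get-LsassMemorySample {
    # One sample of lsass.exe memory plus uptime and patch state. Take samples a
    # few hours apart: on an affected DC the private bytes keep climbing with
    # uptime instead of levelling off.
    $lsass = Get-Process -Name lsass
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        SampledAt    = Get-Date
        UptimeHours  = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)
        PrivateMB    = [math]::Round($lsass.PrivateMemorySize64 / 1MB, 1)
        WorkingSetMB = [math]::Round($lsass.WorkingSet64 / 1MB, 1)
        AffectedKBs  = (Get-HotFix | Where-Object HotFixID -in $AffectedKBs).HotFixID -join ','
        PacSignature = Get-KrbtgtFullPacSignature
    }
}

switch ($Action) {
    'Status'     { Get-LsassMemorySample }
    'Workaround' { Set-KrbtgtFullPacSignature -Value 0 }
    'Raise'      { Set-KrbtgtFullPacSignature -Value $RaiseTo }
}
```

Usage, with dc01 and dc02 as assumed DC names: `Invoke-Command -ComputerName dc01, dc02 -FilePath .\Lsass-Leak.ps1 -ArgumentList 'Status'` gives one row per DC; compare PrivateMB against UptimeHours across a few runs to see whether LSASS is still leaking. `-ArgumentList 'Workaround'` applies the registry value from Microsoft's article, and `-ArgumentList 'Raise', 3` sets it back to enforcement mode once the fixed update is installed and your environment is ready. The script only reads and writes the one registry value and process counters the post talks about; it does not restart any DC.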
Patchday: Windows 10-Updates (November 8, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (November 8, 2022)
Windows 10 20H2-22H2 Preview Update KB5020030 (Nov. 15, 2022)
Windows 11 21H2: Preview-Update KB5019157 (Nov. 15, 2022)
Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues
Microsoft confirms Kerberos authentication issues after Nov. 2022 updates
Out-of-band updates fixes Kerberos authentication issues on DCs (Nov. 17, 2022)