Windows Server: April 2024 Update KB5036909 causes also LSASS crashes on DCs

Windows[German]Another addendum from the April 2024 patchday. The updates not only cause problems with NTLM connections to Windows Server. There are also reports that the KB5036909 update can also lead to LSASS crashes on domain controllers (DCs). In any case, Microsoft has published corresponding information on its Windows Release Health pages.


I recently reported within the blog post Windows Server: April 2024 updates causes NTLM traffic issues about issues with NTLM authentication. But apparently that's not all. I came across another problem via the following tweet from

April 2024 Update causing LSASS crash on DCs

Microsoft has updated the article NTLM traffic issue after installing the April 2024 security update on the Windows Health status page of Windows Server 2022 as of May 3, 2024. Previously, administrators could see a significant increase in NTLM authentication traffic on domain controllers (DCs) after installing the April 2024 security update (KB5036909).

In a note, Microsoft writes that in rare cases, the Local Security Authority Subsystem Service (LSASS) may crash on Windows servers with the Domain Controller (DC) role, requiring a restart. However, this rings a bell, because in March 2024 there was exactly this problem in connection with the security updates. I reported in the blog post Windows Server: March 2024 update causes LSASS memory leak on DCs on this.

The cause was a memory leak, which on DCs led to the server having to restart or be restarted due to a lack of memory. This problem was resolved with special updates that had to be installed manually by administrators. There are indications that the problem will continue with the April 2024 updates. Microsoft currently has no solution to the problem


No official workaround

The only way to fix the problem as an affected user is to uninstall the cumulative update and block the installation of this and all subsequent updates. To uninstall the last cumulative update (LCU), the command line option;

DISM/Remove-Package xxxx

with the name (xxx) of the update as an argument. The package name can be changed with the command:

DISM /online /get-packages

command. On managed systems, the update must then be blocked for further installation.

Cookies helps to fund this blog: Cookie settings

This entry was posted in issue, Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *