{"id":22931,"date":"2022-01-12T11:08:23","date_gmt":"2022-01-12T10:08:23","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=22931"},"modified":"2022-01-13T18:34:55","modified_gmt":"2022-01-13T17:34:55","slug":"windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/01\/12\/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife\/","title":{"rendered":"Windows Server: January 2022 security updates are causing DC boot loop"},"content":{"rendered":"

\"Windows\"[German<\/a>]I'll pull it out separately as a blog post. Administrators of Windows Domain Controllers should be careful about installing the January 2022 security updates. I have now received numerous reports that Windows servers acting as domain controllers will not boot afterwards. Lsass.exe (or wininit.exe) triggers a blue screen with the stop error 0xc0000005. It can hit all Windows Server versions that act as domain controllers, according to my estimation.<\/p>\n

<\/p>\n

January 2022 updates address Active Directory bug<\/h2>\n

\"\"I listed it in the Patchday blog posts linked at the end of the article. In all the security updates for Windows Server (e.g., Update KB5009624<\/a> (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2)), it states:<\/p>\n

Addresses a Windows Server issue in which Active Directory attributes are not written correctly during a Lightweight Directory Access Protocol (LDAP) modify operation with multiple specific attribute changes.<\/p><\/blockquote>\n

However, something seems to have gone wrong, because the security update can trigger a boot loop on Windows servers that act as domain controllers.<\/p>\n

Boot loop on Windows Server DCs<\/h2>\n

German blog reader John L. contacted me via email back on January 11, 2022, and pointed out a fat problem related to the update. The module lsass.exe, version: 6.3.9600.17415, triggers an error 0xc00005 (access violation) via the library msv1_0.DLL, version: 6.3.9600.20239, so that the server gets into a boot loop.<\/p>\n

\"\"Name of the corrupt application: lsass.exe, version: 6.3.9600.17415, timestamp: 0x545042fe
\nName of the corrupt module: msv1_0.DLL, version: 6.3.9600.20239, timestamp: 0x61c1a5c8
\nException Code: 0xc0000005
\nFehleroffset: 0x0000000000002663
\nID of the faulty process: 0x1f4
\nStart time of the faulty application: 0x01d8072ac5b2c15a
\nPath of the faulty application: C:\\Windows\\system32\\lsass.exe
\nPath of the corrupted module: C:\\Windows\\system32\\msv1_0.DLL
\nBerichtskennung: afc36fda-7320-11ec-813a-00155d012601
\nFull name of the corrupted package:
\nApplication ID relative to the corrupted package: \"\".<\/p><\/blockquote>\n

I had already addressed this in the blog post Patchday: Windows 8.1\/Server 2012 R2 Updates (January 11, 2022), boot loop reported<\/a>, possible boot issues. John had the following advice:<\/p>\n

I want to advise against rolling back snapshots, especially on DC's, so as not to provoke USN rollbacks.<\/p>\n

Workaround: prevent one of the two DC's from booting, then uninstall today's hotfixes first on one and then on the other DC.<\/p><\/blockquote>\n

In the comments of my blog post above (and its German counterpart), other blog readers confirm this problem. The workaround is, to uninstall the January 11, 2022 security update.<\/p>\n

Tip:<\/strong> To avoid that the DC restarts too quickly during uninstall, just deactivate the network connection (pull the plug or deactivate the network driver).<\/p><\/blockquote>\n

German blog reader MOM20xx had the boot loop even after uninstalling the update and notes<\/a> that the security-only update KB5009595 should also be uninstalled on the domain controllers.<\/p>\n

Probably affects all versions of Windows Server DCs<\/h2>\n

German blog reader Simon wrote in this comment<\/a> that it also affects Windows Server 2016\/2019 Domain Controllers too. He then posted the following dump excerpt.<\/p>\n

The process wininit.exe has initiated the restart of computer DC on behalf of user for the following reason: No title for this reason could be found
\nReason Code: 0x50006
\nShutdown Type: restart
\nComment: The system process 'C:\\Windows\\system32\\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.<\/p>\n

Faulting application name: lsass.exe, version: 10.0.14393.4704, time stamp: 0x615be0cd
\nFaulting module name: lsadb.dll, version: 10.0.14393.4886, time stamp: 0x61d5242f
\nException code: 0xc0000005
\nFault offset: 0x000000000001be5b
\nFaulting process id: 0x2a8
\nFaulting application start time: 0x01d8077b1080a9da
\nFaulting application path: C:\\Windows\\system32\\lsass.exe
\nFaulting module path: C:\\Windows\\system32\\lsadb.dll
\nReport Id: e14067b5-aac7-46a4-9e21-cc45371c522a
\nFaulting package full name:
\nFaulting package-relative application ID:<\/p><\/blockquote>\n

So there wininit.exe<\/em> triggers the error 0xc0000005 on the domain controller. I also have another feedback on Facebook that update KB5008873 on Windows Server 2019 is causing the restart of the AD controllers (the AD controller is restarted every 15 minutes).<\/p>\n

\"Boot-Loop
\nBoot-Loop on Windows Server 2019<\/p>\n

If anyone needs some more hints on how to uninstall the update in a Windows PE environment, I'll refer them to How to Remove Updates from Windows Recovery Environment (WinRE)<\/a>.<\/p>\n

Note:<\/strong> According to this German comment<\/a>, update KB5009543 causes problems with L2TP VPNs. On reddit.com there is this thread<\/a> about it. See also the links below.<\/p>\n

In addition, I got reports<\/a> that VMs on Server 2012 R2 Hypervisor do not start anymore. The error message is that the hypervisor is not running: Hypervisor launch failed; The operating systems boot loader failed with error 0xC00000BB. This is probably update KB5009624 for Server 2012 R2 – just as a hint, if there should be problems under Windows Server 2016 – 2019. See also the links below.<\/p>\n

And we have reports, that the Windows Server 2012 R2 January 11, 2022 security update removes ReFS support.<\/p><\/blockquote>\n

Similar articles:
\n<\/strong>Microsoft Office Updates (January 4, 2022)<\/a>
\nMicrosoft Security Update Summary (January 11, 2022)<\/a>
\nPatchday: Windows 8.1\/Server 2012 R2 Updates (January 11, 2022), boot loop reported<\/a>
\nPatchday: Windows 10 Updates (January 11, 2022)<\/a>
\nPatchday: Windows 11 Updates (January 11, 2022)<\/a>
\nPatchday: Updates for Windows 7\/Server 2008 R2 (January 11, 2022)<\/a><\/p>\n

Windows Server: January 2022 security updates are causing DC boot loop<\/a>
\nWindows VPN connections (L2TP over IPSEC) broken after January 2022 update<\/a>
\nWindows Server 2012\/R2: January 2022 Update KB5009586 bricks Hyper-V Host<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

[German]I'll pull it out separately as a blog post. Administrators of Windows Domain Controllers should be careful about installing the January 2022 security updates. I have now received numerous reports that Windows servers acting as domain controllers will not boot … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,1547,22,2],"tags":[47,2700,69,195,159],"class_list":["post-22931","post","type-post","status-publish","format-standard","hentry","category-issue","category-software","category-update","category-windows","tag-issue","tag-patchday-1-2022","tag-security","tag-update","tag-windows-server"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=22931"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22931\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=22931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=22931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=22931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}