How do New Windows Server Updates cause DC Boot Loops?

The new Windows Server updates are causing severe problems for administrators: domain controllers rebooting spontaneously, Hyper-V failing to start, and ReFS volumes becoming inaccessible until the updates are rolled back. The updates in question are the Windows Server 2012 R2 KB5009624 update, the Windows Server 2019 KB5009557 update, and the Windows Server 2022 KB5009555 update, all released as part of the January 2022 Patch Tuesday.

Immediately after installing these updates, administrators have been hitting several problems that are only resolved by removing them again.

What are Windows Domain Controller Boot Loops?

The most critical problem brought in by these updates is that Windows domain controllers enter a boot loop, with servers getting into an endless cycle of Windows starting and then rebooting after a few minutes. As first reported by BornCity, this issue affects all supported Windows Server versions.


“Looks like KB5009557 (2019) and KB5009555 (2022) are causing something to fail on domain controllers, which then keep rebooting every few minutes,” a user posted to Reddit. A Windows Server administrator told our experts that they see the LSASS.exe process consume all of the CPU on a server and then terminate.

LSASS (the Local Security Authority Subsystem Service) is a critical process that Windows cannot run without, so the operating system automatically restarts when it terminates. On a domain controller LSASS also hosts the Active Directory database and the Kerberos KDC, which is why DCs are the servers hit hardest. The restart is recorded in the System event log as Event ID 1074, initiated by wininit.exe; the status code -1073741819 in the message is 0xC0000005 (STATUS_ACCESS_VIOLATION), i.e. LSASS crashed on an invalid memory access. Another user on Reddit shared the entry:

“The process wininit.exe has initiated the restart of computer on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006 Shutdown Type: restart Comment: The system process ‘C:\WINDOWS\system32\lsass.exe’ terminated unexpectedly with status code -1073741819. The system will now shut down and restart.”

Why does Hyper-V no longer start?

In addition to the boot loops, Windows administrators have told Xiarch that Hyper-V no longer starts on the server after the patches are installed. This bug primarily affects Windows Server 2012 R2 servers, but other, unverified reports say it affects newer versions of Windows Server as well.

Because the hypervisor is not running, any attempt to launch a virtual machine fails with the following error:

“Virtual machine xxx could not be started because the hypervisor is not running.”

The same updates, released yesterday, also fix four Hyper-V vulnerabilities (CVE-2022-21901, CVE-2022-21900, CVE-2022-21905, and CVE-2022-21847); the changes made for those fixes are the likely cause of this issue.

Why are ReFS volumes no longer accessible?

Finally, numerous admins are reporting that Windows Resilient File System (ReFS) volumes are no longer accessible or are seen as RAW (unformatted) after installing the updates. The Resilient File System (ReFS) is a Microsoft proprietary file system that has been designed for high availability, data recovery, and high performance for very large storage volumes.

“Installed these updates tonight, in a two server Exchange 2016 CU22 DAG, running on Server 2012 R2. After a really long reboot, the server came back up with all the ReFS volumes as RAW,” explained a Microsoft Exchange administrator on Reddit.

“NTFS volumes attached were fine. I acknowledge this is not exclusively an exchange question but it is impacting my ability to bring services for Exchange back online.” Uninstalling the Windows Server updates made the ReFS volumes accessible again.


Yesterday's updates also fixed a set of remote code execution vulnerabilities in ReFS, and one or more of those fixes is likely behind the inaccessible ReFS volumes. The vulnerabilities are tracked as CVE-2022-21961, CVE-2022-21959, CVE-2022-21958, CVE-2022-21960, CVE-2022-21963, CVE-2022-21892, CVE-2022-21962, and CVE-2022-21928.
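Before removing anything it is worth confirming which of the three symptoms a given server actually has. The following triage script is an added example written for this page, not code from the original article or from Microsoft; it checks for LSASS-triggered restarts (Event ID 1074 in the System log, as quoted above), for a Hyper-V host whose hypervisor is not running, and for fixed-disk volumes that no longer report a recognised file system. It assumes a volume Windows cannot mount shows a blank or RAW file system in Get-Volume, and that the Hyper-V role is present whenever the vmms service exists. Run it in an elevated PowerShell session.

```powershell
# Added triage example (not from the original article). Run elevated on the
# server under suspicion. Prints one verdict per symptom described above.

$since = (Get-Date).AddHours(-24)

# 1. LSASS-triggered restarts. Event ID 1074 in the System log is the
#    "wininit.exe has initiated the restart" record; its message carries the
#    signed NTSTATUS of the process that died.
$lsassRestarts = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' })

if ($lsassRestarts.Count -gt 0) {
    Write-Warning ("{0} LSASS-triggered restart(s) since {1}" -f $lsassRestarts.Count, $since)
    foreach ($e in $lsassRestarts) {
        # -1073741819 is 0xC0000005 (STATUS_ACCESS_VIOLATION); show the hex form too.
        $hex = if ($e.Message -match 'status code (-?\d+)') {
            '0x{0:X8}' -f [uint32]([int64]$Matches[1] -band 0xFFFFFFFF)
        } else { 'unknown' }
        Write-Output ("  {0:s}  status {1}" -f $e.TimeCreated, $hex)
    }
} else {
    Write-Output "No LSASS-triggered restarts in the System log since $since."
}

# 2. Hyper-V. Assumption: the role is installed iff the vmms service exists.
#    Win32_ComputerSystem.HypervisorPresent is false when no hypervisor is running,
#    which is the state behind "the hypervisor is not running".
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms) {
    $hvPresent = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
    if (-not $hvPresent) {
        Write-Warning "Hyper-V role is installed but no hypervisor is running; VMs will fail to start."
    } else {
        Write-Output "Hypervisor is running (vmms service: $($vmms.Status))."
    }
} else {
    Write-Output "Hyper-V role not installed; skipping hypervisor check."
}

# 3. ReFS volumes that now present as RAW. Assumption: a volume Windows cannot
#    mount reports a blank or 'RAW' FileSystem. Only fixed disks are considered.
$rawVolumes = @(Get-Volume | Where-Object {
    $_.DriveType -eq 'Fixed' -and $_.Size -gt 0 -and
    ([string]::IsNullOrEmpty($_.FileSystem) -or $_.FileSystem -eq 'RAW')
})
if ($rawVolumes.Count -gt 0) {
    Write-Warning "Fixed volumes with no recognised file system (possible ReFS shown as RAW):"
    $rawVolumes |
        Select-Object DriveLetter, FileSystemLabel, FileSystem, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } } |
        Format-Table -AutoSize
} else {
    Write-Output "All fixed volumes report a recognised file system."
}
```

On a domain controller that is looping, the first check is the one to run as soon as a logon succeeds; the 1074 entries survive the reboots, so a count above zero with status 0xC0000005 matches the behaviour the article describes. The volume check is deliberately conservative: it flags anything fixed-disk without a file system, so compare the output with the list of volumes you know were formatted ReFS before deciding the update is to blame.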

How to resolve this?

Unfortunately, the only way to fix these issues is to uninstall the corresponding cumulative update for your Windows version. Admins can do this from an elevated command prompt with one of the following commands:

  • Windows Server 2012 R2: wusa /uninstall /kb:5009624
  • Windows Server 2019: wusa /uninstall /kb:5009557
  • Windows Server 2022: wusa /uninstall /kb:5009555
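Because a looping domain controller may stay up for only a few minutes per cycle, a scripted removal is more reliable than clicking through Programs and Features. The script below is an added example for this page, not code from the original article or from Microsoft: it maps the three KB numbers above to the OS build numbers those releases report (9600, 17763 and 20348), confirms the matching update is actually installed, and removes it with wusa.exe in quiet mode. It assumes wusa's documented exit codes (0 = success, 3010 = success, reboot required) and that Get-HotFix lists the cumulative update; run it elevated.

```powershell
# Added remediation example (not from the original article). Run elevated.
# Picks the cumulative update that matches this host's OS build, checks that it
# is installed, and removes it. The host reboots at the end when wusa asks for it.

# Article's three KBs keyed by the build number each release reports.
$kbByBuild = @{
    '9600'  = '5009624'   # Windows Server 2012 R2
    '17763' = '5009557'   # Windows Server 2019
    '20348' = '5009555'   # Windows Server 2022
}

# Win32_OperatingSystem reports the real build even where .NET's OSVersion is shimmed.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$kb = $kbByBuild[$os.BuildNumber]
if (-not $kb) {
    Write-Warning "Build $($os.BuildNumber) ($($os.Caption)) is not one of the three affected releases; nothing to do."
    return
}

$installed = Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue
if (-not $installed) {
    Write-Output "KB$kb is not installed on this host; nothing to remove."
    return
}
Write-Output "Found KB$kb (installed $($installed.InstalledOn)) on $($os.Caption); removing it."

# /quiet suppresses the dialog; /norestart lets the script decide when to reboot.
$wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
$proc = Start-Process -FilePath $wusa -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output "KB$kb removed; no reboot requested." }
    3010    { Write-Output "KB$kb removed; rebooting to complete removal."; Restart-Computer -Force }
    default { Write-Warning "wusa exited with code $($proc.ExitCode); see $env:SystemRoot\Logs\CBS\CBS.log." }
}
```

After the reboot, rerun Get-HotFix to confirm the KB is gone, and pause or decline the update in WSUS or whatever patch tool manages the server; otherwise the next update scan will simply reinstall it.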

Because Microsoft ships all of a month's security fixes in a single cumulative update, uninstalling it does work around these bugs, but it also removes every fix for the vulnerabilities patched that month, including the Hyper-V and ReFS ones listed above. Uninstall only where it is truly necessary, and plan to reapply the update once Microsoft addresses the regression.
