Woody Leonhard's no-bull news, tips and help for Windows and Office
  • Security patches KB 3205394, 3206632, 3205386 crash Active Directory Admin Center

    Posted on January 6th, 2017 at 07:32 woody 28 comments

    Reports are spreading.

    InfoWorld Woody on Windows

    So, anybody care to guess how Microsoft will handle this problem? We appear to have three Win10 cumulative updates and four Win7/8.1 monthly patches, all with the same bug. It’s not a big deal, unless you’re using the Active Directory Admin Center (or SCCM).

    I see a few possibilities:

    • “Patch” ADAC (which probably isn’t broken)
    • Post a manual workaround and forget about it
    • Post hotfixes for the Win10 versions, or at least 1607
    • Re-release the Win7 and 8.1 patches

    Let’s see how MS reacts.

    Thanks to Paul and MH.


    28 Responses to “Security patches KB 3205394, 3206632, 3205386 crash Active Directory Admin Center”

    1. abbodi86 says:

      They will either fix it in the next Patch Tuesday updates, or later with catalog-only updates.

      Win7/8.1 probably will get it in the next “Preview Rollup”

    2. Eric says:

      Let’s see if MS fixes a buggy security-only update with a non security-only patch!

      I’m not holding my breath for a good outcome.

      • Glenda Hewitt says:

        Should we uninstall the 3205394 update? W7 Home. Group B.

        • woody says:

          Absolutely not.

        • ch100 says:

          Active Directory Admin Center is not in wide use, although it is the current Microsoft recommended method for administering Active Directory. Most administrators prefer to use the classic consoles known since Windows 2000.
          SCCM console breaking may be an issue, but again, this depends on where the management console is installed.
          I think abbodi86 has already provided the answer for the likely methods to fix the current issues.

    3. The Real Allan says:

      Hey Woody,

      I reluctantly installed KB 3205400 for Windows 8.1, mostly based on your approval of it. I haven’t had anything specific happen except occasionally my browser doesn’t load the correct web page, or it does so very slowly.

      Also, I had to re-install the update of an IDE I use because it had reduced functionality. After re-installation, things were back to normal. The hash table wasn’t checked since this was a mostly automatic update.

      I don’t know if this is related to KB 3205400 or not.
      The above quirks happened after I installed the update.

      Glad to see that you are back from vacation. Happy New Year!

    4. b says:

      “admins have a straightforward choice: Use Active Directory Admin Center to edit users/groups, or remove all December security patches.”

      Shouldn’t this read, “DON’T use …, or remove …”?

      • woody says:

        Nope. If they have December patches applied (at least the ones that have already been tracked down and identified as problematic), they can’t use ADAC to edit users or groups. It’ll crash on save. If they want to use ADAC, they have to uninstall the December patches.

        • zero2dash says:

          I didn’t even realize I had ADAC on my workstation (after installing the RSAT’s) but lo and behold, there it is.
          I do have the update (in this case, KB3206632), and it does indeed cause ADAC to crash when trying to make any changes.

          In any event, a workaround is to use AD Users & Computers, which is also included in the RSAT’s and has the same functionality (as far as I can tell) as ADAC, in a more ‘clean’ package. I have no idea why they even came up with ADAC, other than typical Microsoft “reinvent the wheel when the wheel’s not broken” sense. I’m more familiar with ADUC anyway.

          • ch100 says:

            This is what I said in another comment. Most admins do not use ADAC, but ADUC, AD Sites and Services, i.e. the classical tools.

            • ch100 says:

              I think ADAC has only one major feature not found in other tools except for using PowerShell, rarely used and hopefully never needed. It is about restoring deleted Active Directory objects from the Recycle Bin.

        • b says:

          Exactly. So their choice is to NOT use ADAC, *or* remove December patches.

          (Otherwise the first choice means no change!)

    5. ch100 says:

      “Based on the crashing module name, kernelbase.dll, I would point the finger at MS 16-151, the “Security Update for Windows Kernel-Mode Drivers,” which has become a monthly recurring theme of late.”

      Weren’t the kernel driver updates the very last that were recommended to be installed by Susan Bradley in her newsletter? Now we don’t have the luxury to separate between different patches… so we should delay installing the whole lot, especially when there are unresolved issues.

    6. Brandon says:

      KB3205394 OR KB3207752 were causing a client’s machine not to boot correctly. It would cause the machine to state that a hardware or software change has prevented Windows from booting correctly and to select repair. I would select the repair and then a window would appear and state the OS couldn’t be repaired. As soon as I removed these 2 updates, the machine hasn’t had a problem since.

      So I definitely would be removing these updates, period.

    7. John says:

      Hi. Auto update installed KB3206632 and completely screwed my Windows 10 64-bit system. Programs freeze, CCleaner cannot run on this level of Windows and Explorer hangs in folders and files. Re-boot only way to recover and of course immediately problem reoccurs.
      Autoupdate installed KB3206632 on 28Dec’16. Uninstalled this update and all was fine until Autoupdate again installed it on 5Jan’17.
      Uninstalled for second time today 8Jan’17 and again problem solved. AutoUpdate service now disabled! Will now update every 3 months on duplicate system – if ok, this will become prod system – switching systems every 3 months if updates ok.
      Hope this info is useful. John

    8. ch100 says:

      One more for your ammunition Woody, Enterprise related though.
      It appears that Windows 2016 and Windows 10 when configured as KMS hosts, after a while reject the activation of Windows 7 KMS clients, considering them non-genuine. I don’t know the cause, but it appears to affect machines which were offline for about 2 weeks or longer, which should not happen. This became obvious after the Christmas & New Year’s break when many people took extended leave. Maybe it happens within Microsoft too, although I am expecting that their employees are not allowed to use Windows 7 any longer. 😉
      There is a manual fix for the affected machines by rearming the system (KMS activation does not have a limited number of rearming operations, as the counter is reset each time one such activation takes place). But there is no guarantee that it will not happen again.
      The solution proposed by Microsoft is to use older OS as KMS hosts until there will be a fix available. This may be related to the known crashes of the Windows 2016 Server role Volume Activation Services.

      And Microsoft’s workaround (from the same thread):


      “The recommendation at this point is to leave your existing KMS system alone. Whether it is running on Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, continue to service the machine via security and quality updates. Allow your KMS system to activate down-level operating systems and Office installs (Windows 7, Windows Server 2008/2008 R2, and Office 2010). Utilize Active Directory Based Activation (ADBA) for all new clients (Windows 8, 8.1, Windows Server 2012, 2012 R2, 2016, Windows 10, Office 2013, and Office 2016).”

    9. Ben says:

      We have the same issue and were not sure of the root cause until I found this article. I removed both 3205394 and 3207752.

    10. Debbie Zanet says:

      We have several techs with AD crashing and they all have KB3205394 installed. Those techs without it are fine. I removed the patch from my computer but it didn’t fix anything. Still crashing when I try to add users to a group. I found a mention of a December patch to Server 2012R2 not sure it is related. Could it be both the server patch and the Win7 patch need to be removed?
      See http://www.infoworld.com/article/3155264/microsoft-windows/december-windows-security-patches-crash-active-directory-admin-center.html

    11. Pacman says:

      I have this happening on a Windows 10 x64 station. Last week I fixed by removing KB3206632. Today Windows update installed KB3197356 and KB3213986 and I am having the same issue. Right now I am switching over to using ADUC which does not have this problem. I prefer ADAC, so hopefully Microsoft fixes this soon. I have reported this at Microsoft too – https://social.technet.microsoft.com/Forums/office/en-US/533a56c7-9412-43d4-a711-18fbe9035786/issues-with-adac-after-installing-december-2016-security-monthly-rollup?forum=winservergen
