MS-DEFCON 3: Side effect with Domain patch

Topic

New Reply

Special alert By Susan Bradley November Domain controller update leads to memory leak Business patchers only:  Microsoft has posted up a known side ef
[See the full post at: MS-DEFCON 3: Side effect with Domain patch]

Susan Bradley Patch Lady

2 users thanked author for this post.

NetDef, abbodi86

Reply | Quote

Replies

By business patcher do you mean windows servers patchers?

Reply | Quote

Specifically just the domain controller role.

Susan Bradley Patch Lady

Reply | Quote

I removed KB5019964 as suggested, restarted, but now it seems to be stuck at 100% finishing the removal. Can’t log in. Has been over an hour. (All functions seem to be working.) Ideas?

Reply | Quote

I’d just let it sit.  I’ve had them take longer than that.

Susan Bradley Patch Lady

Reply | Quote

Just checking on you, did it finally finish?

Susan Bradley Patch Lady

Reply | Quote

That’s normal. When uninstalling, the progress is not well measured as when installing an update.

Reply | Quote

Thanks for the heads-up. I’m going the regedit route on four DCs to which I applied November updates and OOB fixes in the past week. Notes:

• Two Server 2016 machines show lsass.exe using about 72K of memory on each machine. The registry key did not exist on either. Adding.
• Two Server 2012R2 machines shows lasss.exe using 100K and 161K of memory. The registry key did not exist on either. Adding.

I don’t see any reboot requirement for applying this fix?

Reply | Quote

I did not see any either.

Susan Bradley Patch Lady

1 user thanked author for this post.

mcbsys

Reply | Quote

Hi all, quite an unusual subkey for service param’s – I’d expect them to go to …\KDC\Parameters… but all docs I found so far are pointing to …\KDC . Is there a way to check if the setting of ‘zero’ successfully triggered the deactivation of the new bug – oops, sorry – feature?

Also, I do not understand M$ trend to force such changes at a certain point in time without leaving the option to deactivate it. What if a company has a hard dependency on it to stay turned of to still be able to keep their environment running?

BfN, -k

Reply | Quote

On Pro and Server editions you have the option on gpedit.msc or Group Policies to set Windows Update to download but not to install until you tell it to. That’s how I’m set on my PC and critical servers so that when I’m ready I install them.

On Windows 10 Pro, run gpedit.msc. Then Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. Then find Configure Automatic Updates. Set it to Enabled, set Configure automatic updating to 3 – Auto download and notify to install and uncheck install during automatic maintenance. If an OOB must be installed, go to Windows Update Catalog, download the required MSU and run it instead of clicking install on Windows Update.

Reply | Quote

This is enforcing better Kerberos to ensure that attackers can’t gain access to a domain.  We complain that Microsoft isn’t doing enough to protect us from ransomware….. well these enforcement patches are pushing us to ensure we are better protected from ransomware.  Because they may have impact, they are giving us time to deal with the issues.

Susan Bradley Patch Lady

Reply | Quote

The setting of 0 disables the auditing/enabling which may have a performance impact.

Susan Bradley Patch Lady

Reply | Quote

If I did not install the original November patches that are sitting in the que waiting should i just hide them and then install December updates once the all clear is given and hopefully they will have a fix built in on those updates for Server 2012R2 ?

Reply | Quote

If your system updates automatically, you may need to hide the update. If it updates manually, you can wait until Microsoft publishes the December updates and it should replace the previous update option on it’s own.

1 user thanked author for this post.

arbrich

Reply | Quote

Yes they are downloaded and waiting but I manually install them.

So hiding is the best plan ??

Thanks

 

Reply | Quote

Seems like 2012R2 updates may not be cumulative (as they are with 2016+). Might need to install November before December, but you could still wait until December. The machine should tell you what’s applicable.

Reply | Quote

Thanks for posting/writing these ‘special alerts’.     I sure wish MS did a better job of stress testing their KB updates prior to release.   I hope that not too many sysadmins got burnt this time around.     Your special alerts are well worth the cost of this subscription and more.   Thanks.

1 user thanked author for this post.

mcbsys

Reply | Quote

Database connections using Microsoft ODBC SQL Server driver might fail

After installing KB5019980, apps which use ODBC connections utilizing the Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might fail to connect. You might receive an error within the app or you might receive an error from SQL Server, such as “The EMS System encountered a problem” with “Message: [Microsoft][ODBC SQL Server Driver] Protocol error in TDS Stream” or “Message: [Microsoft][ODBC SQL Server Driver]Unknown token received from SQL Server”.

If you are unsure if you are using any affected apps, open any apps which use a database and then open Command Prompt (select Start then type command prompt and select it) and type the following command:

tasklist /m sqlsrv32.dll

Next steps: We are working on a resolution and will provide an update in an upcoming release..

Affected platforms:

​Client: Windows 11, version 22H2; Windows 10, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
​Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

1 user thanked author for this post.

blackbox

Reply | Quote

How does that relate to memory leaks in a domain controller?

cheers, Paul

Reply | Quote

Notice our DCs are running higher memory than usually after the Nov patch, planning to add the register key during the weekend, do we need to remove that registry out once Dec patch is available?  From the instruction isn’t very clear.

 

Reply | Quote

Hey Susan!

Wanted to thank you for posting this.  I was trying to conduct a live migration today to move several VM’s over to a new Hyper-V host on an AD network that had taken the November patches.

The Kerberos constrained delegation trust relationship between the old host and the new Hyper-V host was completely broken by the Nov 12th patch on the domain controller. Kept getting errors that one host could not connect to the other. (WinRM failures)

I installed the hot fix listed (KB  KB5021655 from the MS download catalog for Server 2019) on the MS Status page link you provided on the Domain Controller and also applied the LSASS memory leak mitigation reg-key mentioned on the same page – again on that same DC.

It completely fixed the issue with my migration failures.

Weirdly, this particular customer informed me that all their workstations had been popping up an odd notification since Nov 12th asking them to lock and unlock their computer to refresh a password change . . .  but none of them had recently changed their passwords.  If the user complied with the lock/unlock process, the popup would repeat anyway at some random time – several times a day.  That issue also went away once I installed this hotfix on the DC.

~ Group "Weekend" ~

Reply | Quote

So now that December patches have been installed successfully (“Resolved KB5021235“), are we good to remove the temporary registry value? This should work, right?

reg delete “HKLM\System\CurrentControlSet\services\KDC” -v “KrbtgtFullPacSignature”

Reply | Quote

Correct syntax (if WordPress doesn’t mess up the quotation marks):

reg delete "HKLM\System\CurrentControlSet\services\KDC" /v "KrbtgtFullPacSignature"

Reply | Quote