• MS-DEFCON 3: Side effect with Domain patch

    Home » Forums » Newsletter and Homepage topics » MS-DEFCON 3: Side effect with Domain patch


    Special alert By Susan Bradley November Domain controller update leads to memory leak Business patchers only:  Microsoft has posted up a known side ef
    [See the full post at: MS-DEFCON 3: Side effect with Domain patch]

    Susan Bradley Patch Lady

    2 users thanked author for this post.
    Viewing 9 reply threads
    • #2500948

      By business patcher do you mean windows servers patchers?

    • #2500975

      I removed KB5019964 as suggested, restarted, but now it seems to be stuck at 100% finishing the removal. Can’t log in. Has been over an hour. (All functions seem to be working.) Ideas?

    • #2501136

      Thanks for the heads-up. I’m going the regedit route on four DCs to which I applied November updates and OOB fixes in the past week. Notes:

      • Two Server 2016 machines show lsass.exe using about 72K of memory on each machine. The registry key did not exist on either. Adding.
      • Two Server 2012R2 machines shows lasss.exe using 100K and 161K of memory. The registry key did not exist on either. Adding.

      I don’t see any reboot requirement for applying this fix?

    • #2501286

      Hi all, quite an unusual subkey for service param’s – I’d expect them to go to …\KDC\Parameters… but all docs I found so far are pointing to …\KDC . Is there a way to check if the setting of ‘zero’ successfully triggered the deactivation of the new bug – oops, sorry – feature?

      Also, I do not understand M$ trend to force such changes at a certain point in time without leaving the option to deactivate it. What if a company has a hard dependency on it to stay turned of to still be able to keep their environment running?

      BfN, -k

      • #2501323

        On Pro and Server editions you have the option on gpedit.msc or Group Policies to set Windows Update to download but not to install until you tell it to. That’s how I’m set on my PC and critical servers so that when I’m ready I install them.

        On Windows 10 Pro, run gpedit.msc. Then Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. Then find Configure Automatic Updates. Set it to Enabled, set Configure automatic updating to 3 – Auto download and notify to install and uncheck install during automatic maintenance. If an OOB must be installed, go to Windows Update Catalog, download the required MSU and run it instead of clicking install on Windows Update.

      • #2501326

        This is enforcing better Kerberos to ensure that attackers can’t gain access to a domain.  We complain that Microsoft isn’t doing enough to protect us from ransomware….. well these enforcement patches are pushing us to ensure we are better protected from ransomware.  Because they may have impact, they are giving us time to deal with the issues.

        Susan Bradley Patch Lady

      • #2501327

        The setting of 0 disables the auditing/enabling which may have a performance impact.

        Susan Bradley Patch Lady

    • #2501441

      If I did not install the original November patches that are sitting in the que waiting should i just hide them and then install December updates once the all clear is given and hopefully they will have a fix built in on those updates for Server 2012R2 ?

      • #2501443

        If your system updates automatically, you may need to hide the update. If it updates manually, you can wait until Microsoft publishes the December updates and it should replace the previous update option on it’s own.

        1 user thanked author for this post.
        • #2501768

          Yes they are downloaded and waiting but I manually install them.

          So hiding is the best plan ??



        • #2501815

          Seems like 2012R2 updates may not be cumulative (as they are with 2016+). Might need to install November before December, but you could still wait until December. The machine should tell you what’s applicable.

    • #2501720

      Thanks for posting/writing these ‘special alerts’.     I sure wish MS did a better job of stress testing their KB updates prior to release.   I hope that not too many sysadmins got burnt this time around.     Your special alerts are well worth the cost of this subscription and more.   Thanks.

      1 user thanked author for this post.
    • #2503802

      Database connections using Microsoft ODBC SQL Server driver might fail

      After installing KB5019980, apps which use ODBC connections utilizing the Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might fail to connect. You might receive an error within the app or you might receive an error from SQL Server, such as “The EMS System encountered a problem” with “Message: [Microsoft][ODBC SQL Server Driver] Protocol error in TDS Stream” or “Message: [Microsoft][ODBC SQL Server Driver]Unknown token received from SQL Server”.

      If you are unsure if you are using any affected apps, open any apps which use a database and then open Command Prompt (select Start then type command prompt and select it) and type the following command:

      tasklist /m sqlsrv32.dll

      Next steps: We are working on a resolution and will provide an update in an upcoming release..

      Affected platforms:

      ​Client: Windows 11, version 22H2; Windows 10, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
      ​Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      1 user thanked author for this post.
    • #2504183

      Notice our DCs are running higher memory than usually after the Nov patch, planning to add the register key during the weekend, do we need to remove that registry out once Dec patch is available?  From the instruction isn’t very clear.


    • #2506183

      Hey Susan!

      Wanted to thank you for posting this.  I was trying to conduct a live migration today to move several VM’s over to a new Hyper-V host on an AD network that had taken the November patches.

      The Kerberos constrained delegation trust relationship between the old host and the new Hyper-V host was completely broken by the Nov 12th patch on the domain controller. Kept getting errors that one host could not connect to the other. (WinRM failures)

      I installed the hot fix listed (KB  KB5021655 from the MS download catalog for Server 2019) on the MS Status page link you provided on the Domain Controller and also applied the LSASS memory leak mitigation reg-key mentioned on the same page – again on that same DC.

      It completely fixed the issue with my migration failures.

      Weirdly, this particular customer informed me that all their workstations had been popping up an odd notification since Nov 12th asking them to lock and unlock their computer to refresh a password change . . .  but none of them had recently changed their passwords.  If the user complied with the lock/unlock process, the popup would repeat anyway at some random time – several times a day.  That issue also went away once I installed this hotfix on the DC.

      ~ Group "Weekend" ~

    • #2512992

      So now that December patches have been installed successfully (“Resolved KB5021235“), are we good to remove the temporary registry value? This should work, right?

      reg delete “HKLM\System\CurrentControlSet\services\KDC” -v “KrbtgtFullPacSignature”
      • #2513257

        Correct syntax (if WordPress doesn’t mess up the quotation marks):

        reg delete "HKLM\System\CurrentControlSet\services\KDC" /v "KrbtgtFullPacSignature"
    Viewing 9 reply threads
    Reply To: MS-DEFCON 3: Side effect with Domain patch

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: