New Windows Server Updates Cause DC Boot Loops, Break Hyper-V

Windows server

The latest Windows Server updates pose serious problems for administrators, with domain controllers having spontaneous restarts, Hyper-V not starting, and ReFS volumes inaccessible until the updates are rolled back

Yesterday, Microsoft released Windows Server 2012 R2 update KB5009624, Windows Server 2019 update KB5009557, and Windows Server 2022 update KB5009555 as part of the January 2022 Patch Tuesday.

After installing these updates, administrators encountered several issues that are not resolved until the updates were removed.

Windows domain controller boot loops

The most serious issue introduced by these updates is that Windows domain controllers go into a boot loop, with servers going into an endless cycle of starting Windows and then restarting after a few minutes.

As first reported by BornVille, this issue affects all supported versions of Windows Server.

“It appears that KB5009557 (2019) and KB5009555 (2022) cause domain controllers to fail, which then keep restarting every few minutes,” said a posted user to Reddit.

A Windows Server administrator told BleepingComputer that he sees the LSASS.exe process using all the CPU on a server, and then eventually shutting down.

As LSASS is a critical process required for Windows to function properly, the operating system will restart automatically when the process is complete.

The following error will be logged in the event viewer on restart due to a stuck LSASS process, as a different user on Reddit share.

“The wininit.exe process initiated the restart of the computer [computer_name] on behalf of the user for the following reason: No title for this reason could be found Reason code: 0x50006 Shutdown type: restart Comment: The system process “C: WINDOWS system32 lsass.exe” terminated unexpectedly with status code -1073741819. The system will now shut down and restart. “

Hyper-V does not start anymore

In addition to boot loops, BleepingComputer has been informed by Windows administrators that after installing the patches, Hyper-V no longer starts on the server.

This bug primarily affects Windows Server 2012 R2 server, but other unverified reports indicate that it affects newer versions of Windows Server.

Since Hyper-V is not started, when attempting to launch a virtual machine, users receive an error by stating the following:

“Virtual machine xxx could not be started because the hypervisor is not running.”

Microsoft yesterday released security updates to fix four different Hyper-V vulnerabilities (CVE-2022-21901, CVE-2022-21900, CVE-2022-21905, and CVE-2022-21847), which are likely to be origin of this problem.

ReFS file systems are no longer accessible

Finally, many administrators report that Windows Resilient File System (ReFS) volumes are no longer accessible or are considered RAW (unformatted) after installing updates.

The Resilient File System (ReFS) is a proprietary file system from Microsoft that has been designed for high availability, data recovery, and high performance for very large volumes of storage.

“Installed those updates tonight, in a two-server Exchange 2016 CU22 DAG, running on Server 2012 R2. After a very long restart, the server came back with all the ReFS volumes in RAW, ” Explain a Microsoft Exchange administrator on Reddit.

“The attached NTFS volumes were okay. I realize that this is not exclusively an exchange issue, but it does impact my ability to bring services for Exchange back online. “

Uninstalling Windows Server updates made the ReFS volumes accessible again.

Yesterday Microsoft fixed seven remote code execution vulnerabilities in ReFS, one or more of which are likely behind inaccessible ReFS volumes.

These vulnerabilities are tracked as CVE-2022-21961, CVE-2022-21959, CVE-2022-21958, CVE-2022-21960, CVE-2022-21963, CVE-2022-21892, CVE-2022-21962, CVE-2022 -21928.

How to fix?

Unfortunately, the only way to resolve these issues is to uninstall the corresponding cumulative update for your version of Windows.

Administrators can do this using one of the following commands:

Windows Server 2012 R2: wusa /uninstall /kb:KB5009624 
Windows Server 2019: wusa /uninstall /kb:KB5009557 
Windows Server 2022: wusa /uninstall /kb:KB5009555

Because Microsoft consolidates all security fixes into a single update, removing the cumulative update may fix the bugs, but will also remove all fixes for newly fixed vulnerabilities.

Therefore, uninstalling these updates should only be done if absolutely necessary.

Not to be outdone by Windows Server, updates to Windows 10 and Windows 11 also interrupt L2TP VPN connections.

BleepingComputer has contacted Microsoft for fixes for these issues, but has not received a response yet.


Please enter your comment!
Please enter your name here

Trending this Week