Windows Server

The March 2024 Windows Server updates are causing some domain controllers to crash and restart, according to widespread reports from Windows administrators.

Affected servers are freezing and rebooting because of a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with the March 2024 cumulative updates for Windows Server 2016 and Windows Server 2022.

LSASS is a Windows service that enforces security policies and handles user logins, access token creation, and password changes.

As many admins have warned, domain controllers crash and reboot due to increasing LSASS memory usage after the KB5035855 and KB5035857 Windows Server updates released this Patch Tuesday are installed.

“Since installation of the March updates (Exchange as well as regular Windows Server updates) most of our DCs show constantly increasing lsass memory usage (until they die),” one admin said.

“We’ve had issues with lsass.exe on domain controllers (2016 core, 2022 with DE and 2022 core domain controllers) leaking memory as well. To the point all domain controllers crashed over the weekend and caused an outage,” another one added.

“Our symptoms were ballooning memory usage on the lsass.exe process after installing KB5035855 (Server 2016) and KB5035857 (Server 2022) to the point that all physical and virtual memory was consumed and the machine hung,” one admin told BleepingComputer.

“The Support rep says they expect official comms to be announced from Microsoft soon.”

Temporary workaround available

Until Microsoft officially acknowledges this memory leak issue, admins are advised to uninstall the buggy Windows Server updates from their domain controllers.

“Microsoft Support has recommended that we uninstall the update for the time being,” the same admin told BleepingComputer.

To remove the troublesome updates, open an elevated command prompt by clicking the Start menu, typing ‘cmd,’ right-clicking the Command Prompt application, and then choosing ‘Run as Administrator.’

Next, run one of the following commands, depending on what update you have installed on your Windows domain controller:

wusa /uninstall /kb:5035855
wusa /uninstall /kb:5035857

Once uninstalled, you should also use the ‘Show or Hide Updates’ troubleshooter to hide the buggy update so it will no longer appear in the available updates list.
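The check-then-remove procedure above can be scripted per domain controller. The following PowerShell is an added example, not from the original article or from Microsoft: it finds which of the two updates is installed, samples lsass.exe memory to show whether it keeps growing, and runs the matching wusa command only when asked. The parameter names, sample count and interval are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. KB numbers are the ones named in the article;
# -Samples, -IntervalSeconds and -Uninstall are illustrative parameters.
param(
    [int]$Samples = 6,
    [int]$IntervalSeconds = 300,
    [switch]$Uninstall
)

$affected = @{ 'KB5035855' = 'Windows Server 2016'; 'KB5035857' = 'Windows Server 2022' }

# Step 1: is one of the two March 2024 updates installed on this machine?
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $affected.ContainsKey($_.HotFixID) })

if ($installed.Count -eq 0) {
    Write-Output 'Neither KB5035855 nor KB5035857 is installed on this server.'
}
else {
    # Step 2: sample lsass.exe memory over time; steady growth matches the reported symptom.
    $readings = foreach ($i in 1..$Samples) {
        $p = Get-Process -Name lsass
        [pscustomobject]@{
            Time         = Get-Date -Format 'HH:mm:ss'
            PrivateMB    = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
        }
        if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
    }
    $readings | Format-Table -AutoSize | Out-String | Write-Output
    $delta = $readings[-1].PrivateMB - $readings[0].PrivateMB
    Write-Output ("lsass private memory changed by {0} MB across {1} samples." -f $delta, $Samples)

    # Step 3: show (or, with -Uninstall, run) the wusa command for the installed update.
    foreach ($hf in $installed) {
        $kb = $hf.HotFixID -replace '^KB', ''
        Write-Output ("{0} ({1}) installed on {2}: wusa /uninstall /kb:{3}" -f `
            $hf.HotFixID, $affected[$hf.HotFixID], $hf.InstalledOn, $kb)
        if ($Uninstall) {
            Start-Process -FilePath 'wusa.exe' -ArgumentList '/uninstall', "/kb:$kb" -Wait
        }
    }
}
```

Run it without -Uninstall first to record the memory trend; wusa prompts for confirmation and a restart when the removal is run.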

Microsoft addressed another LSASS memory leak affecting domain controllers in December 2022, when affected servers would freeze and restart after installing Windows Server updates released during the November 2022 Patch Tuesday.

In March 2022, Microsoft fixed one more LSASS crash that caused unexpected Windows Server domain controller reboots.

A Microsoft spokesperson could not immediately provide more details when contacted by BleepingComputer earlier today.

Source: www.bleepingcomputer.com