Microsoft has confirmed customer reports of NTLM authentication failures and high load after installing last month's Windows Server security updates.
According to a new entry added to the Windows health dashboard on Tuesday, this known issue will only affect Windows domain controllers in organizations with a lot of NTLM traffic and few primary DCs.
The list of impacted Windows versions and buggy security updates includes Windows Server 2022 (KB5036909), Windows Server 2019 (KB5036896), Windows Server 2016 (KB5036899), Windows Server 2012 R2 (KB5036960), Windows Server 2012 (KB5036969), Windows Server 2008 R2 (KB5036967), and Windows Server 2008 (KB5036932).
"After installing the April 2024 security update on domain controllers (DCs), you might notice a significant increase in NTLM authentication traffic," Microsoft says.
"This issue is likely to affect organizations that have a very small percentage of primary domain controllers in their environment and high NTLM traffic."
Microsoft has yet to provide information on the root cause of this known issue and is still working on a fix. Still, it advised small and large enterprise customers needing help to reach out through the "Support for Business" portal.
Unofficial temporary fix
While a workaround is unavailable until Microsoft provides a fix, Windows administrators can uninstall the security updates to address the NTLM authentication issues temporarily.
"To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages," Microsoft explains.
It's also important to note that the latest cumulative updates include all security fixes released this month. Hence, removing the LCU will also remove all fixes for security vulnerabilities patched this month.
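The removal procedure Microsoft describes, scripted in PowerShell as an added example (not code from Microsoft or from the original article). It assumes Windows Server 2016 or later, where the LCU is listed as Package_for_RollupFix; the function names Get-LcuPackage and Remove-LatestLcu are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: locate the installed LCU package and remove it with DISM.
# Assumption: the LCU shows up in the package list as "Package_for_RollupFix~...".
# If nothing matches, read the full "DISM /online /get-packages" output by hand.

function Get-LcuPackage {
    # Same data as "DISM /online /get-packages", returned as objects.
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like 'Package_for_RollupFix*' -and
                       $_.PackageState -eq 'Installed' } |
        Sort-Object InstallTime -Descending
}

function Remove-LatestLcu {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    $lcu = Get-LcuPackage | Select-Object -First 1
    if (-not $lcu) {
        Write-Warning 'No installed Package_for_RollupFix package found.'
        return
    }

    # ShouldProcess gives -WhatIf and a confirmation prompt before anything changes.
    if ($PSCmdlet.ShouldProcess($lcu.PackageName, 'DISM /Remove-Package')) {
        # /NoRestart leaves the reboot for a maintenance window.
        & dism.exe /Online /Remove-Package "/PackageName:$($lcu.PackageName)" /NoRestart
        if ($LASTEXITCODE -notin 0, 3010) {   # 3010 = success, reboot required
            throw "DISM failed with exit code $LASTEXITCODE"
        }
    }
}

# Review the candidate package first, then do a dry run.
Get-LcuPackage | Format-Table PackageName, PackageState, InstallTime -AutoSize
Remove-LatestLcu -WhatIf
```

Run Remove-LatestLcu without -WhatIf only after confirming the listed package is the update you intend to roll back.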
Two months ago, Microsoft released emergency out-of-band updates to fix an issue causing Windows domain controller crashes due to memory leaks caused by the March 2024 Windows Server security updates.
Redmond resolved more Windows Server crash issues in December 2022, after the November 2022 security updates introduced another leak, and in March 2022, when Windows admins reported widespread domain controller reboots.
On Tuesday, Microsoft also revealed that the April 2024 Windows security updates are breaking VPN connections on Windows 11, Windows 10, and Windows Server systems.
Comments
BxN88 - 1 month ago
We face multiple authentication delay issues in our enterprise since the latest CU has been deployed on our DS. Slow authentication randomly and ADDS warning message: Active Directory Domain Services attempted to perform a remote procedure call (RPC) to the following server. The call timed out and was cancelled.
Anybody have similar behavior?
vultux - 1 month ago
Has anyone had success removing the ServicingStack packages?
When I try with the command:
DISM /Online /Remove-Package /packagename:Package_for_ServicingStack_4289~31bf3856ad364e35~amd64~~19041.4289.1.3
Deployment Image Servicing and Management Tool
Version: 10.0.19041.3636
Image Version: 10.0.19045.4170
Processing 1 of 1 - Error - Package_for_ServicingStack_4289 Error: 0x800f0825
Error: 0x800f0825
DISM failure. No operations were performed.
BxN88 - 1 month ago
The Servicing Stack should not have any impact - SS is basically only the patch catalogue. No need to uninstall it. If you want to roll back the Cumulative Update of April, simply run this command in CMD as Admin: wusa /uninstall /kb:****** You can see the currently installed KBs via PowerShell with the following command: Get-HotFix. Hope this helps.