Windows 10: Microsoft confirms KB5036909 issues in Windows Server with NTLM traffic, LSASS

Discussion in 'Windows 10 News' started by WinLatest, May 4, 2024.

  1. WinLatest New Member

    Microsoft confirms KB5036909 issues in Windows Server with NTLM traffic, LSASS


    Microsoft has confirmed new issues in KB5036909 for Windows Server 2022 that could cause a surge in NTLM traffic and even lead to LSASS crashes, which could reboot your system automatically. To fix issues with KB5036909, you can run DISM /online /get-packages and manually remove the package.

    Windows April 2024 security updates have been rough for everyone, including consumers and businesses. Windows Latest has already flagged as many as three critical issues in the April 2024 Patch, and the fourth new bug has been spotted in Windows Server 2022.

    In an update to its support document, Microsoft warned about the issues in Windows Server 2022. According to Microsoft, you might notice an abrupt blowup in NTLM authentication traffic if you are an administrator. For those unaware, it is an authentication protocol to verify the user’s identity to establish a connection.

    NTLM is a legacy protocol that’s not as heavily used as Kerberos but was mangled by April’s security update. In addition to the NTLM traffic surge, Microsoft informed that Windows Server PCs acting as a Domain Controller could encounter a service crash issue.

    The abrupt crash of the Local Security Authority Subsystem Service (LSASS) can force your PC to reboot. This problem exists in Windows Server 2022 and affects all older editions, including Windows Server 2008.

    Here’s a full list of affected Windows editions:

    • Windows Server 2022 (KB5036909)
    • Windows Server 2019 (KB5036896)
    • Windows Server 2016 (KB5036899)
    • Windows Server 2012 R2 (KB5036960)
    • Windows Server 2012 (KB5036969)
    • Windows Server 2008 R2 (KB5036967)
    • Windows Server 2008 (KB5036932).

    If you are looking for a resolution, you must wait until Microsoft rolls out a patch. As always, you can choose to uninstall the update via PowerShell.

    To remove the April 2024 update from Windows Server 2022 using DISM, use these steps:

    1. Open PowerShell as Administrator. Run this command:
       dism /online /get-packages
    2. Look through the list for a package name that includes “KB5036909”. Note the full name of the package.
    3. Replace PackageName with the exact name of the update package and run the following command:
       dism /online /remove-package /packagename:PackageName
    4. For example, if the package is listed as Package_for_KB5036909~31bf3856ad364e35~amd64~~10.0.1.0, your command would be:
       dism /online /remove-package /packagename:Package_for_KB5036909~31bf3856ad364e35~amd64~~10.0.1.0
    5. As you can see, it must have the full name. Once done, run Restart-Computer to finish removing updates.

    You can follow the same steps for other Windows editions, but replace the KB ID. Also, you should pause the updates until the fixes are ready.

    It’s worth noting that Windows Server is also plagued with two other issues in the April 2024 update.

    Profile Photo and VPN connection errors


    You might encounter an error if you try changing the profile photo on your Windows Server PC. The selected image is often applied as the new profile picture and the 0x80070520 error appears after that.

    It warns that the profile picture couldn’t be saved, which is incorrect.

    On Windows 11 consumer editions, the problem is associated with a local account, as confirmed by our tests in another post.

    This picture couldn’t be saved error | Image Courtesy: WindowsLatest.com

    VPN software might fail to connect, making using the PC in a secure environment challenging. Both these issues remain unresolved, and it’s been almost a month since the update went live.

    A few weeks back, Microsoft accidentally installed Copilot app on Windows Server PCs with an update for the Edge browser. Unlike consumer editions, Copilot isn’t available for Windows Server.

    However, Microsoft took cognizance of the incident and removed the app with a new update for the Edge.

    The post Microsoft confirms KB5036909 issues in Windows Server with NTLM traffic, LSASS appeared first on Windows Latest

    WinLatest, May 4, 2024
    #1
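
The removal steps in the first post, as an added PowerShell example that is not part of the original article: it picks the KB ID for the running edition from the article's list, finds the single package whose name contains it, and removes it. The function and variable names are hypothetical, and it assumes the DISM PowerShell cmdlets Get-WindowsPackage and Remove-WindowsPackage are available on the server.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Remove-AprilUpdate, Get-AprilKbForThisServer
# and $KbByEdition are hypothetical names. KB IDs are copied from the article's
# list; more specific editions come first so "2012 R2" is tested before "2012".
$KbByEdition = [ordered]@{
    '2022'    = 'KB5036909'
    '2019'    = 'KB5036896'
    '2016'    = 'KB5036899'
    '2012 R2' = 'KB5036960'
    '2012'    = 'KB5036969'
    '2008 R2' = 'KB5036967'
    '2008'    = 'KB5036932'
}

function Get-AprilKbForThisServer {
    # Match the edition named in the OS caption against the article's list.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    foreach ($edition in $KbByEdition.Keys) {
        if ($caption -match "\b$([regex]::Escape($edition))\b") { return $KbByEdition[$edition] }
    }
    throw "Edition '$caption' is not in the article's list of affected editions."
}

function Remove-AprilUpdate {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([ValidatePattern('^KB\d+$')][string]$KbId = (Get-AprilKbForThisServer))

    # Same listing as "dism /online /get-packages", filtered on the KB ID.
    $found = @(Get-WindowsPackage -Online | Where-Object PackageName -like "*$KbId*")

    if ($found.Count -eq 0) {
        Write-Warning "No package name contains $KbId; nothing to remove."
        return
    }
    if ($found.Count -gt 1) {
        # Refuse to guess: removal takes one exact, full package name.
        throw "Several packages match ${KbId}: $($found.PackageName -join ', ')"
    }

    $name = $found[0].PackageName
    if ($PSCmdlet.ShouldProcess($name, 'Remove update package')) {
        # Same as "dism /online /remove-package /packagename:<full name>".
        Remove-WindowsPackage -Online -PackageName $name -NoRestart
        Write-Host "Removed $name. Run Restart-Computer to finish."
    }
}

Remove-AprilUpdate -WhatIf   # dry run: reports which package would be removed
```

Drop -WhatIf to perform the removal; the function then asks for confirmation before calling Remove-WindowsPackage.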

  2. General Question on network traffic from Microsoft Servers:

    Hi Ron,

    I realize that you have a general question on network traffic. I will try to help you with this issue.


    • When you say that “my machine was receiving data from multiple microsoft servers”, how did you find that out?

    Please post a screenshot of that window in your reply. Take a screenshot of that window, paste it into Paint and save it on the desktop. On the Microsoft Community website, when you click reply you will see the option “Add Image” at the topmost part of the reply window. Click on Add Image, browse to the desktop, select the picture and upload it.

    Reply to us with more information to help you further.
     
    Srimadhwa B, May 4, 2024
    #2
  3. malware Win User
    Microsoft Windows Home Server Corrupts Files

    Microsoft has warned Windows Home Server users not to edit files stored on their backup systems with several of its programs, including Vista Photo Gallery and Office's OneNote and Outlook, as well as files generated by popular finance software such as Quicken and QuickBooks. "When you use certain programs to edit files on a home computer that uses Windows Home Server, the files may become corrupted when you save them to the home server," Microsoft said in a support document posted last week. The document went on to list the software, which includes Windows Vista Photo Gallery, Windows Live Photo Gallery, OneNote 2003, OneNote 2007, Outlook 2007, Microsoft Money 2007 and SyncToy 2.0 Beta. Other programs, however, may also corrupt files stored on a home server powered by Microsoft's operating system. "Additionally, there have been customer reports of issues with Torrent applications, with Intuit Quicken and with QuickBooks program files," the document said. "Until an update for Windows Home Server is available, we recommend that [you] do not use the programs that are listed to save or to edit program-specific files that are stored on a Windows Home Server-based system."

    Source: Computerworld
     
    malware, May 4, 2024
    #3
  4. changari Win User

    Raising the windows domain and forest issues?


    hi,

    I run a domain that was all 2003 r2 servers. I recently upgraded all my domain controllers to windows 2012 r2.
    That went off without any problems.. Our trust relationships had no issues also.

    My first step was to raise the Domain and Forest levels past 2003 to 2008. This went off without a hitch.
    These are the features for raising the levels to 2008:

    • Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
    • Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
    • Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
    • Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

    Forest Level Windows Server 2008

    • Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.


    My next step is to raise the domain and forest to 2008 r2, then 2012, and finally 2012 r2. I have been trying to find out exactly what I could expect from raising the Domain and Forest for each step.

    The step involving 2008 R2 seems relatively a non-issue. But getting the couple of new features seems very nice.

    Domain Level Windows Server 2008 R2

    • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features

    Forest Level Windows Server 2008 R2

    • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:


    • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. <== New Feature very cool
    • All domains subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

    Here are my big concerns for the next raising of domain and forest to 2012.

    Forest Level Windows Server 2012:

    • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
    • All domains subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

    Domain Level Windows Server 2012 R2: <=====
    Need to investigate more and why this post

    • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:


    • Authenticate with NTLM authentication <==============(what issues may arise)
    • Use DES or RC4 cipher suites in Kerberos pre-authentication
    • Be delegated with unconstrained or constrained delegation
    • Renew user tickets (TGTs) beyond the initial 4-hour lifetime


    Will this affect my Exchange anywhere users with remote access authenticating either clear of NTLM???
    And what would/may not work properly on day 1 when I raise the domain and forest to 2012? I can't really find anyone that can answer a straight question.

    Has anyone gone through this? What problems did you have, if any, if a lot???

    Any thoughts and suggestions will be much appreciated??

    thanks


    - - - Updated - - -

    One more point... I am not sure if I posted this to the correct forum.. So if I was wrong and it should be in a different one..
    PLEASE LET ME KNOW
     
    changari, May 4, 2024
    #4