Microsoft has fixed a known issue causing NTLM authentication failures and domain controller reboots after installing last month’s Windows Server security updates.
According to a Windows health dashboard entry, this issue only affects Windows domain controllers in organizations with a lot of NTLM traffic and few primary DCs.
On affected systems, after deploying the April Windows Server security updates, admins will also see high load and, in rare instances, domain controller reboots due to Local Security Authority Subsystem Service (LSASS) process crashes.
“After installing the April 2024 security update on domain controllers (DCs), you might notice a significant increase in NTLM authentication traffic,” Microsoft says.
“This issue is likely to affect organizations that have a very small percentage of primary domain controllers in their environment and high NTLM traffic.”
Microsoft fixed this known issue in Windows Server cumulative updates released today during the May 2024 Patch Tuesday.
The list of impacted Windows versions and the cumulative updates that fix the known issue includes:
“This issue was resolved by Windows updates released May 14, 2024 (KB5037782), and later,” the company explains on the Windows Server 2022 health dashboard.
“We recommend you install the latest security update for your device. It contains important improvements and issue resolutions, including this one.”
Admins who cannot immediately install this month’s Patch Tuesday updates can still temporarily work around these known issues by removing the problematic April updates.
“To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages,” Microsoft says.
However, it’s very important to note that Redmond includes security fixes in the Patch Tuesday cumulative update; hence, removing the April 2024 updates to resolve the domain controller and NTLM auth issues will also wipe all fixes for patched vulnerabilities.
Today, Microsoft also fixed a zero-day bug exploited in the wild to deploy QakBot and other malware onto vulnerable Windows systems.