Microsoft Starting to Confirm January Patch Problems Affecting Windows Server
Microsoft's January security patches, released on Tuesday, reportedly are causing multiple problems for organizations, particularly on the Windows Server side.
Microsoft on Monday released "out-of-band" (unscheduled) quality updates, as listed here, to address issues caused by some Jan. 11 security updates that mostly affected Windows Server users. The quality patches are described as addressing problems with domain controllers, VPN connections, the Resilient File System (ReFS) and "virtual machine start failures."
The bulletins associated with these out-of-band patches describe where IT pros can get them, but they are not all available through Windows Update, noted Susan Bradley, a Microsoft MVP and patch expert, in a Monday AskWoody.com post. The out-of-band patches are useful for organizations that are mandated to patch, she noted, but the AskWoody.com site is still advising on holding off for now. Another precaution for patchers is that specific Servicing Stack Updates need to be in place before applying the out-of-band patches, as described in the bulletins.
The main complaints include domain controllers going into "boot loops," broken IPSec virtual private network connections, "bricked" Hyper-V, plus removal of the Resilient File System (ReFS). Microsoft Most Valuable Professional (MVP) Gunter Born has cataloged these complaints in this recent Born's Tech and Windows World post. Per his reporting, the problems arose soon after Microsoft's Jan. 11 patch release.
At this point, Microsoft has only sometimes confirmed the problems or said that it is investigating them. However, those details are tucked away in scattered Knowledge Base articles.
Here's a summary of Microsoft's confirmations of these problems, to date, as uncovered by Born's reporting:
- Boot loop on domain controllers affects Windows Server 2012 and later versions (Microsoft reference).
- Hyper-V might fail to start for Windows 8.1, Windows Server 2012 R2 and Windows Server 2012 (Microsoft reference).
- IPSec connections containing a vendor ID might fail; also possibly affected are "VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP Security Internet Key Exchange (IPSEC IKE)" protocols. Windows 11 and Windows 10 clients may be affected, as well as Windows Server products from Windows Server 2016 and newer (Microsoft reference).
There is no centralized public communication from Microsoft that its January patches are bringing these problems. At press time, Microsoft's public "Message Center" Web page just urged organizations to "take action" given the January patch release.
Patch expert and MVP Susan Bradley has issued a warning at the AskWoody.com site, suggesting that organizations should hold back on applying Microsoft's January patches for now, based on the domain controller side effects alone.
Microsoft MVP Darryl van der Peijl warned this week about the domain controller problem in a Twitter post. Microsoft MVPs Sami Laiho and Johan Arwidmark also recently expressed caution on Microsoft's January patches, per this Twitter thread.
Microsoft may have pulled some of these problematic January patches, but commenters and media sources have also sometimes said that the patches are still available. In any case, Microsoft seems to be confirming at least some of the complaints in obscure places.
IT professionals, as usual, are left holding the bag, in the dark.
Some of these patches may have been "delisted" by Microsoft, according to Tod Beardsley, director of research at security solutions firm Rapid7, via e-mail. He rued the potential lack of trust such patch quality issues may cause.
"Microsoft's delisting of three January updates is a pretty significant blow to IT shops around the world. The worst outcome from this would be that IT shops get more spooked about Microsoft's well-established cadence of reliable monthly patch pushes. The last thing I want to see in the world is increased 'patch hesitancy,' further slowing down the adoption of critical patches. We've seen that the window between first disclosure and widespread attacks is shrinking by days, year over year, so that anything that introduces friction in the patch availability to patches applied in production is pretty distressing."
Beardsley advised testing patches first in a lab environment that "mirrors" a production environment.
Incidentally, this month Microsoft did announce that people can sign up to get "Security Update Guide" patch changes e-mailed to them. While I did register to use this service, I was unable to get the notices as the subscription process became nonresponsive.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.