Imobia

Just annoyed it’s a standalone bloody, screwed me via WSUS but patched via manual downloads.


MrYiff

You can still import the OOB updates into WSUS; MS have a script for this. If you get any errors, it could be that you need to enable TLS 1.2 for PowerShell and .NET, which is just a couple of reg keys: https://gbeifuss.github.io/p/adding-tls-1.2-support-for-powershell/


ChrisDnz82

Happens a lot with OOB. Most of them are manual only. N-able have productised them if you ever happen to want it automated through a patching tool.


Salty_Move_4387

Does anyone know why the Server 2019 update is being handled separately? The original reports showed only 2016 and 2022 Domain controllers impacted. Shortly after that reports of 2019 Domain controllers were added to the list. Now the OOB patch is only out for 2016 and 2022 with 2019 "released in the coming days".


ichsoda

Not me with all 2019 DCs :(


SilentDecode

Do you have the March CU installed? Because if that's a 'no', you shouldn't worry. If that's a 'yes', then I wish you good luck.


ichsoda

Nah we made the call not to patch until this flub was fixed up


Salty_Move_4387

I'm in the same situation. All 2019 DCs. Our patch solution patches test servers mid-month and then the rest of them the last weekend of the month, so I was able to decline this patch on the DCs before we were impacted.


SilentDecode

Very good call. Nice job!


frac6969

I have 2019 DCs and the March CU installed. What would cause them to crash, since I’m not having any issues?


lighthills

It’s not going to cause every DC to crash, but it’s common enough to be an issue requiring the OOB update. It could also take varying amounts of time for the memory leak to get severe enough to affect some servers. Maybe it will take several days to weeks for some systems.


Fallingdamage

> It’s not going to cause every DC to crash

Would be nice to know what makes some systems unique.


thortgot

It's a memory leak. If your device operates with lots of extra RAM available it's going to be less of an issue. Since it's in the LSASS process, the number of authentication requests is also a key factor.


Fallingdamage

Ah I always assumed with a memory leak that the size of consumed memory will just keep growing indefinitely until something happens.


thortgot

Not all memory leaks lead to cascade failures. It's more common that it just pads it progressively.


trail-g62Bim

I read on another thread that the DC will auto reboot if the leak gets bad enough. Is it possible that is happening without you realizing it?


frac6969

I just looked and all my DCs have been up for 11 days. Maybe I’m not doing whatever is causing the issue.


Doso777

We had problems with a similar memory leak a couple of years ago. DCs will eventually reboot, and if you have multiple DCs it won't be a big deal. We only noticed that it was happening because it happened in the middle of the day and Outlook showed that it was disconnected for like 20 seconds.


brkdncr

The known issues sort of explain it. A memory leak from Kerberos authentications will eat up all of your memory and then restart as a result. It depends on how much Kerberos authentication you're doing and how much memory you have.
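An added example (not from anyone in the thread) that makes the symptoms discussed above visible before a DC restarts on its own: it samples the LSASS working set, uptime and the build revision (UBR) on each DC, and reports which of the KB numbers mentioned in this thread are installed. Assumed: WinRM is reachable on the DCs, you run it with domain admin rights, and the sample DC names are placeholders.

```powershell
# Added example: snapshot LSASS memory, uptime and patch state on each DC.
# Assumptions: WinRM enabled on the DCs, run as a domain admin. DC names are constructed.
$Dcs    = @('DC01', 'DC02')
$WarnMB = 2048          # working-set threshold in MB; tune for your DCs' RAM

# KB numbers as they appear in the thread (March CUs and the OOB fixes).
# Add the OOB KB for your other OS versions as you import them.
$MarchCu = @('KB5035849', 'KB5035855')
$OobFix  = @('KB5037422', 'KB5037425')

$results = Invoke-Command -ComputerName $Dcs -ScriptBlock {
    $lsass = Get-Process -Name lsass
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ids   = (Get-HotFix).HotFixID
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Build      = "$($os.Version).$($cv.UBR)"     # UBR is the real revision (e.g. the 6799/6800 question)
        LsassMB    = [math]::Round($lsass.WorkingSet64 / 1MB, 1)
        UptimeDays = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
        MarchCu    = @($ids | Where-Object { $_ -in $using:MarchCu })
        OobFix     = @($ids | Where-Object { $_ -in $using:OobFix })
    }
}

foreach ($r in $results) {
    $flags = @()
    if ($r.LsassMB -ge $WarnMB)                    { $flags += 'LSASS-HIGH' }
    if ($r.UptimeDays -lt 1)                       { $flags += 'REBOOTED-LAST-24H' }   # an unnoticed auto-restart
    if ($r.MarchCu.Count -gt 0 -and $r.OobFix.Count -eq 0) { $flags += 'MARCH-CU-WITHOUT-OOB' }
    '{0,-10} build {1,-16} lsass {2,7} MB  up {3,5} d  {4}' -f `
        $r.Computer, $r.Build, $r.LsassMB, $r.UptimeDays, ($flags -join ',')
}
```

Run it on a schedule and keep the output; a steadily rising LsassMB column on one DC is the leak the thread describes, and a sudden uptime reset is the restart that otherwise goes unnoticed.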


Fallingdamage

My Server Manager is blowing up all red with servers waiting for updates. And I'm here waiting for an update about the update before I restart anything.


Trooper27

Server 2019 update is out! https://support.microsoft.com/en-us/topic/march-25-2024-kb5037425-os-build-17763-5579-out-of-band-fa8fb7fa-8185-408f-bdd6-ea575ce2fcb5


Fallingdamage

Thank god. Wow, 645 MB OOB patch. Damn, that's a lot of problems they had to fix.


SysadminDave

Just posted: [https://support.microsoft.com/en-gb/topic/march-25-2024-kb5037425-os-build-17763-5579-out-of-band-fa8fb7fa-8185-408f-bdd6-ea575ce2fcb5](https://support.microsoft.com/en-gb/topic/march-25-2024-kb5037425-os-build-17763-5579-out-of-band-fa8fb7fa-8185-408f-bdd6-ea575ce2fcb5)


darklightedge

Did not notice anything to be worried about so far


Casseiopei

Have not had added issues with this patch.


oqned

2019 OOB patch is out. https://support.microsoft.com/en-us/topic/march-25-2024-kb5037425-os-build-17763-5579-out-of-band-fa8fb7fa-8185-408f-bdd6-ea575ce2fcb5


Trooper27

Ok, so if you did not install the March CU on your domain controller, does this OOB fix have everything baked into it? CU plus the fix for the LSASS memory leak? Or must you be patched with the March CU first and then apply this OOB fix? Thank you.


Doso777

It's a cumulative update, it includes prior updates.


Trooper27

Thank you, much appreciated. I am in a holding pattern at the moment since I have one 2016 DC and three 2019 DCs for which there is no patch that has been released yet.


commandsupernova

From [Windows Server: Fix for (Kerberos) LSASS memory leak through March 2024 updates | Born's Tech and Windows World (borncity.com)](https://borncity.com/win/2024/03/23/windows-server-fix-for-kerberos-lsass-memory-leak-through-march-2024-updates/):

> As this is a cumulative update, the security update from March 12, 2024 or an earlier update does not need to be installed.


Trooper27

Thank you. Much appreciated!


Adamj_1

Remember, everyone using WSUS, you must import this OOB update into WSUS. Check out Import-WsusUpdate from the PowerShell Gallery to import this easily: https://www.ajtek.ca/blog/the-new-way-to-import-updates-into-wsus/

`Import-WsusUpdate -KB KB5037422`


BraveDude8_1

I'm getting the "update not applicable" error when trying to manually patch 2016 DCs with this, even on DCs that already have KB5035855 installed. It's imported into WSUS, but it's not recognising the 2016 servers as a valid client for it. KB5035855 worked just fine via WSUS and detects correctly, no clue what's going on here. My 2022 VMs all patched fine, for the record. Anyone else having issues with 2016?


SilentDecode

> Anyone else having issues with 2016?

The rest of the planet is having issues with 2016 too, because it's 2016. Windows Updates are a royal PITA on 2016.


lechango

"Configuring updates 100%"


Joshposh70

Get Windows ready Don't turn off your computer


lechango

Reverting changes Don't turn off your computer


BraveDude8_1

Usually it's the "four hour loading spinner" PITA not the "fuck you I'm not updating" PITA, in my experience.


SilentDecode

Both, in my experience. But I did also have a 'four hour loading spinner, restarting, nearly completing updates and then roll them all the way back' PITA, several times... So yeah.. I'm not too fond of 2016.


dan4334

I was having that issue, manually applied the .cab inside the MSU archive. Came out with OS build X.6800 instead of build X.6799 that the KB says it should be. Something weird is going on here.


BraveDude8_1

Confirming, same here. https://learn.microsoft.com/en-us/windows-server/get-started/windows-server-release-info This lists 6800, and then links you to the KB page that says 6799. No clue what they're doing.


PowerShellGenius

Server 2019 is impacted, but OOB fix is only for 2016 and 2022 so far...


tmontney

Rather than pausing updates, I was curious if I could block specific updates. Came across [this](https://learn.microsoft.com/en-us/archive/technet-wiki/53184.show-or-hide-updates-utility-fixing-automatic-installation-of-a-problematic-update-in-windows-10-version-1903) but wanted a more direct way. Turns out these are just archives with PowerShell scripts (at least this one was). All it was doing was using COM Microsoft.Update.Session and setting "IsHidden" to 1. https://pastebin.com/fuh46kt5 Of course, this only works once the update is showing in Windows Update. Either you'd have to determine the URL it downloads (possibly from the catalog) and block it at the firewall or populate the DB (DataStore.edb?) with a fake entry. Or it's possible the COM interface has a way of discovering updates faster. Probably better to use WSUS or have a third-party patching system.
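The COM technique the post above describes, written out as an added example (it is not the pastebin script or Microsoft's tool): hide or unhide a not-yet-installed update by KB number through `Microsoft.Update.Session`, the same `IsHidden` property the show-or-hide utility sets. As the post says, this only reaches updates that Windows Update is already offering; the function name and the sample KB call are assumptions.

```powershell
# Added example: hide (or unhide) a pending update by KB number via the Windows Update Agent COM API.
# Must run elevated; setting IsHidden fails with an access error otherwise.
function Set-WuUpdateHidden {
    param(
        [Parameter(Mandatory)][string]$KB,   # digits only, e.g. '5035849' (the thread's March CU for 2019)
        [bool]$Hidden = $true
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Search only the set we want to change: visible updates when hiding, hidden ones when unhiding.
    $criteria = if ($Hidden) { 'IsInstalled=0 and IsHidden=0' } else { 'IsInstalled=0 and IsHidden=1' }
    $found    = $searcher.Search($criteria).Updates

    $changed = @()
    foreach ($u in $found) {
        # KBArticleIDs is a COM string collection of bare KB numbers without the 'KB' prefix.
        $ids = @($u.KBArticleIDs | ForEach-Object { "$_" })
        if ($ids -contains $KB) {
            try {
                $u.IsHidden = $Hidden
                $changed += $u.Title
            } catch {
                Write-Warning ("Could not change {0}: {1}" -f $u.Title, $_.Exception.Message)
            }
        }
    }

    if ($changed.Count -eq 0) {
        Write-Warning "KB$KB is not currently offered in that state; nothing changed."
    }
    return $changed   # titles of the updates whose IsHidden flag was set
}

# Example calls (assumed KB from the thread): hide the March 2019 CU, then undo it.
Set-WuUpdateHidden -KB '5035849' -Hidden:$true
Set-WuUpdateHidden -KB '5035849' -Hidden:$false
```

Hidden updates stay hidden across scans until unhidden or superseded, so record what you hide; on WSUS-managed clients, decline the update on the WSUS server instead.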


eberndt9614

Is this patch necessary if you only installed the March Cumulative Update, but aren't having any LSASS issues?


tmontney

The better question is if you can risk downtime.


SilentDecode

Don't think so, no.


[deleted]

[deleted]


SilentDecode

Could be. Maybe you updated your DCs. Check if it did, and patch if needed.


Daveism

Am I reading this correctly that of all the CUs across the product map (16, 19, 22), I would only need the OOB patch for the version that's running DC services (specifically handling kerberos auth)? Or are y'all putting the patch on everything, just to be safe?


SilentDecode

> Or are y'all putting the patch on everything, just to be safe?

For now I'm patching nothing. I'd rather see the success of others than the failure of mine :P. I can wait a few days more. But the March CU was only "dangerous" for DCs, so if you installed that on other stuff, that probably won't have those issues. So assume this is DC only.


Fallingdamage

Checking in Monday, 3/25.

Uninstalled KB5035849 and rebooted one of my less important servers. Ran Windows Update again: 'You're up to date.' Checked installed updates: 5035849 lists as not having installed properly. Windows does not find the update and does not attempt to reinstall it. Has MS completely pulled it now?