Latest Windows Server updates cause spontaneous reboots and break Hyper-V

Hello everyone,

Microsoft recently released the Windows Server 2012 R2 KB5009624, Windows Server 2016 KB5009546, Windows Server 2019 KB5009557, and Windows Server 2022 KB5009555 updates. After installing these patches, IT admins have been seeing various issues that are only resolved by removing the updates.

The issues:

The issues include domain controllers having spontaneous reboots, Hyper-V not starting, and inaccessible ReFS volumes. 

Windows domain controller boot loops:

These updates are causing Windows domain controllers to enter a boot loop, with servers getting into an endless cycle of Windows starting and then rebooting after a few minutes.

According to users and admins, it looks like the LSASS.exe process uses all of the CPU on a server and then ultimately terminates.

Hyper-V no longer starts:

As Hyper-V is not started, when attempting to launch a virtual machine, users will receive an error stating the following:

"Virtual machine xxx could not be started because the hypervisor is not running."

Microsoft released security updates to fix four different Hyper-V vulnerabilities yesterday (CVE-2022-21901, CVE-2022-21900, CVE-2022-21905, and CVE-2022-21847), which are likely causing this issue.

ReFS file systems are no longer accessible:

Windows Resilient File System (ReFS) volumes are no longer accessible or are seen as RAW (unformatted) after installing the updates.

Yesterday, Microsoft fixed seven remote code execution vulnerabilities in ReFS, with one or more likely behind the inaccessible ReFS volumes.

These vulnerabilities are tracked as CVE-2022-21961, CVE-2022-21959, CVE-2022-21958, CVE-2022-21960, CVE-2022-21963, CVE-2022-21892, CVE-2022-21962, CVE-2022-21928.


Affected patches:

The affected patches are listed below. You can search for the Patch IDs or Bulletin IDs in Patch Manager Plus and decline them until Microsoft rolls out an official fix.

Bulletin ID | Patch ID | Patch Description
MS22-JAN6 | 32762 | 2022-01 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5009624)
MS22-JAN3 | 32784 | 2022-01 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5009546)
MS22-JAN3 | 32777 | 2022-01 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5009557)
MS22-JAN3 | 32776 | 2022-01 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5009555)

As Microsoft bundles all security updates in a single Windows cumulative update, removing the update will remove all fixes for recently patched vulnerabilities.

Unfortunately, there is no known fix or workaround for this right now and the only way to mitigate it, if the updates have already been installed, is to uninstall them. You can go ahead and decline the above-mentioned patches if they have not been deployed yet.



The ManageEngine Team
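
Added example, not part of the original post or of Patch Manager Plus: a PowerShell inventory check that reports which of the four KBs listed above are installed on a set of servers, so you know where removal applies. The function name and its `-ComputerName` parameter are hypothetical; it assumes `Get-HotFix` can query the target hosts, and it only prints the standard `wusa.exe` removal command for review without running it.

```powershell
# KB numbers and OS names are taken from the "Affected patches" table in the post.
$AffectedUpdates = [ordered]@{
    'KB5009624' = 'Windows Server 2012 R2'
    'KB5009546' = 'Windows Server 2016'
    'KB5009557' = 'Windows Server 2019'
    'KB5009555' = 'Windows Server 2022'
}

function Get-AffectedUpdateStatus {
    param(
        # Hypothetical parameter: hosts to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering on the target host.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop)
        } catch {
            # An unreachable host is reported and skipped, not treated as "clean".
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($kb in $AffectedUpdates.Keys) {
            $hit = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
            [pscustomobject]@{
                ComputerName   = $computer
                KB             = $kb
                TargetOS       = $AffectedUpdates[$kb]
                Installed      = [bool]$hit
                InstalledOn    = if ($hit) { $hit.InstalledOn } else { $null }
                # Shown for the operator to review; nothing is uninstalled here.
                RemovalCommand = if ($hit) { "wusa.exe /uninstall /kb:$($kb.Substring(2))" } else { $null }
            }
        }
    }
}

# Local machine by default; pass -ComputerName with your own server names.
Get-AffectedUpdateStatus | Format-Table -AutoSize
```

Rows with `Installed = True` are the servers where the update would have to be uninstalled; on all others the patch can simply be declined before deployment.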