Microsoft: KB5036909 Windows Server update causing NTLM traffic, LSASS crash issues on DCs

A few days ago, Microsoft confirmed it had fixed a longstanding "65000" BitLocker encryption reporting error on Windows Intune. These types of issues can often affect a large number of systems as they are deployed on managed devices across enterprises.

Yesterday, Microsoft confirmed a new issue affecting Windows Server domain controllers (DCs), cautioning that IT and system administrators may notice a large increase in NTLM authentication traffic. The tech giant has confirmed that the spike is caused by a bug in the latest April 2024 Patch Tuesday update (KB5036909) for Windows Server, and that it affects all Server OS versions, from 2008 all the way up to the latest Windows Server 2019 and 2022.

Windows NTLM, or New Technology LAN Manager, is a suite of security protocols that helps to authenticate and verify users' identity, and it is something Microsoft wishes to eventually disable in Windows 11.

This NTLM traffic bug is in addition to the VPN connection issues that are also currently affecting Windows Server systems, alongside Windows 10 and 11.

As always, the bug was posted on the Windows health dashboard website, where Microsoft writes:

After installing the April 2024 security update (KB5036909) on domain controllers (DCs), you might notice a significant increase in NTLM authentication traffic. This issue is likely to affect organizations that have a very small percentage of primary domain controllers in their environment and high NTLM traffic.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Windows support:

Enterprise devices: Request help for your organization through Support for business.

Affected platforms:

Client: none

Server: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

Hence, as with the VPN bug and broken profile pictures, Microsoft says a future update will resolve the NTLM issue.


Update: Microsoft has issued an update on the bug. The company has added that the Windows Server update can also lead to LSASS crashes, which in turn lead to reboots, though it says this is rare.

The company writes:

Note: In rare instances, Windows Servers running the Domain Controller (DC) role might experience Local Security Authority Subsystem Service (LSASS) crashes resulting in a reboot.

The LSASS helps authenticate users for local and remote sign-ins and enforce local security policies to prevent code injection that could lead to the compromise of credentials. It is part of the Local Security Authority (LSA) process.

Although Microsoft does not specifically state what is causing the LSASS crashes in this instance, a very similar thing happened in March, when a Windows Server update was crashing LSASS as a consequence of memory leaks.

Update 2: The issue has been resolved with KB5037782.
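
A quick way to check a domain controller for the symptoms described above, as an added example that is not from Microsoft or the original article: it reports whether KB5036909 and KB5037782 are installed, compares daily NTLM credential-validation counts (Security event 4776) before and after the update, and lists LSASS crash events. It assumes Credential Validation auditing is enabled; the 14-day window and the doubling threshold are arbitrary choices.

```powershell
# Added example, not Microsoft's tooling. Run elevated on the domain controller.
# Assumptions: "Audit Credential Validation" is enabled, so each NTLM validation
# is logged as Security event 4776; the 14-day window is an arbitrary choice.
$kbIds = 'KB5036909', 'KB5037782'   # the update and the fix named in the article
$since = (Get-Date).AddDays(-14)

# 1. Which of the two updates are installed, and when?
$installed = @(Get-HotFix | Where-Object { $kbIds -contains $_.HotFixID })
$installed | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize

# 2. NTLM credential validations per day.
$perDay = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } | Sort-Object Name)
$perDay | Select-Object Name, Count | Format-Table -AutoSize

# 3. Compare the daily average before and after KB5036909 was installed.
$patch = $installed | Where-Object { $_.HotFixID -eq 'KB5036909' -and $_.InstalledOn } | Select-Object -First 1
if ($patch -and $perDay.Count -gt 0) {
    $cut    = $patch.InstalledOn.ToString('yyyy-MM-dd')
    $before = ($perDay | Where-Object { $_.Name -lt $cut } | Measure-Object -Property Count -Average).Average
    $after  = ($perDay | Where-Object { $_.Name -ge $cut } | Measure-Object -Property Count -Average).Average
    'Average 4776 events/day: before {0:N0}, after {1:N0}' -f $before, $after
    if ($before -and $after -gt 2 * $before) {   # 2x threshold is an assumption
        Write-Warning 'NTLM validations more than doubled after KB5036909.'
    }
}

# 4. LSASS crashes logged by the Application Error provider (event ID 1000).
$crashes = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' })
'LSASS crash events since {0:d}: {1}' -f $since, $crashes.Count
$crashes | Select-Object TimeCreated, Id | Format-Table -AutoSize
```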
