November Updates may cause Windows Server hang and restart

After installing the November Updates for Windows Server, a memory leak may occur in the LSASS service, which can eventually cause domain controllers to hang and reboot. The LSASS service (short for Local Security Authority Subsystem Service) is responsible for enforcing security policies, handling token creation, password changes, and user authorization in the system.
Microsoft stated the following.

After installing KB5019966 or later updates on Domain Controllers (DCs), you might experience a memory leak with Local Security Authority Subsystem Service (LSASS.exe). Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of your server and the server might become unresponsive or automatically restart. Note: The out-of-band updates for DCs released November 17, 2022 and November 18, 2022 might be affected by this issue.

The issue affects Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2. Installing out-of-band updates that were released to resolve authorization issues on domain controllers does not fix the memory leak. Microsoft is still working on a solution.

As a workaround, you can set the KrbtgtFullPacSignature Registry value to 0 with the following command:
reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
Run it from an elevated command prompt (as Administrator).
Once the hotfix is released, you need to set KrbtgtFullPacSignature back to a higher value, following the reference list below.

  • 0 – Disabled
  • 1 – New signatures are added, but not verified. (Default setting)
  • 2 – Audit mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is allowed and audit logs are created.
  • 3 – Enforcement mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is denied and audit logs are created.
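
To confirm which mode a domain controller is currently in and whether LSASS memory is actually growing, a check like the following can be run in an elevated PowerShell session on the DC. This is an added example, not part of the original article or Microsoft's guidance; the sample count, interval and growth threshold are assumed values to tune for your environment.

```powershell
# Added example: report the KrbtgtFullPacSignature mode and sample LSASS memory growth.
# Assumptions: the defaults below (6 samples, 10 minutes apart, 100 MB) are illustrative.
param(
    [int]$Samples = 6,
    [int]$IntervalSeconds = 600,
    [double]$GrowthThresholdMB = 100
)

$kdcKey = 'HKLM:\System\CurrentControlSet\Services\KDC'
$modes = @{
    0 = 'Disabled'
    1 = 'New signatures added, not verified'
    2 = 'Audit mode'
    3 = 'Enforcement mode'
}

# The value may be absent if it was never set explicitly on this DC.
$prop = Get-ItemProperty -Path $kdcKey -Name 'KrbtgtFullPacSignature' -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output 'KrbtgtFullPacSignature: not set (default applies)'
} else {
    $value = [int]$prop.KrbtgtFullPacSignature
    $desc = if ($modes.ContainsKey($value)) { $modes[$value] } else { 'unknown value' }
    Write-Output "KrbtgtFullPacSignature: $value ($desc)"
}

# Sample LSASS private memory; a leak shows up as steady growth across samples.
$readings = @()
for ($i = 1; $i -le $Samples; $i++) {
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    $mb = [math]::Round($lsass.PrivateMemorySize64 / 1MB, 1)
    $readings += $mb
    Write-Output ("{0:u}  lsass private memory: {1} MB" -f (Get-Date), $mb)
    if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
}

# Flag only sustained growth: every sample at least as large as the previous one.
$growth = $readings[-1] - $readings[0]
$steady = $true
for ($i = 1; $i -lt $readings.Count; $i++) {
    if ($readings[$i] -lt $readings[$i - 1]) { $steady = $false }
}
if ($steady -and $growth -ge $GrowthThresholdMB) {
    Write-Warning "LSASS grew $growth MB with no drop between samples; possible leak."
} else {
    Write-Output "LSASS growth over the sampling window: $growth MB"
}
```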


Author: Sergey Tkachenko
