Latest Windows Server Updates Cause LSASS Memory Leaks and Reboots on Domain Controllers

Key Takeaways:

  • Microsoft has acknowledged a new LSASS memory leak bug affecting Windows Server machines that could cause Domain Controllers (DCs) to crash.
  • The problem affects Windows Server versions 2012 R2, 2016, 2019, and 2022.
  • Microsoft engineers are working on a fix that will arrive as an update in an upcoming release.

Microsoft has confirmed a new issue that is currently plaguing Windows Server machines. The company detailed on the Windows Health Dashboard that the latest Patch Tuesday Update may cause Domain Controllers (DCs) to stop working or automatically restart.

Specifically, Microsoft has warned that customers installing the latest Windows Server updates could experience a memory leak in the Local Security Authority Subsystem Service (LSASS). The bug could cause LSASS to crash or trigger unexpected reboots of the Domain Controllers. The LSASS memory leak issue affects Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.

“Following installation of the March 2024 security update, released March 12, 2024 (KB5035857), Local Security Authority Subsystem Service (LSASS) may experience a memory leak on domain controllers (DCs). This is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests,” Microsoft explained.

What is Local Security Authority Subsystem Service (LSASS)?

The Local Security Authority Subsystem Service (LSASS) is a Windows process that is responsible for enforcing the security policy on the operating system. It manages authentication, authorization, credential management, security policy enforcement, security token generation, and other security-related functions. LSASS helps to prevent unauthorized access and ensures the confidentiality of sensitive data stored on Windows Server machines.

Microsoft says that its engineers are currently working on a fix that is expected to arrive in an upcoming update. In the meantime, the company advises administrators to uninstall the patches from affected Domain Controllers. It’s also recommended to monitor the memory usage of the Windows Server machines and reboot them periodically when needed.
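
One way to do the monitoring described above, as an added example that is not Microsoft's or this article's own code: a PowerShell script, run on a domain controller, that reports whether KB5035857 is installed and samples the private memory of lsass to estimate its growth rate. The sample count, interval, and 50 MB/hour threshold are assumptions to tune against each DC's normal baseline.

```powershell
# Added example (not from Microsoft or the article). Sample count, interval and
# threshold are assumptions; tune them against each DC's normal baseline.
param(
    [string]$KbId = 'KB5035857',   # the KB named in Microsoft's notice; other
                                   # Server versions use different KB numbers
    [int]$Samples = 12,            # number of readings to take
    [int]$IntervalSeconds = 300,   # seconds between readings
    [double]$GrowthMBPerHour = 50  # warn above this sustained growth rate
)

function Get-LinearSlope {
    # Least-squares slope of Y over X; returns 0 with fewer than two points.
    param([double[]]$X, [double[]]$Y)
    $n = $X.Count
    if ($n -lt 2) { return 0.0 }
    $mx = ($X | Measure-Object -Average).Average
    $my = ($Y | Measure-Object -Average).Average
    $num = 0.0; $den = 0.0
    for ($i = 0; $i -lt $n; $i++) {
        $num += ($X[$i] - $mx) * ($Y[$i] - $my)
        $den += [math]::Pow($X[$i] - $mx, 2)
    }
    if ($den -eq 0) { return 0.0 }
    return $num / $den
}

# Report whether the update is present on this machine.
$installed = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
Write-Output ("{0}: {1} installed = {2}" -f $env:COMPUTERNAME, $KbId, $installed)

# Sample lsass private memory over time; a leak shows as a steady upward trend,
# which a single reading cannot distinguish from a busy but healthy DC.
$hours = @(); $privateMB = @()
$start = Get-Date
for ($i = 0; $i -lt $Samples; $i++) {
    $p = Get-Process -Name lsass -ErrorAction Stop
    $hours += ((Get-Date) - $start).TotalHours
    $privateMB += [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
    Write-Output ("{0:u}  lsass private memory = {1} MB" -f (Get-Date), $privateMB[-1])
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

$slope = Get-LinearSlope -X $hours -Y $privateMB
if ($slope -gt $GrowthMBPerHour) {
    Write-Warning ("lsass growing at {0:N1} MB/hour (threshold {1})" -f $slope, $GrowthMBPerHour)
} else {
    Write-Output ("lsass growth {0:N1} MB/hour, at or below threshold" -f $slope)
}
```

Running it as a scheduled task and forwarding the warning to existing alerting gives advance notice to schedule a reboot before LSASS exhausts memory.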