Windows Update Result in Memory Leak and Domain Controllers Crashing

Windows Patch Tuesday Updates

Windows administrators have cautioned that after applying the KB5035855 and KB5035857 updates, released as part of March 2024 Patch Tuesday for Windows Server 2016 and Windows Server 2022, domain controllers running the updated versions of Windows Server may experience crashes and reboots. Affected servers are freezing and rebooting stemming from a memory leak in the Local Security Authority Subsystem Service (LSASS), leading to continually increasing memory usage over time.

One user on Reddit's Patch Tuesday Megathread wrote “We’ve had issues with lsass.exe on domain controllers (2016 core, 2022 with DE and 2022 core domain controllers) leaking memory as well. To the point all domain controllers crashed over the weekend and caused an outage."

One comment on Microsofts TechCommunity wrote 'We deinstalled the Windows Server March 2024 update from an affected domain controller and the issue was gone instantly!"

While vulnerability patches are crucial for server security, automated server hardening offers a more proactive approach.  Patching addresses discovered weaknesses, but hardening reduces the attack surface overall by minimizing potential entry points from the start. This makes servers less vulnerable in the first place, lessening reliance on reactive patching.

Short-term Resolution Offered

BleepingComputer has quoted an admin stating Microsoft Support has recommended to uninstall the update for the time being and provided instructions on how to do it.

To remove Microsoft's updates:

Open an elevated command prompt by clicking the Start menu > type ‘cmd,’ > right-clicking the Command Prompt application > choose ‘Run as Administrator.’

Depending on the update you installed on your Windows domain controller, run one of the following commands:

Once uninstalled, use the ‘Show or Hide Updates’ troubleshooter to hide the recent update so it will no longer appear in the available updates list.