Microsoft has confirmed new issues in KB5036909 for Windows Server 2022 that could cause a surge in NTLM traffic and even lead to LSASS crashes, which could reboot your system automatically. To fix issues with KB5036909, you can run DISM /online /get-packages and manually remove the package.
Windows April 2024 security updates have been rough for everyone, including consumers and businesses. Windows Latest has already flagged as many as three critical issues in the April 2024 Patch, and the fourth new bug has been spotted in Windows Server 2022.
In an update to its support document, Microsoft warned about the issues in Windows Server 2022. According to Microsoft, you might notice an abrupt blowup in NTLM authentication traffic if you are an administrator. For those unaware, it is an authentication protocol to verify the user’s identity to establish a connection.
NTLM is a legacy protocol that’s not as heavily used as Kerberos but was mangled by April’s security update. In addition to the NTLM traffic surge, Microsoft informed that Windows Server PCs acting as a Domain Controller could encounter a service crash issue.
The abrupt crash of the Local Security Authority Subsystem Service (LSASS) can force your PC to reboot. This problem exists in Windows Server 2022 and affects all older editions, including Windows Server 2008.
Here’s a full list of affected Windows edditions:
- Windows Server 2022 (KB5036909)
- Windows Server 2019 (KB5036896)
- Windows Server 2016 (KB5036899)
- Windows Server 2012 R2 (KB5036960)
- Windows Server 2012 (KB5036969)
- Windows Server 2008 R2 (KB5036967)
- Windows Server 2008 (KB5036932).
If you are looking for a resolution, you must wait until Microsoft rolls out a patch. As always, you can choose to uninstall the update via PowerShell.
To remove April 2024 update from Windows Server 2022 using DISM, use these steps:
- Open PowerShell as Administrator. Run this command:
- dism /online /get-packages
- Look through the list for a package name that includes “KB5036909“. Note the full name of the package.
- Replace PackageName with the exact name of the update package and run the following command:
- dism /online /remove-package /packagename:PackageName
- Example, if the package is listed as Package_for_KB5036909~31bf3856ad364e35~amd64~~10.0.1.0, your command would be:
- dism /online /remove-package /packagename:Package_for_KB5036909~31bf3856ad364e35~amd64~~10.0.1.0
- As you can see, it must have full name. Once done, run Restart-Computer to finish removing updates.
You can follow the same steps for other Windows editions, but replace the KB ID. Also, you should pause the updates until the fixes are ready.
It’s worth noting that Windows Server is also plagued with two other issues in the April 2024 update.
Profile Photo and VPN connection errors
You might encounter an error if you try changing the profile photo on your Windows Server PC. The selected image is often applied as the new profile picture and the 0x80070520 error appears after that.
It warns that the profile picture couldn’t be saved, which is incorrect.
On Windows 11 consumer editions, the problem is associated with a local account, as confirmed by our tests in another post.
VPN software might fail to connect, making using the PC in a secure environment challenging. Both these issues remain unresolved, and it’s been almost a month since the update went live.
A few weeks back, Microsoft accidentally installed Copilot app on Windows Server PCs with an update for the Edge browser. Unlike consumer editions, Copilot isn’t available for Windows Server.
However, Microsoft took cognizance of the incident and removed the app with a new update for the Edge.