Microsoft: April Windows Server updates cause NTLM auth failures

Microsoft has confirmed customer reports of NTLM authentication failures and high load after installing last month's Windows Server security updates.

According to a new entry added to the Windows health dashboard on Tuesday, this known issue will only affect Windows domain controllers in organizations with a lot of NTLM traffic and few primary DCs.

The list of impacted Windows versions and buggy security updates includes Windows Server 2022 (KB5036909), Windows Server 2019 (KB5036896), Windows Server 2016 (KB5036899), Windows Server 2012 R2 (KB5036960), Windows Server 2012 (KB5036969), Windows Server 2008 R2 (KB5036967), and Windows Server 2008 (KB5036932).

"After installing the April 2024 security update on domain controllers (DCs), you might notice a significant increase in NTLM authentication traffic," Microsoft says.

"This issue is likely to affect organizations that have a very small percentage of primary domain controllers in their environment and high NTLM traffic."

Microsoft has yet to provide information on the root cause of this known issue and is still working on a fix. Still, it advised small and large enterprise customers needing help to reach out through the "Support for Business" portal.

Unofficial temporary fix

While a workaround is unavailable until Microsoft provides a fix, Windows administrators can uninstall the security updates to address the NTLM authentication issues temporarily.

"To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages," Microsoft explains.

It's also important to note that the latest cumulative updates include all security fixes released this month. Hence, removing the LCU will also remove all fixes for security vulnerabilities patched this month.

Two months ago, Microsoft released emergency out-of-band updates to fix an issue causing Windows domain controller crashes due to memory leaks caused by the March 2024 Windows Server security updates.

Redmond resolved more Windows Server crash issues in December 2022 after the November 2022 security updates introduced another leak and in March 2022 when Windows admins reported widespread domain controller reboots.

On Tuesday, Microsoft also revealed that the April 2024 Windows security updates are breaking VPN connections on Windows 11, Windows 10, and Windows Server systems.