Windows Server Updates Cause NTLM Authentication Failures and High Load: A Comprehensive Overview
In recent news, Microsoft has acknowledged that recent security updates have led to significant issues for some Windows Server users. Specifically, customers have reported failures in NTLM authentication and increased server load following the installation of April 2024 security updates. This article delves into the details of these developments, exploring the versions affected, the extent of the problem, and Microsoft's response.
The Nature of the Problem
According to Microsoft's recent entry on the Windows health dashboard, these issues primarily affect Windows domain controllers in organizations that experience high NTLM traffic but have only a few primary domain controllers (DCs). The NTLM (NT LAN Manager) authentication protocol is integral to many enterprises, making any disruptions to its functioning particularly concerning.
"After installing the April 2024 security update on domain controllers, you might notice a significant increase in NTLM authentication traffic," Microsoft warns. The company has not yet provided specifics on the root cause, but it is clear that the combination of high NTLM traffic and limited primary DCs is exacerbating the problem.
Affected Versions and Security Updates
The list of impacted Windows versions is extensive, and the faulty security updates include:
Windows Server 2022 (KB5036909)
Windows Server 2019 (KB5036896)
Windows Server 2016 (KB5036899)
Windows Server 2012 R2 (KB5036960)
Windows Server 2012 (KB5036969)
Windows Server 2008 R2 (KB5036967)
Windows Server 2008 (KB5036932)
Given the variety of versions impacted, this issue has the potential to affect a significant portion of the enterprise market.
Temporary Fixes and Microsoft’s Response
Microsoft has not yet released a formal fix for these NTLM authentication issues. However, it has advised customers needing immediate assistance to use the "Support for Business" portal.
For a temporary solution, Microsoft has suggested uninstalling the problematic security updates. The company provides guidance on how to accomplish this effectively, stating:
"To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages."
It's important to note, however, that removing the LCU also removes all security fixes released in April 2024. This could leave systems vulnerable to other security threats, making it essential for administrators to weigh the pros and cons of this workaround.
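Before applying that workaround, an administrator needs the exact LCU package name and should confirm the servicing stack update (SSU) is left in place. The script below is an added example, not Microsoft's own guidance; it assumes an elevated PowerShell prompt on the affected domain controller and that the cumulative update appears in DISM as a Package_for_RollupFix entry, and it prints the removal command rather than executing it.

```powershell
# Added example (not from Microsoft or the article): locate the installed LCU
# via DISM and show the Remove-Package command line for it.
# Assumptions: elevated PowerShell on the affected server; the LCU identity
# starts with "Package_for_RollupFix" (the SSU, "Package_for_ServicingStack", must stay).

# Cross-reference: the April 2024 KB numbers named in the article.
$aprilKbs = 'KB5036909','KB5036896','KB5036899','KB5036960','KB5036969','KB5036967','KB5036932'
Get-HotFix | Where-Object { $_.HotFixID -in $aprilKbs } |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# DISM prints one block per package with "Package Identity : <name>" and
# "State : <state>" lines; fold those lines into objects.
$packages = @()
$current  = $null
foreach ($line in (& dism.exe /Online /Get-Packages)) {
    if ($line -match '^Package Identity\s*:\s*(\S+)') {
        $current = [pscustomobject]@{ Identity = $Matches[1]; State = ''; InstallTime = '' }
        $packages += $current
    } elseif ($current -and $line -match '^State\s*:\s*(.+)$') {
        $current.State = $Matches[1].Trim()
    } elseif ($current -and $line -match '^Install Time\s*:\s*(.+)$') {
        $current.InstallTime = $Matches[1].Trim()
    }
}

# Only the currently installed cumulative update is a removal candidate;
# superseded RollupFix entries are skipped.
$lcu = $packages | Where-Object {
    $_.Identity -like 'Package_for_RollupFix~*' -and $_.State -eq 'Installed'
}

if (-not $lcu) {
    Write-Warning 'No installed cumulative-update package found; nothing to remove.'
    return
}

foreach ($pkg in $lcu) {
    Write-Host "Installed LCU: $($pkg.Identity) (installed $($pkg.InstallTime))"
    # Printed, not run: removing the LCU also removes every April 2024 security fix.
    Write-Host "Removal command: DISM /Online /Remove-Package /PackageName:$($pkg.Identity) /NoRestart"
}
```

Run the printed command only after the trade-off described above has been accepted, and re-verify with `DISM /Online /Get-Packages` afterwards that the ServicingStack package is still listed as Installed.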
Past Issues and Further Concerns
This is not the first time recent updates have caused significant issues for Windows Server users. Two months ago, Microsoft released emergency out-of-band updates to address memory leaks caused by March 2024 security updates, which led to domain controller crashes.
Similarly, in December 2022, Microsoft had to address another memory leak resulting from November 2022 updates, and in March 2022, widespread domain controller reboots followed another set of updates.
In addition to these NTLM issues, Microsoft has also disclosed that April 2024 security updates are breaking VPN connections on Windows 11, Windows 10, and Windows Server systems. This revelation adds another layer of concern for both enterprise and individual users relying on VPN services.
Conclusion
The recent Windows Server security updates have sparked concerns in the enterprise community, particularly for organizations reliant on NTLM authentication. Microsoft acknowledges the problem and is working on a fix, but in the interim, administrators are left to choose between uninstalling the updates (and with them all of the associated security fixes) or waiting for a more comprehensive solution.
The current situation highlights the need for effective and timely responses from software vendors, particularly for mission-critical systems. While temporary fixes may alleviate some immediate concerns, ongoing communication from Microsoft and future updates will be key to fully resolving these issues. As developments unfold, IT professionals must stay vigilant, balancing system security against operational continuity.