Microsoft fixes Patch Tuesday bugs that broke Windows VPN, ReFS and domain controllers

Microsoft released an out-of-band (OOB) update yesterday to fix some Windows issues caused by last week’s monthly patch cycle on Patch Tuesday.

The January 2022 updates shipped last week include security patches and a fix for Japanese text rendering issues in Windows 11 (KB5009566) and Windows 10 (KB5009543), along with a hidden load of issues, including unexpected domain controller reboots and L2TP VPN connections that fail.

One of the main issues IT administrators surfaced this week was that Windows Server 2012 got stuck in a boot loop, while other versions suffered from broken Windows VPN clients, and some hard drives appeared as RAW format (and unusable). Many IT administrators were forced to roll back the updates, leaving many servers vulnerable without last week’s security patches.

The process has left some IT admins frustrated and sharing their grievances on Reddit. They found that the OOB update (an update released outside the usual schedule, which staff download and distribute manually) would force them to install last week’s buggy patches first, at the risk of some domain controllers constantly rebooting, loss of access to external drives formatted as ReFS (Resilient File System), and lost VPN connectivity.

The Verge spoke to a university IT administrator, who confirmed that they too had to roll back Tuesday’s update because external ReFS drives had become incompatible, with no warning from Microsoft. Microsoft’s documents state that ReFS should only be used on hard drives, so this department (and other IT admins on Reddit) had to migrate data before the updates could be run again.

If Microsoft hadn’t addressed the ReFS issue earlier, administrators might have thought the drives were faulty, then tried to reformat them to NTFS and lost the data (which could be a good idea anyway, since other Reddit posts shared accounts of ReFS failing them regardless of this update).

This OOB update is available to IT administrators with access to Microsoft’s update catalog and can be loaded into Windows Server Update Services (WSUS), but it does not yet appear in the WSUS catalog, so administrators have to download and load it manually.

A person named syshum on the sysadmin subreddit jokes: “For Microsoft, the question is why are you still using Domain Controllers. You should only be using Azure AD.” There are reasons why many believe resources are allocated unequally: subscription cloud services like Azure contribute more to the company’s recurring revenue stream than a supported on-premises Active Directory solution does over the long term.

Fortunately, support for on-premises solutions has not disappeared. Cliff Fisher, Microsoft’s product manager for Active Directory, addressed the issues with patching the older Server 2012 R2, which accidentally reboots too fast to apply the entire cumulative patch:

Some of these fixes are now available for Windows 11 and Windows 10 as an optional update when you go to Windows Update on your computer. At the time of writing, there is still no fix for Windows Server 2019.
