Microsoft Windows Server | WI470829

Impact: LSASS might use more memory over time and the DC might become unresponsive and restart. Originating KB URL: https://support.microsoft.com/en-us/topic/5020009 Originating KB Release Date: 2022-11-08T10:00:00-08:00 Originating Build: N/A Resolved KB URL: https://support.microsoft.com/en-us/topic/5021285 Date Resolved: 2022-12-13T10:00:00-08:00 Vendor Message History: ======================= Published: 2022-12-13T21:05:23.887+00:00 ---------------------------------------- After installing KB5020009 (https://support.microsoft.com/help/5020009) or later updates on Domain Controllers (DCs), you might experience a memory leak with Local Security Authority Subsystem Service (LSASS,exe). Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of your server and the server might become unresponsive or automatically restart. Note: The out-of-band updates for DCs released November 17, 2022 and November 18, 2022 might be affected by this issue. Workaround: To mitigate this issue, open Command Prompt as Administrator and use the following command to set the registry key KrbtgtFullPacSignature to 0 (https://support.microsoft.com/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb#registry5020805): reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD Note: Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow. It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 (https://support.microsoft.com/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb). Resolution: This issue was resolved in KB5021285 (https://support.microsoft.com/help/5021285). If you used the above workaround, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 (https://support.microsoft.com/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb) for further information on how to configure KrbtgtFullPacSignature. Affected platforms: - Client: None - Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 Published: 2022-11-24T02:01:44.23+00:00 ---------------------------------------- After installing KB5020009 (https://support.microsoft.com/help/5020009) or later updates on Domain Controllers (DCs), you might experience a memory leak with Local Security Authority Subsystem Service (LSASS,exe). Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of your server and the server might become unresponsive or automatically restart. Note: The out-of-band updates for DCs released November 17, 2022 and November 18, 2022 might be affected by this issue. Workaround: To mitigate this issue, open Command Prompt as Administrator and use the following command to set the registry key KrbtgtFullPacSignature to 0 (https://support.microsoft.com/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb#registry5020805): reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD Note: Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow. It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 (https://support.microsoft.com/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb). Next steps: We are working on a resolution and will provide an update in an upcoming release. Affected platforms: - Client: None - Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2