Microsoft has fixed an LSASS memory leak issue on some domain controllers that caused hangs and reboots after installing Windows Server updates released on Patch Tuesday last month.
“After installing the November 2022/Out of Band Update on your domain controllers, you may experience a memory leak within LSASS.exe (Local Security Authority Subsystem Service),” which can trigger domain controller performance issues, operational failures and/or reliability problems, David Fisher, senior product manager at Microsoft, said on Tuesday.
“If you have already patched your domain controllers, the December 13, 2022 security update should resolve the known memory leak currently occurring in LSASS.exe.”
LSASS enforces Windows security policies and manages user logins. When it crashes, logged-in users immediately lose access to their Windows accounts on the machine, a reboot error is displayed, and the system restarts.
Redmond acknowledged the problem at the end of November, two weeks after the updates were released, stating that it affects multiple Windows Server versions, including Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.
At the time, the company also noted that the out-of-band Windows updates released to fix authentication issues on domain controllers are affected as well.
Workaround also available
For administrators who have yet to install the December 2022 Patch Tuesday updates, Redmond is also providing a temporary solution to work around domain controller instability in their environments.
The workaround requires administrators to set the KrbtgtFullPacSignature registry key (used for CVE-2022-37967 Kerberos protocol changes) to 0 using the following command:
reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
After applying this month’s patches, which resolve the domain controller issue, administrators should raise the registry value again.
“Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting based on what your environment will allow,” Microsoft said.
“It is recommended that you enable enforcement mode as soon as your environment is ready. For more information about this registry key, please see KB5020805: How to handle Kerberos protocol changes related to CVE-2022-37967.”
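The following PowerShell script is an added example, not code from Microsoft or from the article: it applies the KrbtgtFullPacSignature workaround on a domain controller (the same registry change as the reg.exe command above), checks whether an update installed on or after December 13, 2022 is present, and records an LSASS memory snapshot so the leak can be spotted from growth over time. The function names, the "installed on or after December 13" heuristic and the memory threshold are this example's own assumptions; run it in an elevated session on the DC.

```powershell
# Added example (not Microsoft's or the article's code). Assumptions: function
# names, the Dec 13, 2022 install-date heuristic and the 2048 MB warning
# threshold are illustrative choices, not Microsoft guidance.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'KrbtgtFullPacSignature'

function Get-KrbtgtFullPacSignature {
    # Returns the current DWORD, or $null if the value has never been set
    # (the KDC then uses the built-in default that the Kerberos updates changed).
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-KrbtgtFullPacSignature {
    # Same effect as:
    #   reg add "HKLM\System\CurrentControlSet\services\KDC" -v KrbtgtFullPacSignature -d <n> -t REG_DWORD
    # KB5020805 documents values 0 through 3; check the KB for their current meanings.
    param([Parameter(Mandatory)][ValidateRange(0, 3)][int]$Value)
    $previous = Get-KrbtgtFullPacSignature
    if (-not (Test-Path $KdcKey)) { New-Item -Path $KdcKey -Force | Out-Null }
    New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Previous = $previous; Current = $Value }
}

function Test-DecemberFixInstalled {
    # Heuristic (assumption): any hotfix installed on or after the December 13,
    # 2022 Patch Tuesday. Confirm the exact KB for your OS build separately.
    $cutoff = [datetime]'2022-12-13'
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and ([datetime]$_.InstalledOn) -ge $cutoff }
    return (@($recent).Count -gt 0)
}

function Get-LsassMemorySnapshot {
    # One row per call. Schedule it (for example every 15 minutes) and watch
    # for a working set that only ever grows; the threshold is illustrative.
    param([int]$WarnAboveMB = 2048)
    $p = Get-Process -Name lsass
    $ws = [math]::Round($p.WorkingSet64 / 1MB, 1)
    $pm = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
    [pscustomobject]@{
        Timestamp    = Get-Date -Format 'o'
        Computer     = $env:COMPUTERNAME
        WorkingSetMB = $ws
        PrivateMB    = $pm
        Warn         = ($ws -gt $WarnAboveMB)
    }
}

# Workflow: before the fix is installed, disable the full PAC signature (0).
# Once it is installed, do not leave the value at 0; raise it per KB5020805
# to the highest mode the environment supports.
if (-not (Test-DecemberFixInstalled)) {
    Set-KrbtgtFullPacSignature -Value 0
} elseif ((Get-KrbtgtFullPacSignature) -eq 0) {
    Write-Warning "December 2022 update present but $ValueName is still 0; raise it per KB5020805."
}

Get-LsassMemorySnapshot |
    Export-Csv -Path "$env:ProgramData\lsass-memory.csv" -Append -NoTypeInformation
```

To cover every domain controller, wrap the functions in Invoke-Command against the DC list rather than logging on to each one, and compare the CSV rows over several hours: a leak shows as a working set that climbs monotonically between reboots rather than fluctuating with load.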
In March, Microsoft fixed another known issue leading to Windows Server domain controller restarts due to LSASS crashes.
In November, Redmond released emergency out-of-band (OOB) updates to fix domain controller login failures and other authentication issues, also caused by that month’s Windows Patch Tuesday updates.