Microsoft is investigating LSASS memory leaks (caused by Windows Server updates released during the November patch on Tuesday) that could lead to freezes and reboots on some domain controllers.

LSASS (short for Local Security Authority Subsystem Service) is responsible for enforcing security policies on Windows systems and manages access token creation, password changes, and user logins.

If this service goes down, logged in users immediately lose access to Windows accounts on the machine and a system restart error is displayed, followed by a system restart.

“LSASS may use more memory over time and the DC may become unresponsive and reboot”, Microsoft Explain on the Windows Health dashboard.

“Depending on the workload of your domain controllers and the time elapsed since the last server restart, LSASS may continually increase memory usage with the uptime of your server and the server may become unresponsive or restart automatically.”

Redmond says out-of-band Windows updates deployed to fix authentication issues on Windows domain controllers could also be affected by this known issue.

The full list of affected Windows versions includes Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

Microsoft is working on a resolution and says it will provide an update with an upcoming release.

Workaround available

Until a patch is available to address this LSASS memory leak issue, the company is also providing an interim solution for IT administrators to work around domain controller instability.

This workaround requires administrators to set the KrbtgtFullPacSignature registry key (used for CVE-2022-37967 Kerberos protocol changes) to 0 using the following command:

reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD

“Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting based on what your environment will allow,” Microsoft added.

“It is recommended that you enable enforcement mode as soon as your environment is ready. For more information about this registry key, please see KB5020805: How to handle Kerberos protocol changes related to CVE-2022-37967.”

In March, Redmond addressed another known issue leading to Windows Server domain controller restarts due to LSASS crashes.

Earlier this month, Microsoft fix domain controller login failures and other authentication issues also caused by November Patch Tuesday Windows Updates with Emergency Out of Band (OOB) updates.