Microsoft fixes Patch Tuesday bugs that broke Windows VPN, ReFS, and DC – The Verge

Microsoft released an out-of-band (OOB) update yesterday to fix some Windows issues caused by last week’s monthly patching cycle on Patch Tuesday.

The January 2022 updates that shipped last week included security patches and a fix for Japanese text appearance issues in Windows 11 (KB5009566) and Windows 10 (KB5009543) — along with a secret payload of issues, including unexpected restarting of Domain Controllers and VPN connections using L2TP failing.

One of the major issues IT admins ran into during the week was Windows Server 2012 getting stuck in a boot loop, while other versions suffered broken Windows VPN clients and some hard drives appearing as RAW format (and unusable). Many IT admins were forced to roll back the updates, leaving many servers without any of last week’s security patches.

The process is leaving some IT admins frustrated and sharing grievances on Reddit. They found that the OOB update (an update separate from the usual timing that is downloaded and distributed manually by staff) would force them to first run last week’s buggy patches, risking Domain Controllers that continuously reboot, loss of access to external drives formatted as ReFS (Resilient File System), and broken VPN connectivity.

The Verge spoke with an IT Admin for a university, who was able to confirm they, too, had to roll back last Tuesday’s update because external ReFS drives had become incompatible — with no warning from Microsoft. Microsoft’s documents state that ReFS should only be used on fixed drives, so this department (and other IT admins on Reddit) had to migrate data before running the updates again.

Had Microsoft not addressed the ReFS issue as soon as it did, admins might have believed the drives were faulty, reformatted them to NTFS, and lost the data (that might be a good idea anyway, as other Reddit posts shared accounts of ReFS failing on them regardless of this update).

This OOB update is available to IT admins with access to Microsoft’s update catalog and can be loaded into Windows Server Update Services (WSUS), but it does not, as yet, appear in the WSUS catalog, leaving admins forced to manually download and load it.

An individual by the name of syshum on the sysadmin subreddit jokes: “To Microsoft the question is Why are you still using DomainControllers. You should be using Azure AD only.” There are reasons why many might believe there’s an uneven allocation of resources — subscription cloud services like Azure contribute more to the company’s constant revenue flow than a long-term supported Active Directory solution on-premises.

Thankfully, support for on-premises solutions isn’t gone yet. Cliff Fisher, Microsoft’s product manager for Active Directory, addressed the problems of patching the older Server 2012 R2, which erroneously reboots too fast to take the whole cumulative patch:

Some of these fixes are available now for Windows 11 and Windows 10 as an optional update if you go to Windows Update on your computer. As of writing, there is still no fix for Windows Server 2019.