KB5009546 Security Update for Windows Server 2016 – January Update

The January security update for Windows Server 2016 is released by Microsoft on 11th January. The security update KB5009546 for Windows Server 2016 seeks to resolve bugs, security vulnerabilities and improve the quality of the operating system. We look at the ways you can download the Windows Server 2016 security update, the issues that have been reported by system administrators and also the known issues shared by Microsoft. This security update will take your build on Windows Server 2016 to version OS Build 14393.4886. This security update follows on with the last cumulative security update KB5008207 released in December 2021. Emergency security update KB5010195 ought to have been installed on top of the KB5008207 cumulative update.

Important – KB5010790 can be installed in lieu of the security update KB5009546. This will cover the issues in KB5009546 and patch you for all the vulnerabilities on Windows Server 2016. KB5010790 is a cumulative update.

KB5010790 emergency out of band update for Windows Server 2016

KB5010790 is a security update of an emergency nature. It was released by Microsoft as an out of band update on 17th January 2022. The standalone update seeks to resolve issues that have been caused by the January update KB5009546 on Windows Server 2016. If you have patched the Windows Server 2016 with KB5009546, you are expected to patch the server with KB5010790 to resolve the following issues:

  • boot loops on domain controllers after installing the January security update KB5009546.
  • failed LDAP bindings on the Active Directory server on Windows Server 2016.
  • ReFS vulme drives, internal or external, turning RAW after installing the KB5009546 security update for Windows Server 2016.
  • failed VPN connections through the Windows Server 2016.

Since this update is of an emergency nature, you may top it up on the Windows Server 2016 using one of the following methods:

  • Download KB5010790 from the Microsoft Update catalog from the following page. This update weighs 1672.3 MB. The update is cumulative in nature and impact. You can read full details about the KB5010790 from this page. Do note that this is a cumulative update, just like the KB5009546.
  • On Windows Update, you can find the KB5010790 as an optional update.
  • WSUS or the Windows Server Update Service cannot be used for automatic synchronization with the KB5010790. However, you can import KB5010790 manually on the Windows Server Update Service.

If you have not installed KB5009546 as of now, you may want to wait a few days before taking a commit. For administrators who are already affected by the plethora of issues after deploying KB5009546, please deploy the KB5010790 on Windows Server 2016 to move beyond the wide variety of issues on the servers.

Microsoft has released a new document about the emergency out of band update for Windows Server 2016. You can read about the out of band updates on this page – https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016. I will paste a part of the document that mentions KB5010790 as a cumulative update. So, you can just install KB5010790 and skip the broken update KB5009546.

Resolution: This issue was resolved in the out-of-band update KB5010790. It is a cumulative update, so you do not need to apply any previous update before installing it. If you would like to install the update, you will need to Check for updates and select “Optional updates” and then select KB5010790. To get the standalone package for KB5010790, search for it in the Microsoft Update Catalog. You can import this update into Windows Server Update Services (WSUS) manually. See the Microsoft Update Catalog for instructions. NoteKB5010790 will not install automatically.


How can I download the KB5009546 security update for Windows Server 2016?

KB5009546 can be downloaded from the Microsoft update catalog site. The links to download the security update are posted below for your ready reference:

This update follows on from the last cumulative security update for December -KB5008207. If you had installed the emergency security update KB5010195, you are good to go in installing the KB5009546 security update on the Windows Server 2016.

Do make sure that you have a maintenance window in place for patching the Windows Server 2016 with the security update KB5009546. The server may require a reboot after the update.

We do suggest that you have a look at the issues reported below. These issues have been reported by the system administrators, and have been known to chiefly impact the Windows Server 2012 and the Windows Server 2012 R2.


Issues in KB5009546 security update for Windows Server 2016

Most issues reported below have been reported by the system administrators of Windows Server 2012 and Windows Server 2012 R2. However, administrators of Windows Server 2016 and Windows Server 2019 have also shared reports of some issues affecting their server installations.

  • Bootloops after installing the security update. Your Windows Server 2016 may end up in a boot loop after installing the January security update KB5009546. Uninstalling the security update resolves the issue. The Bootloops are especially affecting the Domain controllers. Microsoft has acknowledged the issue and stated that the bootloops may affect Domain controllers that are using Shadow Principals in Enhanced Security Admin Environment (ESAE) or environments with Privileged Identity Management (PIM).

  • Failed VPN connections for IPSEC tunnels, L2TP tunnels and VPN endpoints on the server. Uninstalling the patch resolves the issue for most system administrators.

  • Hyper VM V may break after installing the security update. This may break the virtual machines running through the virtualization layer on the Windows Server 2016. Uninstalling the patch resolves the issue with the Hyper VM.

  • Internal and external ReFS volume drives may become RAW. Although there is no data loss, you won’t be able to access the content of the ReFS drives until you have uninstalled the security patch.

These issues are of a significant nature. We understand that Microsoft is looking into fixing these issues. We also do understand that not all system administrators of Windows Server 2016 run into these issues. These are intermittent issues that seem to be affecting a subset of overall users.

A graded approach to installing the security updates is the best strategy. You should start with the least significant Windows Server 2016 that needs to be patched. Domain controllers should be touched only after you are reasonably convinced about the success of patching the Windows 2016 servers on your network.

To uninstall the KB5009546 security update for Windows Server 2016, you may follow the instructions below:

  • Take the affected server off the network.
  • Boot the server in safe mode.
  • Uninstall the security update from the server.
  • Reboot the server.
  • Connect it to the network once the server boots fine.

Uninstalling the patch from the server is a hassle, but you have no option or recourse left if the servers are in a bootloop situation.


What bugs have been resolved in the KB5009546 for Windows Server 2016?

The January update KB5009546 resolves the following bugs or issues:

  • issues with searchindexer.com when dismounting the volume in a Remote Desktop setup.
  • issues with the Brachcache republication cache taking more space than assigned.
  • issues with LDAP modify operating not updating the AD attributes properly when multiple attributes are being updated.


What are the known issues in KB5009546 security update?

  1. One of the known issues of the security update KB5009546 is the inability of the Key Management Service on the server to activate Windows 10 based client computers. While trying to activate the client computers, you may get an error:

Error: 0xC004F074. The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.”

  • The KMS service on the server fails to activate Windows 10 based client computers.
  • The KMS client is unable to contact the KMS server.
  • The KMS server fails to respond.
  • The KMS client did not receive the response sent by the server.

In all these cases, the KMS host to client communication fails and the client computer fails to get a valid key to activate.

This issue is pending a resolution from the Microsoft side.

2. Microsoft has also acknowledged the IPSEC VPN tunnel issue. VPN connections may fail if:

  • VPN settings contain the vendor id or,
  • Layer 2 Tunneling Protocol (L2TP)  VPN connections may fail.
  • IP security Internet Key Exchange or the IPSEC tunnels may also fail.

The failed VPN issue is pending a resolution from the Microsoft side.

3. The third issue acknowledged by Microsoft is the boot loop on the domain controllers. This issue also waits for a resolution from the Microsoft side.

Given these issues, it may be a better idea to wait for the January security update issues to be resolved by Microsoft.


Can I install KB5009546 automatically?

Yes, KB5009546 can be applied automatically. The software update will get automatically downloaded and apply on the server. KB5009546 also applies to Windows 10 version 1607 and higher. KB5009546 can be applied automatically through:

  • Windows Update
  • Windows Server Update Services (WSUS)
  • Windows Update for Business

If you make use of WSUS for the update process, you will need to configure WSUS on your server to receive the corresponding security updates for Windows Server 2016.


Summary

KB5009546 for Windows Server 2016 seems to be causing issues and it may be a good idea to wait for a resolution from the Microsoft side. If you still wish to patch, you can do so from the catalog link posted above or use the WSUS on your Windows Server 2016.

You may also like to read more about the January Security updates from Microsoft: