About

KB5009595 Security Update for Window Server 2012 R2 – January Updates

The January security update for Windows Server 2012 R2 has been released by Microsoft. Along with the security-only update, we have also a new monthly rollup update KB5009624 for the Windows Server 2012 R2 or the Windows Embedded 8.1 based operating systems. We discuss the issues in the KB5009595, the ways you can install the update on Windows Server 2012 R2 and the various bug fixes or product improvements that have been implemented as part of the KB5009595. KB5009595 will change your build to 6.3.9600.20246.

KB5010794 Emergency Update for Windows Server 2012 R2

KB5010794 is an out of band emergency update that has been released by Microsoft on January 17 2022. It seeks to address the issues that have cropped up after installation of the security update KB5009595 on the Windows Server 2012 R2. Updating Windows Server 2012 R2 with KB5010794 will resolve the following issues:

  • Boot loops on the domain controllers after installing KB5009595 security update on Windows Server 2012.
  • Failure of Virtual Machines to start after the installation or deployment of KB5009595 for Windows Server 2012 R2.
  • LDAP bindings fail on the Active Directory server based on the Windows Server 2012 R2.

There is no clarity about the VPN issues or the ReFS volume drives becoming RAW after deployment of the security update KB5009595.

The emergency or out of band update KB5010794 is available for download through the Windows Update Catalog only. So, manual intervention is needed to patch the servers that are affected due to KB5009595.

You can download KB5010794 from the following page on the Microsoft Update Catalog:

Download KB5010794 – download the standalone update for Windows Server 2012 R2. The update file weighs 81.1 MB.


How can I download the KB5009595 for Windows Server 2012 R2?

The KB5009595 security update for Windows Server 2012 R2 can be downloaded from the Microsoft Update Catalog. Since this is a security-only update, you will need to make sure that

  • you have installed all the previous security updates on your Windows Server 2012 R2
  • you have installed Internet Explorer’s cumulative security update KB5006671.
  • and, you should have ideally planned for downtime since the server may reboot as part of the update process.

The Microsoft catalog links for the Windows Server 2012 R2 KB5009595 security update are mentioned below. You can download the KB5009595 from these pages:

We would like to reiterate that the KB5009595 will need a reboot. So, please plan your updates accordingly. You may also like to read the issues that have been reported after installing KB5009595 and KB5009624 on the Windows Server 2012 R2.


Can I install KB5009595 for Windows Server 2012 R2 automatically?

Yes, the security update KB5009595 can be installed automatically through the Windows Server Update Services (WSUS). To synchronize the security update with the WSUS on your Windows Server, you will need to configure the WSUS as per the details below:

  • Product: Windows 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro.
  • Classification: Security Update.

KB5009595 is not available for automatic deployment through the Windows Update or Microsoft Updates.


Issues with KB5009595 on Windows Server 2012 R2

A significant number of system administrators have reported experiencing the below mentioned issues after installing the KB5009595 security update on Windows Server 2012 R2.

  • The Windows Server 2012 R2 enter bootloop after installing the KB5009595 security update. Servers are unable to boot successfully. Uninstalling the patch resolves the issue and servers boot up successfully.
  • KB5009595 breaks the Hyper VM V virtualization layer. As a result, virtual machines fail to come up. Uninstalling the KB5009595 resolves the issue and the Hyper VM V works fine. Virtualized servers are restored post uninstalling the security update.
  • External or internal ReFS volume drives may turn RAW after installing the KB5009595 security updates. Uninstalling the security update restores the ReFS drives to original state. There is no data loss.

These issues have been reported by quite a few system administrators. Not all deployments of Windows Server 2012 R2 will experience these issues. However, in the worst case scenario, if you run into this issue, please follow the instructions below to uninstall the KB5009595, or deploy the emergency update KB5010794 to tide over the issues:

  • take your server off the network.
  • boot the server in the safe mode.
  • uninstall the KB5009595 from the control panel.
  • Re-boot the server.
  • re-join the network.

A graded upgrade strategy for Windows servers should be used to patch the servers. Domain controllers should be upgraded as the last step. Before touching the domain controllers, the least significant servers on the network must be updated and tested. If all is well, the updates should be gradually pushed to other servers. Please, plan for a change ticket or a maintenance window and apprise the IT management of the various issues reported during the installation of the Windows Server 2012 R2 KB5009595 security updates.

We expect that Microsoft may issue an out of band update or a clarification note to give more information about the issues affecting the Windows Server 2012 R2 after installing the KB5009595 security update.


What bug fixes have happened in KB5009595 for Windows Server 2012 R2?

An Active Directory issue has been resolved as part of the KB5009595 for Windows Server 2012 R2. KB5009595 security update:

  • Addresses a Windows Server issue in which Active Directory attributes are not written correctly during a Lightweight Directory Access Protocol (LDAP) modify operation with multiple specific attribute changes.


Known issues in KB5009595 for Windows Server 2012 R2

The following known issue has been shared by Microsoft for the KB5009595 security update for Windows Server 2012 R2:

  • File and folder operations on the clustered shared volume may fail with STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5). This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Microsoft has suggested that you could either perform the operation through an account with administrative privileges. Alternatively, you may perform the file and folder operations from a node that does not have CSV ownership. Both these tweaks will take care of the known issue on the Windows Server 2012 R2.


Security Update history of Windows Server 2012 R2

For the Windows Server 2012 R2, the security update will replace the following security updates:

  • 2017-11 Update for Windows Server 2012 R2 for x64-based Systems (KB4055038)
  • Security Update for Windows Server 2012 R2 (KB2862152)
  • Security Update for Windows Server 2012 R2 (KB2978668)
  • Security Update for Windows Server 2012 R2 (KB2992611)
  • Security Update for Windows Server 2012 R2 (KB2993651)
  • Security Update for Windows Server 2012 R2 (KB3003743)
  • Security Update for Windows Server 2012 R2 (KB3061518)
  • Security Update for Windows Server 2012 R2 (KB3072630)
  • Security Update for Windows Server 2012 R2 (KB3080446)
  • Security Update for Windows Server 2012 R2 (KB3108347)
  • Security Update for Windows Server 2012 R2 (KB3121918)
  • Security Update for Windows Server 2012 R2 (KB3126446)
  • Security Update for Windows Server 2012 R2 (KB3135456)
  • Security Update for Windows Server 2012 R2 (KB3145739)
  • Security Update for Windows Server 2012 R2 (KB3149090)
  • Security Update for Windows Server 2012 R2 (KB3151058)
  • Security Update for Windows Server 2012 R2 (KB3153171)
  • Security Update for Windows Server 2012 R2 (KB3153199)
  • Security Update for Windows Server 2012 R2 (KB3153704)
  • Security Update for Windows Server 2012 R2 (KB3155784)
  • Security Update for Windows Server 2012 R2 (KB3156013)
  • Security Update for Windows Server 2012 R2 (KB3160352)
  • Security Update for Windows Server 2012 R2 (KB3161561)
  • Security Update for Windows Server 2012 R2 (KB3161664)
  • Security Update for Windows Server 2012 R2 (KB3164035)
  • Security Update for Windows Server 2012 R2 (KB3167679)
  • Security Update for Windows Server 2012 R2 (KB3168965)
  • Security Update for Windows Server 2012 R2 (KB3170377)
  • Security Update for Windows Server 2012 R2 (KB3172727)
  • Security Update for Windows Server 2012 R2 (KB3174644)
  • Security Update for Windows Server 2012 R2 (KB3177108)
  • Security Update for Windows Server 2012 R2 (KB3177186)
  • Security Update for Windows Server 2012 R2 (KB3177725)
  • Security Update for Windows Server 2012 R2 (KB3178034)
  • Security Update for Windows Server 2012 R2 (KB3184471)
  • Security Update for Windows Server 2012 R2 (KB3185911)
  • Update for Windows Server 2012 R2 (KB2939087)
  • Update for Windows Server 2012 R2 (KB3037313)
  • Update for Windows Server 2012 R2 (KB3060746)
  • Update for Windows Server 2012 R2 (KB3105115)
  • Update for Windows Server 2012 R2 (KB3121255)
  • Update for Windows Server 2012 R2 (KB3125424)
  • Update for Windows Server 2012 R2 (KB3139165)
  • Update for Windows Server 2012 R2 (KB3139923)
  • Update for Windows Server 2012 R2 (KB3144474)
  • Update for Windows Server 2012 R2 (KB3187022)
  • Update for Windows Server 2012 R2 (KB3204474)

Summary

  • KB5009595 for Windows Server 2012 R2 is a security only update
  • You can install it manually or perform automatic sync through the WSUS.
  • Some System admins have reported bootloops, loss of ReFS volumes and mal-functioning of Hyper VM V after installing KB5009595.
  • If you run into any issues after installing the KB5009595 on Windows Server 2012 R2, please uninstall the patch from the Windows Server 2012 R2.

You may also like to read more about the Microsoft security updates for January 2022 as per the links below: