Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Security patches KB 3205394, 3206632, 3205386 crash Active Directory Admin Center

    Posted on January 6th, 2017 at 07:32 woody Comment on the AskWoody Lounge

    Reports are spreading.

    InfoWorld Woody on Windows

    So, anybody care to guess how Microsoft will handle this problem? We appear to have three Win10 cumulative updates and four Win7/8.1 monthly patches, all with the same bug. It’s not a big deal, unless you’re using the Active Directory Admin Center (or SCCM).

    I see a few possibilities:

    • “Patch” ADAC (which probably isn’t broken)
    • Post a manual workaround and forget about it
    • Post hotfixes for the Win10 versions, or at least 1607
    • Re-release the Win7 and 8.1 patches

    Let’s see how MS reacts.

    Thanks to Paul and MH.

    If that helped, take a second to support AskWoody on Patreon

    Home Forums Security patches KB 3205394, 3206632, 3205386 crash Active Directory Admin Center

    This topic contains 22 replies, has 2 voices, and was last updated by  abbodi86 8 months, 3 weeks ago.

    • Author
      Posts
    • #13909 Reply

      woody
      Da Boss

      Reports are spreading. InfoWorld Woody on Windows So, anybody care to guess how Microsoft will handle this problem? We appear to have three Win10 cumu
      [See the full post at: Security patches KB 3205394, 3206632, 3205386 crash Active Directory Admin Center]

    • #13910 Reply

      abbodi86

      they will either fix it in the next patch tuesday updates, or later with catalog-only updates

      Win7/8.1 propably will get it in the next “Preview Rollup”

    • #13911 Reply

      Eric

      Let’s see if MS fixes a buggy security-only update with a non security-only patch!

      I’m not holding my breath for a good outcome.

    • #13912 Reply

      The Real Allan

      Hey Woody,

      I reluctantly installed KB 3205400 for Windows 8.1, mostly based on your approval of it. I haven’t had anything specific happen except occasionally my browser doesn’t load the correct web page, or it does so very slowly.

      Also, I had to re-install the update of an IDE I use because it had reduced functionality. After re-installation, things were back to normal. The hash table wasn’t checked since this was a mostly automatic update.

      I don’t know if this is related to KB 3205400 or not.
      The above quirks happened after I installed the update.

      Glad to see that you are back from vacation. Happy New Year!

    • #13913 Reply

      Glenda Hewitt

      Should we uninstall 3205394 update. W7 Home. Group B

    • #13914 Reply

      woody
      Da Boss

      Absolutely not.

    • #13915 Reply

      woody
      Da Boss

      Not sure what’s causing the quirks, but you’re fine with 3205400.

    • #13916 Reply

      b

      “admins have a straightforward choice: Use Active Directory Admin Center to edit users/groups, or remove all December security patches.”

      Shouldn’t this read, “DON’T use …, or remove …”?

    • #13917 Reply

      woody
      Da Boss

      Nope. If they have December patches applied (at least the ones that have already been tracked down and identified as problematic), they can’t use ADAC to edit users or groups. It’ll crash on save. If they want to use ADAC, they have to uninstall the December patches.

    • #13918 Reply

      ch100

      Active Directory Admin Center is not in wide use, although it is the current Microsoft recommended method for administering Active Directory. Most administrators prefer to use the classic consoles known since Windows 2000.
      SCCM console breaking may be an issue, but again, this depends on where the management console is installed.
      I think abbodi86 has already provided the answer for the likely methods to fix the current issues.

    • #13919 Reply

      ch100

      @woody
      “Based on the crashing module name, kernelbase.dll, I would point the finger at MS 16-151, the β€œSecurity Update for Windows Kernel-Mode Drivers,” which has become a monthly recurring theme of late.”

      Weren’t the kernel driver updates the very last that were recommended to be installed by Susan Bradley in her newsletter? Now we don’t have the luxury to separate between different patches… so we should delay installing the whole lot, especially when there are unresolved issues.

    • #13920 Reply

      zero2dash

      I didn’t even realize I had ADAC on my workstation (after installing the RSAT’s) but lo and behold, there it is.
      I do have the update (in this case, KB3206632), and it does indeed cause ADAC to crash when trying to make any changes.

      In any event, a workaround is to use AD Users & Computers, which is also included in the RSAT’s and has the same functionality (as far as I can tell) as ADAC, in a more ‘clean’ package. I have no idea why they even came up with ADAC, other than typical Microsoft “reinvent the wheel when the wheel’s not broken” sense. I’m more familiar with ADUC anyway.

    • #13921 Reply

      woody
      Da Boss

      Agreed – but this issue didn’t crop up until very late in the game.

    • #13922 Reply

      ch100

      My comment was not intended against any recommendation to install or not. Was just related to the separation of the various patches which now come in a bundle.
      However I still prefer the current and in particular the future approach with the rollups πŸ™‚

    • #13923 Reply

      ch100

      This is what I said in another comment. Most admins do not use ADAC, but ADUC, AD Sites and Services, i.e. the classical tools.

    • #13924 Reply

      ch100

      I think ADAC has only one major feature not found in other tools except for using PowerShell, rarely used and hopefully never needed. It is about restoring deleted Active Directory objects from the Recycle Bin.

    • #13925 Reply

      woody
      Da Boss

      Understood. πŸ™‚

    • #13926 Reply

      b

      Exactly. So their choice is to NOT use ADAC, *or* remove December patches.

      (Otherwise the first choice means no change!)

    • #13927 Reply

      Brandon

      KB3205394 OR KB3207752 were causing a client’s machine not to boot correctly, it would cause the machine to state a hardware or software change has prevent windows from booting correctly and select repair- I would select the repair and then a Window Would appear and state the OS couldn’t be repaired, as soon as I removed these 2 updates the Machine hasn’t had a problem since.

      So I’d definitely would be removing these updates period

    • #13928 Reply

      woody
      Da Boss

      Correct.

    • #13929 Reply

      John

      Hi. Auto update installed KB3206632 and completely screwed my Windows10 64bit system. Programs freeze, CCleaner cannot run on this level of windows and explorer hangs in folders and files. Re-boot only way to recover and ofcourse immediately problem reoccurs.
      Autoupdate installed KB3206632 on 28Dec’16. Uninstalled this update and all was fine until Autoupdate again installed it on 5Jan’17.
      Uninstalled for second time today 8Jan’17 and again problem solved. AutoUpdate service now disabled! Will now update every 3 months on duplicate system – if ok, this will become prod system – switching systems every 3 months if updates ok.
      Hope this info is useful. John

    • #13930 Reply

      ch100

      One more for your ammunition Woody, Enterprise related though.
      It appears that Windows 2016 and Windows 10 when configured as KMS hosts, after a while reject the activation of Windows 7 KMS clients, considering them non-genuine. I don’t know the cause, but it appears to affect machines which were offline for about 2 weeks or longer, which should not happen. This became obvious after the Christmas & New Year’s break when many people took extended leave. Maybe it happens within Microsoft too, although I am expecting that their employees are not allowed to use Windows 7 any longer. πŸ˜‰
      There is a manual fix for the affected machines by rearming the system (KMS activation does not have a limited number of rearming operations, as the counter is reset each time one such activation takes place). But there is no guarantee that it will not happen again.
      The solution proposed by Microsoft is to use older OS as KMS hosts until there will be a fix available. This may be related to the known crashes of the Windows 2016 Server role Volume Activation Services.
      https://social.technet.microsoft.com/Forums/en-US/98d40290-8dc3-4abe-89d0-36cf8c2971e0/windows-10-enterprise-kms-host-renders-windows-7-enterprise-kms-clients-not-genuine-?forum=win10itprosecurity

      And Microsoft’s workaround (from the same thread):

      blogs.technet.microsoft.com/askpfeplat/2016/10/24/kms-activation-for-windows-server-2016/

      “The recommendation at this point is to leave your existing KMS system alone. Whether it is running on Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, continue to service the machine via security and quality updates. Allow your KMS system to activate down-level operating systems and Office installs (Windows 7, Windows Server 2008/2008 R2, and Office 2010). Utilize Active Directory Based Activation (ADBA) for all new clients (Windows 8, 8.1, Windows Server 2012, 2012 R2, 2016, Windows 10, Office 2013, and Office 2016).”

    • #13931 Reply

      woody
      Da Boss

      Good one. I just bumped it up to a main post.

    • #13932 Reply

      Ben

      We have the same issue and was not sure of the root cause until I found this article. I removed both 3205394 and 3207752.

    • #13933 Reply

      woody
      Da Boss

      Thx for the confirmation.

    • #13934 Reply

      ch100

      Thank you. πŸ™‚

    • #13935 Reply

      Debbie Zanet

      We have several techs with AD crashing and they all have KB3205394 installed. Those techs without it are fine. I removed the patch from my computer but it didn’t fix anything. Still crashing when I try to add users to a group. I found a mention of a December patch to Server 2012R2 not sure it is related. Could it be both the server patch and the Win7 patch need to be removed?
      See http://www.infoworld.com/article/3155264/microsoft-windows/december-windows-security-patches-crash-active-directory-admin-center.html

    • #13936 Reply

      Pacman

      I have this happening on a Windows 10 x64 station. Last week I fixed by removing KB3206632. Today Windows update installed KB3197356 and KB3213986 and I am having the same issue. Right now I am switching over to using ADUC which does not have this problem. I prefer ADAC, so hopefully Microsoft fixes this soon. I have reported this at Microsoft too – https://social.technet.microsoft.com/Forums/office/en-US/533a56c7-9412-43d4-a711-18fbe9035786/issues-with-adac-after-installing-december-2016-security-monthly-rollup?forum=winservergen

    • #13937 Reply

      woody
      Da Boss

      Make sure you report this on patchmanagement.org … lots of people there suffering from it.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Security patches KB 3205394, 3206632, 3205386 crash Active Directory Admin Center

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: