Security patches KB 3205394, 3206632, 3205386 crash Active Directory Admin Center

Topic

New Reply

Reports are spreading. InfoWorld Woody on Windows So, anybody care to guess how Microsoft will handle this problem? We appear to have three Win10 cumu
[See the full post at: Security patches KB 3205394, 3206632, 3205386 crash Active Directory Admin Center]

Reply | Quote

Replies

they will either fix it in the next patch tuesday updates, or later with catalog-only updates

Win7/8.1 propably will get it in the next “Preview Rollup”

Reply | Quote

Let’s see if MS fixes a buggy security-only update with a non security-only patch!

I’m not holding my breath for a good outcome.

Reply | Quote

Hey Woody,

I reluctantly installed KB 3205400 for Windows 8.1, mostly based on your approval of it. I haven’t had anything specific happen except occasionally my browser doesn’t load the correct web page, or it does so very slowly.

Also, I had to re-install the update of an IDE I use because it had reduced functionality. After re-installation, things were back to normal. The hash table wasn’t checked since this was a mostly automatic update.

I don’t know if this is related to KB 3205400 or not.
The above quirks happened after I installed the update.

Glad to see that you are back from vacation. Happy New Year!

Reply | Quote

Should we uninstall 3205394 update. W7 Home. Group B

Reply | Quote

Absolutely not.

Reply | Quote

Not sure what’s causing the quirks, but you’re fine with 3205400.

Reply | Quote

“admins have a straightforward choice: Use Active Directory Admin Center to edit users/groups, or remove all December security patches.”

Shouldn’t this read, “DON’T use …, or remove …”?

Reply | Quote

Nope. If they have December patches applied (at least the ones that have already been tracked down and identified as problematic), they can’t use ADAC to edit users or groups. It’ll crash on save. If they want to use ADAC, they have to uninstall the December patches.

Reply | Quote

Active Directory Admin Center is not in wide use, although it is the current Microsoft recommended method for administering Active Directory. Most administrators prefer to use the classic consoles known since Windows 2000.
SCCM console breaking may be an issue, but again, this depends on where the management console is installed.
I think abbodi86 has already provided the answer for the likely methods to fix the current issues.

Reply | Quote

@Woody
“Based on the crashing module name, kernelbase.dll, I would point the finger at MS 16-151, the “Security Update for Windows Kernel-Mode Drivers,” which has become a monthly recurring theme of late.”

Weren’t the kernel driver updates the very last that were recommended to be installed by Susan Bradley in her newsletter? Now we don’t have the luxury to separate between different patches… so we should delay installing the whole lot, especially when there are unresolved issues.

Reply | Quote

I didn’t even realize I had ADAC on my workstation (after installing the RSAT’s) but lo and behold, there it is.
I do have the update (in this case, KB3206632), and it does indeed cause ADAC to crash when trying to make any changes.

In any event, a workaround is to use AD Users & Computers, which is also included in the RSAT’s and has the same functionality (as far as I can tell) as ADAC, in a more ‘clean’ package. I have no idea why they even came up with ADAC, other than typical Microsoft “reinvent the wheel when the wheel’s not broken” sense. I’m more familiar with ADUC anyway.

Reply | Quote

Agreed – but this issue didn’t crop up until very late in the game.

Reply | Quote

My comment was not intended against any recommendation to install or not. Was just related to the separation of the various patches which now come in a bundle.
However I still prefer the current and in particular the future approach with the rollups

Reply | Quote

This is what I said in another comment. Most admins do not use ADAC, but ADUC, AD Sites and Services, i.e. the classical tools.

Reply | Quote

I think ADAC has only one major feature not found in other tools except for using PowerShell, rarely used and hopefully never needed. It is about restoring deleted Active Directory objects from the Recycle Bin.

Reply | Quote

Exactly. So their choice is to NOT use ADAC, *or* remove December patches.

(Otherwise the first choice means no change!)

Reply | Quote

KB3205394 OR KB3207752 were causing a client’s machine not to boot correctly, it would cause the machine to state a hardware or software change has prevent windows from booting correctly and select repair- I would select the repair and then a Window Would appear and state the OS couldn’t be repaired, as soon as I removed these 2 updates the Machine hasn’t had a problem since.

So I’d definitely would be removing these updates period

Reply | Quote

Correct.

Reply | Quote

Hi. Auto update installed KB3206632 and completely screwed my Windows10 64bit system. Programs freeze, CCleaner cannot run on this level of windows and explorer hangs in folders and files. Re-boot only way to recover and ofcourse immediately problem reoccurs.
Autoupdate installed KB3206632 on 28Dec’16. Uninstalled this update and all was fine until Autoupdate again installed it on 5Jan’17.
Uninstalled for second time today 8Jan’17 and again problem solved. AutoUpdate service now disabled! Will now update every 3 months on duplicate system – if ok, this will become prod system – switching systems every 3 months if updates ok.
Hope this info is useful. John

Reply | Quote

One more for your ammunition Woody, Enterprise related though.
It appears that Windows 2016 and Windows 10 when configured as KMS hosts, after a while reject the activation of Windows 7 KMS clients, considering them non-genuine. I don’t know the cause, but it appears to affect machines which were offline for about 2 weeks or longer, which should not happen. This became obvious after the Christmas & New Year’s break when many people took extended leave. Maybe it happens within Microsoft too, although I am expecting that their employees are not allowed to use Windows 7 any longer.
There is a manual fix for the affected machines by rearming the system (KMS activation does not have a limited number of rearming operations, as the counter is reset each time one such activation takes place). But there is no guarantee that it will not happen again.
The solution proposed by Microsoft is to use older OS as KMS hosts until there will be a fix available. This may be related to the known crashes of the Windows 2016 Server role Volume Activation Services.
https://social.technet.microsoft.com/Forums/en-US/98d40290-8dc3-4abe-89d0-36cf8c2971e0/windows-10-enterprise-kms-host-renders-windows-7-enterprise-kms-clients-not-genuine-?forum=win10itprosecurity

And Microsoft’s workaround (from the same thread):

blogs.technet.microsoft.com/askpfeplat/2016/10/24/kms-activation-for-windows-server-2016/

“The recommendation at this point is to leave your existing KMS system alone. Whether it is running on Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2, continue to service the machine via security and quality updates. Allow your KMS system to activate down-level operating systems and Office installs (Windows 7, Windows Server 2008/2008 R2, and Office 2010). Utilize Active Directory Based Activation (ADBA) for all new clients (Windows 8, 8.1, Windows Server 2012, 2012 R2, 2016, Windows 10, Office 2013, and Office 2016).”

Reply | Quote

Good one. I just bumped it up to a main post.

Reply | Quote

We have the same issue and was not sure of the root cause until I found this article. I removed both 3205394 and 3207752.

Reply | Quote

Thx for the confirmation.

Reply | Quote

Thank you.

Reply | Quote

We have several techs with AD crashing and they all have KB3205394 installed. Those techs without it are fine. I removed the patch from my computer but it didn’t fix anything. Still crashing when I try to add users to a group. I found a mention of a December patch to Server 2012R2 not sure it is related. Could it be both the server patch and the Win7 patch need to be removed?
See http://www.infoworld.com/article/3155264/microsoft-windows/december-windows-security-patches-crash-active-directory-admin-center.html

Reply | Quote

I have this happening on a Windows 10 x64 station. Last week I fixed by removing KB3206632. Today Windows update installed KB3197356 and KB3213986 and I am having the same issue. Right now I am switching over to using ADUC which does not have this problem. I prefer ADAC, so hopefully Microsoft fixes this soon. I have reported this at Microsoft too – https://social.technet.microsoft.com/Forums/office/en-US/533a56c7-9412-43d4-a711-18fbe9035786/issues-with-adac-after-installing-december-2016-security-monthly-rollup?forum=winservergen

Reply | Quote

Make sure you report this on patchmanagement.org … lots of people there suffering from it.

Reply | Quote