Microsoft Windows Server - Defect ID: WI916855
OpenSSH service failure after installing October 2024 security update

• No change history provided.

Impact: Users are experiencing OpenSSH failures after installing the October 2024 security update on affected systems. Originating KB URL: https://support.microsoft.com/en-us/topic/5044285 Originating KB Release Date: 2024-10-08T10:00:00-07:00 Originating Build: 22621.4317 Resolved KB URL: All Updates: ------------------------------------------------------ December 17, 2024 21:28 PM Following the installation of the October 2024 security update (KB5044285 (https://support.microsoft.com/help/5044285)), some customers report that the OpenSSH (https://learn.microsoft.com/windows-server/administration/openssh/openssh-overview) (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the sshd.exe process. This issue is affecting both enterprise, IOT, and education customers, with a limited number of devices impacted. Microsoft is investigating whether consumer customers using Home or Pro editions of Windows are affected. Workaround: Customers can temporarily resolve the issue by updating permissions (ACLs) on the affected directories. Follow these steps: 1. Open PowerShell as an Administrator. 2. Update the permissions for C:\ProgramData\ssh and C:\ProgramData\ssh\logs to allow full control for SYSTEM and the Administrators group, while allowing read access for Authenticated Users. You can restrict read access to specific users or groups by modifying the permissions string if needed. Use the following commands to update the permissions: $directoryPath = "C:\ProgramData\ssh" $acl = Get-Acl -Path $directoryPath $sddlString = "O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)" $securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString $acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All")) Set-Acl -Path $directoryPath -AclObject $acl 3. Repeat the above steps for C:\ProgramData\ssh\logs. Next steps: Microsoft is actively investigating the issue and will provide a resolution in an upcoming Windows update. Further communications will be provided when a resolution or additional workarounds are available. Affected platforms: - Client: Windows 11, version 24H2; Windows 11, version 23H2; Windows 11, version 22H2; Windows 10, version 22H2; Windows 10, version 21H2 - Server: Windows Server 2022; Windows Server 2019; Windows Server 2025; Windows Server 23H2 Click here (https://admin.microsoft.com/Adminportal/Home?#/windowsreleasehealth/:/wrhpreferences) to manage email notifications for Windows known issues ------------------------------------------------------ December 07, 2024 01:31 AM Following the installation of the October 2024 security update (KB5044285 (https://support.microsoft.com/help/5044285)), some customers report that the OpenSSH (https://learn.microsoft.com/windows-server/administration/openssh/openssh-overview) (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the sshd.exe process. This issue is affecting both enterprise, IOT, and education customers, with a limited number of devices impacted. Microsoft is investigating whether consumer customers using Home or Pro editions of Windows are affected. Workaround: Customers can temporarily resolve the issue by updating permissions (ACLs) on the affected directories. Follow these steps: 1. Open PowerShell as an Administrator. 2. Update the permissions for C:\ProgramData\ssh and C:\ProgramData\ssh\logs to allow full control for SYSTEM and the Administrators group, while allowing read access for Authenticated Users. You can restrict read access to specific users or groups by modifying the permissions string if needed. Use the following commands to update the permissions: $directoryPath = "C:\ProgramData\ssh" $acl = Get-Acl -Path $directoryPath $sddlString = "O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)" $securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString $acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All")) Set-Acl -Path $directoryPath -AclObject $acl 3. Repeat the above steps for C:\ProgramData\ssh\logs. Next steps: Microsoft is actively investigating the issue and will provide a resolution in an upcoming Windows update. Further communications will be provided when a resolution or additional workarounds are available. Affected platforms: - Client: Windows 11, version 23H2; Windows 11, version 22H2 - Server: Windows Server 2019; Windows Server 2022 Click here (https://admin.microsoft.com/Adminportal/Home?#/windowsreleasehealth/:/wrhpreferences) to manage email notifications for Windows known issues ------------------------------------------------------ October 23, 2024 19:19 PM Following the installation of the October 2024 security update (KB5044285 (https://support.microsoft.com/help/5044285)), some customers report that the OpenSSH (https://learn.microsoft.com/windows-server/administration/openssh/openssh-overview) (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the sshd.exe process. This issue is affecting both enterprise, IOT, and education customers, with a limited number of devices impacted. Microsoft is investigating whether consumer customers using Home or Pro editions of Windows are affected. Workaround: Customers can temporarily resolve the issue by updating permissions (ACLs) on the affected directories. Follow these steps: 1. Open PowerShell as an Administrator. 2. Update the permissions for C:\ProgramData\ssh and C:\ProgramData\ssh\logs to allow full control for SYSTEM and the Administrators group, while allowing read access for Authenticated Users. You can restrict read access to specific users or groups by modifying the permissions string if needed. Use the following commands to update the permissions: $directoryPath = "C:\ProgramData\ssh" $acl = Get-Acl -Path $directoryPath $sddlString = "O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)" $securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString $acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All")) Set-Acl -Path $directoryPath -AclObject $acl 3. Repeat the above steps for C:\ProgramData\ssh\logs. Next steps: Microsoft is actively investigating the issue and will provide a resolution in an upcoming Windows update. Further communications will be provided when a resolution or additional workarounds are available. Affected platforms: - Client: Windows 11, version 23H2; Windows 11, version 22H2 - Server: None ------------------------------------------------------ October 23, 2024 18:14 PM Following the installation of the October 2024 security update (KB5044285 (https://support.microsoft.com/help/5044285)), some customers report that the OpenSSH (https://learn.microsoft.com/windows-server/administration/openssh/openssh-overview) (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the sshd.exe process. This issue is affecting both enterprise, IOT, and education customers, with a limited number of devices impacted. Microsoft is investigating whether consumer customers using Home or Pro editions of Windows are affected. Workaround: Customers can temporarily resolve the issue by adjusting permissions in the affected directories. Follow these steps: 1. Open PowerShell as an Administrator. 2. Navigate to the directories with the following commands: <pre class="ql-syntax ql-indent-1" spellcheck="false">cd C:\ProgramData\ssh cd C:\ProgramData\ssh\logs 1. Ensure that only SYSTEM and Administrators have write access. Non-administrators should have read-only access. You can apply permissions using the following steps: - Get the current Access Control List (ACL): <pre class="ql-syntax ql-indent-1" spellcheck="false">Get-Acl C:\ProgramData\ssh - Set permissions: <pre class="ql-syntax ql-indent-1" spellcheck="false">$Acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "Allow"))) - Apply the ACL to the directory: <pre class="ql-syntax ql-indent-1" spellcheck="false">Set-Acl C:\ProgramData\ssh $Acl - Repeat the same steps for C:\ProgramData\ssh\logs. Next steps: Resolution: Affected platforms: - Client: Windows 11, version 23H2; Windows 11, version 22H2 - Server: None