BugZero | Microsoft Windows Server BugID WI926820 - Domain controllers may experience high LSASS CPU u...

Microsoft Windows Server - Defect ID: WI926820

Domain controllers may experience high LSASS CPU usage

Microsoft Windows Server - Defect ID: WI926820

Domain controllers may experience high LSASS CPU usage

Last updated on 12/16/2024

Overall: 7.87.8

Community: 5.85.8

Lifecycle: 8.48.4

What is the BugZero Risk Score?

Vendor details

Priority: Unspecified
Status: Mitigated

Overall: 7.87.8

Community: 5.85.8

Lifecycle: 8.48.4

What is the BugZero Risk Score?

Vendor details

Priority: Unspecified
Status: Mitigated

Impact: Enterprise DCs may see high LSASS CPU usage with RDS Licensing Servers Originating KB URL: https://support.microsoft.com/en-us/topic/5046617 Originating KB Release Date: 2024-11-12T10:00:00-08:00 Originating Build: 26100.2314 Resolved KB URL: All Updates: ------------------------------------------------------ December 16, 2024 22:10 PM After Remote Desktop Services (https://learn.microsoft.com/windows-server/remote/remote-desktop-services/remote-desktop-services-overview) (RDS) Licensing servers are patched with the Windows security updates released September 10, 2024 (KB5046617 (https://aka.ms/WinServer2025/5046617)) or later, domain controllers (DCS) might experience high CPU utilization in the Local Security Authority Subsystem Service (https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/?msockid=2a19c4d575ce66a32f57d018747467bb) (LSASS) process. The issue occurs due to Lightweight Directory Access Protocol (https://learn.microsoft.com/previous-versions/windows/desktop/ldap/what-is-ldap) (LDAP) query tasks issued by (RDS) License Servers that must use attributes that are not indexed by default. This high CPU usage on DCs is particularly noticeable in environments with many RDS user logons. It is important to note that no update on the domain controllers (DCs) themselves is causing this issue. Instead, the problem arises when an updated RDS Licensing Server (RDLS)—patched with 9B or later—communicates with the DC. This issue is specific to enterprise customers that have deployed RDS Licensing Servers and Active Directory domain controllers used in business and commercial environments. Workaround: To prevent high CPU usage on Domain Controllers (DCs) after installing the September 2024 security update on RDS Licensing Servers, follow these steps to index the DNSHostname attribute in Active Directory as a prerequisite. Important: This indexing step must be completed before applying the update. It only needs to be done once. To complete the indexing, follow these steps: 1. Open the Microsoft Management Console (MMC): a. Right-click the Start button, select Run, and type mmc, then press Enter. 2. Add the Active Directory Schema Snap-in: b. In MMC, go to File > Add/Remove Snap-in. c. Select Active Directory Schema from the list of available snap-ins and click Add, then click OK. 3. Navigate to the Attributes Section: d. In the left-hand pane, click Attributes under the Active Directory Schema. 4. Locate and Select the DNSHostname Attribute: e. In the right-hand pane, find the DNSHostname attribute, right-click it, and select Properties. 5. Enable Indexing: f. Check the box next to "Index this attribute in Active Directory," and click Apply. 6. Close the Console: g. Close the Active Directory Schema snap-in once you've completed the changes. For detailed instructions on indexing attributes, refer to Microsoft Community Hub – Indexing in Active Directory (#). Next steps: We are investigating this issue and will provide more information when available. We recommend you install the latest update for your devices as it contains important improvements and issue resolutions. Affected platforms: - Client: Windows 11, version 24H2 - Server: - Windows Server 2012 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 - Windows Server, Version 23H2 - Windows Server 2025 ------------------------------------------------------ November 12, 2024 18:05 PM After Windows Server 2025 has been installed on Remote Desktop Services (https://learn.microsoft.com/windows-server/remote/remote-desktop-services/remote-desktop-services-overview) (RDS) Licensing servers, domain controllers (DCS) might experience high CPU utilization in the Local Security Authority Subsystem Service (https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/?msockid=2a19c4d575ce66a32f57d018747467bb) (LSASS) process. The issue occurs due to Lightweight Directory Access Protocol (https://learn.microsoft.com/previous-versions/windows/desktop/ldap/what-is-ldap) (LDAP) query tasks issued by (RDS) License Servers that must use attributes that are not indexed by default. This high CPU usage on DCs is particularly noticeable in environments with many RDS user logons. It is important to note that no update on the domain controllers themselves is causing this issue. Instead, the problem arises when an updated RDS Licensing Server—patched with 9B or later—communicates with the DC. This issue is specific to enterprise customers that have deployed RDS Licensing Servers and Active Directory domain controllers used in business and commercial environments. Workaround: To prevent high CPU usage on Domain Controllers (DCs) after installing the September 2024 security update on RDS Licensing Servers, follow these steps to index the DNSHostname attribute in Active Directory as a prerequisite. Important: This indexing step must be completed before applying the update. It only needs to be done once. To complete the indexing, follow these steps: 1. Open the Microsoft Management Console (MMC): a. Right-click the Start button, select Run, and type mmc, then press Enter. 2. Add the Active Directory Schema Snap-in: b. In MMC, go to File > Add/Remove Snap-in. c. Select Active Directory Schema from the list of available snap-ins and click Add, then click OK. 3. Navigate to the Attributes Section: d. In the left-hand pane, click Attributes under the Active Directory Schema. 4. Locate and Select the DNSHostname Attribute: e. In the right-hand pane, find the DNSHostname attribute, right-click it, and select Properties. 5. Enable Indexing: f. Check the box next to "Index this attribute in Active Directory," and click Apply. 6. Close the Console: g. Close the Active Directory Schema snap-in once you've completed the changes. For detailed instructions on indexing attributes, refer to Microsoft Community Hub – Indexing in Active Directory (#). Affected platforms: - Client: None - Server: Windows Server 2025; Windows Server, version 23H2; Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2, Windows Server 2008 SP2 Click here (https://admin.microsoft.com/Adminportal/Home?#/windowsreleasehealth/:/wrhpreferences) to manage email notifications for Windows known issues ------------------------------------------------------ November 06, 2024 21:15 PM After Remote Desktop Services (https://learn.microsoft.com/windows-server/remote/remote-desktop-services/remote-desktop-services-overview) (RDS) Licensing servers are patched with the Windows security updates released September 10, 2024 () or later, domain controllers (DCS) might experience high CPU utilization in the Local Security Authority Subsystem Service (https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/?msockid=2a19c4d575ce66a32f57d018747467bb) (LSASS) process. The issue occurs due to Lightweight Directory Access Protocol (https://learn.microsoft.com/previous-versions/windows/desktop/ldap/what-is-ldap) (LDAP) query tasks issued by (RDS) License Servers that must use attributes that are not indexed by default. This high CPU usage on DCs is particularly noticeable in environments with many RDS user logons. It is important to note that no update on the domain controllers themselves is causing this issue. Instead, the problem arises when an updated RDS Licensing Server—patched with 9B or later—communicates with the DC. This issue is specific to enterprise customers that have deployed RDS Licensing Servers and Active Directory domain controllers used in business and commercial environments. Workaround: To prevent high CPU usage on Domain Controllers (DCs) after installing the September 2024 security update on RDS Licensing Servers, follow these steps to index the DNSHostname attribute in Active Directory as a prerequisite. Important: This indexing step must be completed before applying the update. It only needs to be done once. To complete the indexing, follow these steps: 1. Open the Microsoft Management Console (MMC): a. Right-click the Start button, select Run, and type mmc, then press Enter. 2. Add the Active Directory Schema Snap-in: b. In MMC, go to File > Add/Remove Snap-in. c. Select Active Directory Schema from the list of available snap-ins and click Add, then click OK. 3. Navigate to the Attributes Section: d. In the left-hand pane, click Attributes under the Active Directory Schema. 4. Locate and Select the DNSHostname Attribute: e. In the right-hand pane, find the DNSHostname attribute, right-click it, and select Properties. 5. Enable Indexing: f. Check the box next to "Index this attribute in Active Directory," and click Apply. 6. Close the Console: g. Close the Active Directory Schema snap-in once you've completed the changes. For detailed instructions on indexing attributes, refer to Microsoft Community Hub – Indexing in Active Directory (#). Next steps: We are investigating this issue and will provide more information when available. We recommend you install the latest update for your devices as it contains important improvements and issue resolutions. Affected platforms: - Client: None - Server: Windows Server 2025; Windows Server, version 23H2; Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2, Windows Server 2008 SP2 ------------------------------------------------------ November 06, 2024 20:45 PM After Remote Desktop Services (https://learn.microsoft.com/windows-server/remote/remote-desktop-services/remote-desktop-services-overview) (RDS) Licensing servers are patched with the Windows security updates released September 10, 2024 () or later, domain controllers (DCS) might experience high CPU utilization in the Local Security Authority Subsystem Service (https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/?msockid=2a19c4d575ce66a32f57d018747467bb) (LSASS) process. The issue occurs due to Lightweight Directory Access Protocol (https://learn.microsoft.com/previous-versions/windows/desktop/ldap/what-is-ldap) (LDAP) query tasks issued by (RDS) License Servers that must use attributes that are not indexed by default. This high CPU usage on DCs is particularly noticeable in environments with many RDS user logons. It is important to note that no update on the domain controllers (DCs) themselves is causing this issue. Instead, the problem arises when an updated RDS Licensing Server (RDLS)—patched with 9B or later—communicates with the DC. This issue is specific to enterprise customers that have deployed RDS Licensing Servers and Active Directory domain controllers used in business and commercial environments. Workaround: To prevent high CPU usage on Domain Controllers (DCs) after installing the September 2024 security update on RDS Licensing Servers, follow these steps to index the DNSHostname attribute in Active Directory as a prerequisite. Important: This indexing step must be completed before applying the update. It only needs to be done once. To complete the indexing, follow these steps: 1. Open the Microsoft Management Console (MMC): a. Right-click the Start button, select Run, and type mmc, then press Enter. 2. Add the Active Directory Schema Snap-in: b. In MMC, go to File > Add/Remove Snap-in. c. Select Active Directory Schema from the list of available snap-ins and click Add, then click OK. 3. Navigate to the Attributes Section: d. In the left-hand pane, click Attributes under the Active Directory Schema. 4. Locate and Select the DNSHostname Attribute: e. In the right-hand pane, find the DNSHostname attribute, right-click it, and select Properties. 5. Enable Indexing: f. Check the box next to "Index this attribute in Active Directory," and click Apply. 6. Close the Console: g. Close the Active Directory Schema snap-in once you've completed the changes. For detailed instructions on indexing attributes, refer to Microsoft Community Hub – Indexing in Active Directory (#). Next steps: We are investigating this issue and will provide more information when available. We recommend you install the latest update for your devices as it contains important improvements and issue resolutions. Affected platforms: - Client: None - Server: - Windows Server 2008 R2 - Windows Server 2008 SP2 - Windows Server 2012 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 - Windows Server, Version 23H2 - Windows Server 2025

Original Vendor Announcement

No bugs this month

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Microsoft Windows Server - Defect ID: WI926820

Domain controllers may experience high LSASS CPU usage

Microsoft Windows Server - Defect ID: WI926820

Domain controllers may experience high LSASS CPU usage

Last updated on 12/16/2024

Vendor details

Vendor details

Description

Links

Top Microsoft Windows Server defects by risk score

Ready to prevent the next vendor outage?