KB5041578 Causes Windows Server 2019 to have very slow performance.

Anonymous
2024-08-21T17:57:45+00:00

For the many others who I know have seen this by now - KB5041578 on Windows Server 2019 causes extreme slowness with the following symptoms:

  • Elevated CPU usage by the Cryptographic Services (CryptSvc)
  • Elevated Disk writes to c:\windows\system32\catroot2\edb.log
  • Very slow performance, with applications taking a very long time to launch, especially those requiring UAC/administrative elevation

Workaround:

  • Rename catroot2 to catroot2.old prior to, or after installing this update

Method:

  • Stop Bits, Wuauserv, CryptSvc
  • If doing this after installing the update, you will need to do a "taskkill /pid xxxx /f" based on the PID for CryptSvc, which can be found with the following command:
  • sc queryex servicename - sc queryex cryptsvc
  • Rename c:\windows\system32\catroot2 to catroot2.old
  • Restart the previously stopped services

I highly recommend disabling CryptSvc prior to stopping it, as it tends to start itself faster than you'll be able to rename the catroot2 folder. Don't forget to set it back to Automatic.

My questions:

  • What is Microsoft doing about this? Will they reissue this patch? We're currently pulling it from our deployments.
  • What other repercussions might be observed by renaming catroot2?

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.
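
The workaround steps from the question above, collected into one PowerShell script. This is an added example, not code from the original poster or from Microsoft. The timestamped fallback folder name and restarting only the services that were running beforehand are assumptions added here.

```powershell
#Requires -RunAsAdministrator
# Added example: the catroot2 rename workaround from the question, as one script.
$ErrorActionPreference = 'Stop'

$system32 = Join-Path $env:SystemRoot 'System32'
$catroot2 = Join-Path $system32 'catroot2'
$services = 'BITS', 'wuauserv', 'CryptSvc'

# Remember which services were running so only those are restarted afterwards.
$wasRunning = @(Get-Service -Name $services |
    Where-Object Status -eq 'Running' |
    Select-Object -ExpandProperty Name)

# Disable CryptSvc first so it cannot start itself again before the rename.
Set-Service -Name CryptSvc -StartupType Disabled

try {
    foreach ($name in $services) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }

    # Equivalent of "sc queryex cryptsvc" followed by "taskkill /pid <PID> /f".
    # ProcessId is 0 once the service has stopped. The PID belongs to an
    # svchost.exe process that may host other services as well.
    $cryptPid = (Get-CimInstance Win32_Service -Filter "Name='CryptSvc'").ProcessId
    if ($cryptPid -gt 0) {
        Stop-Process -Id $cryptPid -Force
        Start-Sleep -Seconds 2
    }

    # Assumption: if catroot2.old is left over from an earlier run, use a timestamped name.
    $newName = 'catroot2.old'
    if (Test-Path (Join-Path $system32 $newName)) {
        $newName = 'catroot2.{0:yyyyMMddHHmmss}.old' -f (Get-Date)
    }
    if (Test-Path $catroot2) {
        Rename-Item -Path $catroot2 -NewName $newName
    }
}
finally {
    # Always set CryptSvc back to Automatic, even if the rename failed.
    Set-Service -Name CryptSvc -StartupType Automatic
    foreach ($name in $services[2..0]) {          # CryptSvc first, BITS last
        if ($wasRunning -contains $name) {
            Start-Service -Name $name -ErrorAction Continue
        }
    }
}
```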


6 answers

  1. Anonymous
    2024-08-21T18:08:07+00:00

    An MSI was provided to us from MS support. It is a KIR (known issue rollback) which allows the patch to be installed but rolls back the specific code that is causing the latency issues. When the MSI is run, ADMX files are loaded on the endpoint. These also need to be copied to the Domain Controller ADMX files so a GPO can be created for it.

    I have packaged this MSI in Tanium, it appears to be for generic use. Working on getting access to the rest of the enterprise.

    FROM MICROSOFT SUPPORT ENGINEER:

    This will disable the code change that got enabled via the update shipped on August 13th (KB5041578).

    KIR instructions:

    1. Download the file from the above portal link
    2. The installation of the MSI file will install ADMX and ADML files with filenames that provide insight about the name of the group policy setting that disables the regressing fix.
    3. Configure the following KIR Group Policy Settings to “Disabled”

    KIRs can be configured in Local policy or at enterprise scale in Domain Policy.

    To configure the KIR in Local Group Policy, click on the start menu and type “gpedit.msc” + enter

    Set the OS version-specific GP setting to "Disabled"

    The default setting for KIR group policy settings is “Not Configured”.

    Path: Computer Configuration -> Administrative Templates -> KB5041578 240816_2150 Known Issue Rollback -> Windows 10, version 1809 and Windows Server 2019

    Setting: KB5041578 240816_2150 Known Issue Rollback

    Value: Disabled

    Reboot Requirements: A reboot is required once the device has applied the KIR GP setting

    4. Refresh policy then reboot
      KIR GP settings defined in local policy take effect as soon as the KIR GP setting has been defined and the device rebooted.
      Devices applying KIR GP settings defined in domain policy must wait for domain controllers to replicate group policy changes in Active Directory and the SYSVOL, followed by a background or manual group policy refresh, followed by an OS reboot to apply the KIR.
      Some customers may pre-populate the policy setting prior to installing a Windows Update so that the reboot triggered by the installation of the Windows Update also "commits" the KIR.
    2 people found this answer helpful.
  2. Anonymous
    2024-08-24T17:21:46+00:00

    Pretty bold assumption that all 2019 machines are in an AD domain and can be fixed this way. Reality says 1000s of 2019 machines are not in an AD domain so this solution is narrow minded.

    3 people found this answer helpful.
  3. Anonymous
    2024-08-29T02:49:53+00:00

    I've had a pretty good long IT career and this by far was one of the most obscure things I ever had the misfortune of being on call and having to remotely implement. This information saved a client of mine tonight from complete rollback. Thank you for posting this.

  4. Anonymous
    2024-09-05T06:54:18+00:00

    Hello,

    Thank you for posting in Microsoft Community forum.

    Based on the description, I understand your question is related to a Server 2019 update issue.

    According to your description, this might be related to the known issue below, caused by KB5041578.

    Windows 10, version 1809 and Windows Server 2019 | Microsoft Learn

    After installing the August 2024 Windows security update, released August 13, 2024 (KB5041578), you might observe that some Windows Server 2019 devices experience system slowdowns, unresponsiveness, and high CPU usage particularly with Cryptographic Services.

    Resolution: This issue is resolved using Known Issue Rollback: Helping you keep Windows devices protected and productive - Microsoft Community Hub. IT administrators can resolve this issue by installing and configuring the special Group Policy listed below. The special Group Policy can be found in Computer Configuration -> Administrative Templates -> <Group Policy name listed below>.

    For information on deploying and configuring these special Group Policy, please see Use Group Policy to deploy a Known Issue Rollback - Windows Client | Microsoft Learn

    Have a nice day. 

    Best Regards,

    Molly

  5. Anonymous
    2024-09-05T12:27:56+00:00

    Group policy is old news. Many companies don't use AD anymore.
