Microsoft has released an out of band update to fix the memory leak issues with the lsass process on Domain Controllers after applying the March 2024 cumulative update. Microsoft strongly recommends that the latest servicing stack updates are installed before applying the out of band patch.
This out of band patch is a cumulative update and can be installed in place of the normal March cumulative update that is published on Windows Update / local WSUS server. If you want this patch in WSUS you will have to side load it yourself.
We have confirmed in our testing environment that the lsass memory process was starting to creep up. We removed the March cumulative update and applied the out of band patch in our test environment and so far all seems good.
The below is copied from the Windows Message Center as of today. (Link below)
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3143
Out-of-band updates to address a Windows Server domain controller issue
Updated March 25, 2024
Microsoft has identified an issue that affects Windows Server domain controllers (DCs), and has expedited a resolution that can be applied to affected devices. Out-of-band (OOB) updates have been released for some versions of Windows today, March 22, 2024, to addresses this issue related to a memory leak in the Local Security Authority Subsystem Service (LSASS). This occurs when on-premises and cloud-based Active Directory domain controllers service Kerberos authentication requests.
This issue is not expected to impact Home users, as it is only observed in some versions of Windows Server. Domain controllers are not commonly used in personal and home devices.
Updates are available on the Microsoft Update Catalog only. These are cumulative updates, so you do not need to apply any previous update before installing them, and they supersede all previous updates for affected versions. If your organization uses the affected server platforms as DCs and you haven’t deployed the March 2024 security updated yet, we recommend you apply this OOB update instead. For more information and instructions on how to install this update on your device, consult the below resources for your version of Windows:
- Windows Server 2022: KB5037422
- Windows Server 2019: KB5037425
- Windows Server 2016: KB5037423
- Windows Server 2012 R2: KB5037426
As of March 25, 2024, all affected versions have been addressed via the updates above.