SOLVED

January 2022 Quality Update Breaks VPN Connections

Brass Contributor

A couple forum posts:

Re: Client VPN Error After January Windows Updates - The Meraki Community

 

KB5009543 - January 11, 2022 Breaks L2TP VPN Connections : sysadmin (reddit.com)

 

These clearly outline the issue with the latest updates breaking VPN connectivity for many Meraki VPN systems (and perhaps others). Rolling back the update resolves the issue.

 

A couple questions for the Windows update team:

1. Any idea when Microsoft will be able to review, confirm and correct this issue?

2. If Microsoft were to release a fix for this part way through the month, how would you typically recommend this get deployed? Windows update for Business doesn't allow us to control/deploy anything other than the Feature and Quality updates. Is the recommendation to just remain unpatched until the February Quality update catches things up and presumably includes a fix for the VPN issue?

31 Replies
Have just discovered this. Please let us know when we can expect a fix.

@Theo_Stauffer 

 

Morning,

Currently the work around is to uninstall the windows update (KB5009543), once uninstalled you will then need to restart your PC. After you have done this you will then be able to connect to the VPN.

 

Once you have tested the VPN connection and it was successful I would suggest to run "wushowhide" and hide the update so it doesn't reinstall until a fix has been released, however you don't need to do this bit for the VPN to work.

 

This is just a work around until a fix has been released for this issue.

 

Regards

@Atticraider 
Attempts to uninstall using elevated command prompt and attempts to restore to a restore point both fail on my win10 desktop that I need to access my employer's network over l2tp (ipsec) using windows client. Is there another work around. I need this to continue in my job.

Thank you for sharing this is a known issue and Microsoft is aware of it and is working on the fix. As a workaround you may disable the "Vendor ID" in the VPN server (note not all VPN servers have this option).
In case it didn't work, you may uninstall the update.
Take a look at:
https://support.microsoft.com/en-us/topic/january-11-2022-kb5009566-os-build-22000-434-eee797fa-5ee3...

The option to be renoved from IPsec server's response is Vendor ID (instead of Vector ID), according to the referred link, but there are dozens of vendor ids, with different purposes each, that are exchanged between the client an the server. For example, to negotiate dead peer detection, tunnel over NAT, Xauth authentication, many really needed to establish a tunnel. I'll try to test some configuration on server side to try to disable some.

Microsoft is working on it and they will share update soon.

Can someone detail how we can disable Vendor ID?@BrianG-PPN 

Now we are uninstalling KB50095643 and pausing the update. on each client devices
Microsoft, this is kind of critical and certainly not only for us. Our VPN does not expose any Vendor ID that can be disabled and we have 60% of our company in home office due to the pandemic. Uninstalling the security update and pausing updates for 7 days is not a good solution. Please expedite a fix.

@Theo_Stauffer good news, MS released a patch yesterday and it worked for me. you can let your windows updates go through and KB5010793 will fix the issue that was introduced by KB5009543

Thank you so much. I really appreciate that Microsoft managed to get a fix out this rapidly.
Like I mentioned earlier Microsoft has been working on this issue and they released an update to fix it and in case you update your Windows , it will fix the issue.
Take a look at:
https://support.microsoft.com/en-us/topic/january-17-2022-kb5010793-os-builds-19042-1469-19043-1469-...
Microsoft still doesn't release these out of band updates via the Windows Update for Business release channel which is how we distribute all of our updates (using update rings in Intune). Why is this not able to be deployed and managed through Microsoft's native tools that they seem to recommend so strongly for cloud-based update management?
This is like emergency update and only those affected should download it. It will be available in next cumulative update.
I understand that it's an emergency update but we *are* affected and we manage our updates exclusively through Intune update rings in the cloud (we don't have on-prem infrastructure to assist with this).

In these emergency update cases we're now stuck either remaining unpatched for the rest of the month (not ideal from a security perspective) or we would resume our updates and then manually connect to each computer and install the update we manually download from the Windows Update catalogue. You can see how that's not really ideal, right? Now that the patch is out and fixed it would be ideal if we could push that out via Intune update rings to get users fully patched and fully functional.

@BrianG-PPN I can confirm the update works, but I got really surprised it is not released as critical update, as it does not seems reasonable Microsoft stop half the companies in the world and does not releases it to automatic applying. Testing, I installed all updates (as I asked all my customers to do) and the bug was there. So I could see one must choose the "Optional Updates", click on the bug correction and apply it manually. It will keep a lot of enterprises, where a technician cannot come computer by computer, in the Cave Era for some time yet.

The update works however when using Windows Update for Business the "Optional Updates" section within the Windows Update tool is not available so this isn't an option for distributing the updates. If you navigate to the page describing the out of band update here: https://support.microsoft.com/en-us/topic/january-17-2022-kb5010795-os-build-22000-438-out-of-band-2... you can see (in the How to Get This Update section under Windows Update for Business) that it's not available through that release channel. So the behaviour is apparently "as designed" or "expected" but frustrating when we have an OOB update that we'd like to distribute efficiently.
best response confirmed by BrianG-PPN (Brass Contributor)
Solution
Yes, your argument is valid.
As a workaround you may use "Win32 app management" in Microsoft Intune and download the package from the Microsoft Update Catalogue and then deploy it using the Microsoft Intune, take a look at:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-deploy-update-package
I know it is a bit challenging but it is possible to deploy updates in the Microsoft Intune too.

@BrianG-PPN I've got the exact same issue. It's frustrating as using WU4B is what MS recommend for a company like ours and now we are getting the worst experience when it comes to resolving an issue they have introduced.

I've also found pausing the update rings has not stopped this update from going out to some users.

1 best response

Accepted Solutions
best response confirmed by BrianG-PPN (Brass Contributor)
Solution
Yes, your argument is valid.
As a workaround you may use "Win32 app management" in Microsoft Intune and download the package from the Microsoft Update Catalogue and then deploy it using the Microsoft Intune, take a look at:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-deploy-update-package
I know it is a bit challenging but it is possible to deploy updates in the Microsoft Intune too.

View solution in original post