Patch Tuesday updates spark errors when creating Hyper-V VMs
Something's broken, mom! Microsoft offers workaround while trying to think up a fix
Updates to Windows Server that were included in Microsoft's Patch Tuesday batch of fixes this week could trip up users who want to spin up new virtual machines in some Hyper-V hosts.
The software giant is warning the problem can arise after installing the KB5021249 or KB5021237 updates on Windows Server or Azure Stack HCI hosts that are managed by System Center Virtual Machine Manager (SCVMM) and are in software-defined networking (SDN)-enabled environments with a network controller.
The issue affects Windows Server 2019 and Windows Server 2022.
Windows administrators trying to create "a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM) with a Network Adapter joined to a VM network" could see errors pop up, Microsoft engineers wrote in an update in the Windows Health Dashboard.
Windows admins may get messages warning about Ethernet connection errors when creating a new VM or network adapter on an existing VM, if an SDN software load balancer service fails, or if an SDN RAS Gateway service fails, according to Microsoft.
Existing VMs with existing network adapters won't have connection issues after installing the update, the company said. Only new network adapters created after installing KB502129 will be affected.
- Windows Server domain controllers may stop, restart after recent updates
- Microsoft's attempts to harden Kerberos authentication broke it on Windows Servers
- Microsoft squashes six security bugs already exploited in the wild
- Unofficial fix emerges for Windows bug abused to infect home PCs with ransomware
Microsoft engineers are working on a fix for the problem that will be included in an upcoming release. In the meantime, the company has developed a workaround.
Users can open an elevated PowerShell window on all SCVMM-managed Hyper-V hosts by hitting the Start button and typing "powershell," then right clicking or long pressing on it. They can then select "Run as Administrator" and run the following commands:
$lang = (Get-WinSystemLocale).Name
C:\Windows\system32\wbem\mofcomp.exe C:\Windows\system32\wbem\en-US\VfpExt.mfl
C:\Windows\system32\wbem\mofcomp.exe C:\Windows\system32\wbem\VfpExt.mof
In addition, they can find a script for the workaround for large-scale deployments and a post-install script to be integrated with patching tools. Both scripts are available here.
Users don't have to reboot a system after applying the workaround, according to Microsoft. ®
Speaking of Microsoft... The Windows giant said on Tuesday it has suspended several third-party developer accounts that submitted malicious operating system hardware drivers for Microsoft to cryptographically sign. It has also, we're told, taken steps to block the use of this code.
Those drivers, once approved by Microsoft, would be trusted by people's Windows PCs, and could be used by miscreants on compromised machines to help fully take over systems. Essentially, someone would find a way to get onto a victim's computer, gain admin access, and then load one of these drivers to achieve further control over the system.
As discovered, disclosed to Microsoft, and this week publicly detailed by SentinelOne, Mandiant, and Sophos, cybercrime crews successfully managed to get their malicious drivers certified by Microsoft via its Windows Hardware Developer Program.
This includes a so-called POORTRY kernel-mode driver that would be used to kill off security and antivirus tools on the compromised Windows PC. This code was, it's reported, used to help infect networks with ransomware. It's said that the Hive gang and others made use of the drivers.
It would be great if Microsoft didn't approve malicious drivers submitted to its developer programs. "Microsoft Partner Center is also working on long-term solutions to address these deceptive practices and prevent future customer impacts," the biz said.