Installing Microsoft's January 11th 2022 patch (KB5009624) is causing Windows Server to crash during User-ID Credential Agent Initiation

Created On 09/20/22 17:05 PM - Last Modified 03/21/23 18:10 PM


Symptom


Upon installing Microsoft's January 11th 2022 patch (KB5009624), Windows Server can crash during User-ID Credential Agent initiation.



Environment


  • User-ID Credential Agent installed on one of the following Windows Server versions:
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016



Cause


To collect credentials, the Credential Phishing Prevention agent (UaCredService) needs to acquire a handle to the LSASS process (lsass.exe) on the Windows Server. This issue occurs when UaCredService tries to acquire a handle to LSASS with permissions to modify its memory.

When this issue occurs, the Application event log on the Windows Server will show an error related to lsass.exe as shown below.

(To view Application Event logs, open Control Panel, select System and Security, and then, in the Administrative Tools section, select View event logs. The Event Viewer window opens. In the console tree, navigate to Windows Logs, then Application).

Application Event log

A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000096. The machine must now be restarted.

When this issue occurs, the Credential Agent debug log (UaCredDebug) on the Windows Server will show errors similar to the ones shown below.

(You can find the UaCredDebug log in C:\Program Files\Palo Alto Networks\User-ID Credential Agent.)

UaCredDebug log

02/11/22 14:09:17:618 [ Info 2055]: ------------Service is being started------------
02/11/22 14:09:17:620 [ Info 2062]: Os version is 6.2.0.
02/11/22 14:09:17:620 [ Info 389]: Load debug log level Info.
02/11/22 14:09:17:621 [ Info 247]: Service version is 10.1.0.21.
02/11/22 14:09:17:621 [ Info 392]: Product version is 1.
02/11/22 14:09:17:621 [ Info 313]: Named pipe for UaService created.
02/11/22 14:09:17:621 [Error 337]: UaService not ready. Unable to fetch config. 2 (The system cannot find the file specified.
)
02/11/22 14:09:17:622 [Error 423]: Unable to get initial config, retrying
02/11/22 14:09:22:626 [Error 337]: UaService not ready. Unable to fetch config. 2 (The system cannot find the file specified.
)
02/11/22 14:09:33:489 [Error 162]: lsa get handle OpenProcess SamSs failed.
02/11/22 14:09:33:504 [Error 716]: Unable to extract credentials.
02/11/22 14:09:34:735 [Error 162]: lsa get handle OpenProcess SamSs failed.
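The two log excerpts above are the only reliable signature of this condition, so a practitioner will usually want to check a collected UaCredDebug log for it rather than wait for the server to restart. The following is an added example (not Palo Alto Networks code): it parses the UaCredDebug line format seen above, reads the reported OS version, and reports whether the `lsa get handle OpenProcess SamSs failed` error that precedes the LSASS crash is present. The mapping from kernel version to Windows Server release is an assumption added here (6.2 is Server 2012, 6.3 is Server 2012 R2; 10.0 is shared by Server 2016 and 2019, so the log alone cannot distinguish the affected 2016 from the fixed 2019), and the sample log is the excerpt quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Line format observed in the UaCredDebug excerpt above:
#   MM/DD/YY HH:MM:SS:mmm [ Level NNNN]: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3}) "
    r"\[\s*(?P<level>\w+)\s+(?P<code>\d+)\]: (?P<msg>.*)$"
)

# Error text logged when UaCredService cannot open a handle to lsass.exe.
LSASS_HANDLE_FAILURE = "lsa get handle OpenProcess SamSs failed"

# Assumed mapping of the NT version in "Os version is X.Y.Z" to a Server release.
# 10.0 is reported by both Server 2016 and Server 2019, so it is ambiguous here.
OS_VERSIONS = {
    "6.2": "Windows Server 2012",
    "6.3": "Windows Server 2012 R2",
    "10.0": "Windows Server 2016 or 2019",
}


@dataclass
class Entry:
    timestamp: str
    level: str
    code: int
    message: str


def parse_log(lines: Iterable[str]) -> List[Entry]:
    """Parse UaCredDebug lines. Lines that do not start a new entry (such as the
    lone ')' that wraps a Windows error string) are appended to the previous entry."""
    entries: List[Entry] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["level"], int(m["code"]), m["msg"]))
        elif entries and line.strip():
            entries[-1].message += " " + line.strip()
    return entries


def os_version(entries: List[Entry]) -> Optional[str]:
    """Return the Server release named by the 'Os version is' line, if present."""
    for e in entries:
        m = re.match(r"Os version is (\d+\.\d+)", e.message)
        if m:
            return OS_VERSIONS.get(m.group(1), f"unknown ({m.group(1)})")
    return None


def lsass_handle_failures(entries: List[Entry]) -> List[Entry]:
    """Error entries showing the agent failed to open a handle to lsass.exe."""
    return [e for e in entries if e.level == "Error" and LSASS_HANDLE_FAILURE in e.message]


def assess(lines: Iterable[str]) -> dict:
    """Summarise whether a UaCredDebug log matches the symptom in this article."""
    entries = parse_log(lines)
    failures = lsass_handle_failures(entries)
    return {
        "os": os_version(entries),
        "entries": len(entries),
        "failure_count": len(failures),
        "first_failure": failures[0].timestamp if failures else None,
        "matches_kb_symptom": bool(failures),
    }


# Sample input: the UaCredDebug excerpt quoted on this page, embedded for an offline run.
SAMPLE_LOG = """\
02/11/22 14:09:17:618 [ Info 2055]: ------------Service is being started------------
02/11/22 14:09:17:620 [ Info 2062]: Os version is 6.2.0.
02/11/22 14:09:17:620 [ Info 389]: Load debug log level Info.
02/11/22 14:09:17:621 [ Info 247]: Service version is 10.1.0.21.
02/11/22 14:09:17:621 [ Info 392]: Product version is 1.
02/11/22 14:09:17:621 [ Info 313]: Named pipe for UaService created.
02/11/22 14:09:17:621 [Error 337]: UaService not ready. Unable to fetch config. 2 (The system cannot find the file specified.
)
02/11/22 14:09:17:622 [Error 423]: Unable to get initial config, retrying
02/11/22 14:09:22:626 [Error 337]: UaService not ready. Unable to fetch config. 2 (The system cannot find the file specified.
)
02/11/22 14:09:33:489 [Error 162]: lsa get handle OpenProcess SamSs failed.
02/11/22 14:09:33:504 [Error 716]: Unable to extract credentials.
02/11/22 14:09:34:735 [Error 162]: lsa get handle OpenProcess SamSs failed.
""".splitlines()

if __name__ == "__main__":
    # On a real server, replace SAMPLE_LOG with the lines of the UaCredDebug file.
    print(assess(SAMPLE_LOG))
```

The "UaService not ready" errors at startup are ordinary retry noise and are deliberately not treated as the signature; only the `OpenProcess` failure on LSASS, which immediately precedes the `c0000096` crash in the Application event log, is counted.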
Resolution


Our investigation determined that the root cause of this issue is a change to the Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 operating systems contained in the January 2022 patches. The path forward to address the issue requires an upgrade to Windows Server 2019.

To resolve this issue, an administrator will need to upgrade the RODC (read-only domain controller) that the Credential Phishing Prevention agent is installed on to Windows Server 2019 and install one of the newly released agents.

The newly released agents are:

  • 10.2.1
  • 10.1.1
  • 10.0.6
  • 9.1.4

Summary
  • To resolve the issue: 
    • The RODC that the Credential Phishing Prevention agent is installed on must be upgraded to Windows Server 2019
    • One of the new versions of the Credential Phishing Prevention agent must be installed:
      • 10.2.1
      • 10.1.1
      • 10.0.6
      • 9.1.4
  • If you cannot upgrade your servers to Windows Server 2019, you can either:
    • Roll back patches released on or after January 2022 on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    • Use one of the two other available credential phishing prevention methods:
      • Group Mapping
      • IP User Mapping


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZCACA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail