KB3213986 Causes Logon Failures When Starting BITS Service - Please fix
After installing update KB3213986 on Server 2016 Desktop Experience, a failed logon is logged every time the BITS service is started.
Failed Logon Event:
Log Name: Security
Date: 2/27/2017 1:27:10 PM
Event ID: 4625
Task Category: Logon
Keywords: Audit Failure
An account failed to log on.
Security ID: SYSTEM
Account Name: PLB-DXX-TP01$
Account Domain: DEV-PRODUCTS
Logon ID: 0x3E7
Logon Type: 5
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: -
Account Domain: -
Failure Reason: An Error occured during Logon.
Sub Status: 0xC0000073
Caller Process ID: 0x49c
Caller Process Name: C:\Windows\System32\svchost.exe
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Removing the update resolves the issue. I've tested this on multiple fresh installs of Windows Server 2016 from media.
The failed logon is problematic because it triggers false-positives in our monitoring solutions.
The issue is easily reproducible.
This is fixed in all OS versions as of March 22, 2018. Patch info:
Windows 10 version 1607 and Windows Server 2016 - KB4088889 (https://support.microsoft.com/en-us/help/4088889)
Windows 10 version 1703 - KB4088891 (https://support.microsoft.com/en-us/help/4088891)
Windows 10 version 1709 - KB4089848 (https://support.microsoft.com/en-us/help/4089848)
Shyam Soni commented
Still getting same event on Windows Server 2016 version 1607 (build 14393.2097)
Will this be released as a patch vs an OS release?
This issue is fixed in Windows 10 Insider Preview Build 17074: https://blogs.windows.com/windowsexperience/2018/01/11/announcing-windows-10-insider-preview-build-17074-pc/#hXEdwUJ5Qfgakev3.97
Stay tuned for further updates.
Jarrod Picha commented
Is there an anticipated timeframe for a fix on this issue? I can still replicate it at will by turning the BITS service on and off.
We are seeing it across numerous computers at this point and triggering alerts on our security monitoring system.
The product team is aware of the issue and actively working on a fix.
Curtis Gray commented
MS is more like Apple every day. Charge more. Deliver quantity instead of quality. Could seemingly care less about impact of updates to business or the associated disruption of IT staff. Wouldn't it be great if fixes were rigorously tested across all the platforms affected before deployment? All I can figure is they must Linux to do their development so they can have a stable platform. If Bill came to work and rebooted his computer because an update required it, and wasn't able to use it again for several hours while it installed, or several services were broken because of the update, without warning and, in many cases, no way to easily retreat, and it affected hundreds or thousands of his users such that IT had to stop doing everything to do triage on an update, I wonder how well that would go over.
Agreed, i'm seeing this as well across numerous computers. I haven't found anything unique about the situation other than being Windows 10 laptops.
Mark Studer commented
@Ned Pyle - Any update on this? It's been broken for 7 months now.
This issue has also impacted my monitoring efforts. Considering moving my server back to Linux OS.
Velvet Thunder commented
Still getting this one with a new Server 2016 RDS build. Has anyone found a fix?
Namey McNameface commented
Is there an update? This error is annoying.
Same problem on Windows 10 Enterprise, Creators Update, patched with June 2017 updates.
The issue unfortunately is still there...
I am seeing this issue with multiple windows 10 pro desktops. We do not have that KB installed but I can stop and start the Bits services and the log is sent to our SIEM
Generic Name commented
We are seeing this behavior as well, we are getting multiple alerts per day from our SIEM platform.
Matt Soler commented
I too am having this issue with two 2016 domain controllers.
Richad H. Shores commented
Having same issue after installing update.
Thanks, I've reached out the BITS owners for comment. I may also email you further, depending on their reply, please keep an eye on that inbox.