Microsoft confesses April Windows update breaks some VPN connections

Microsoft admits that April's Windows update can potentially cause VPN connection failures in both Windows 10 and 11. The issue affects both the April 2024 security (KB5036893 for Windows 11, KB5036892 for Windows 10) installations and non-security preview updates. The security update was released on April 9, and Microsoft …

  1. Alien Doctor 1.1

    Slightly off topic...

    but seeing the mention in the article about windows services, can anyone advise me about any reputable sites that will list services under w10 that I can disable? I am only thinking of my gaming machine, not a work one.

    Many years ago I could handle editing config.sys and autoexec.bat to free up so many system resources my pc's ran so brilliantly; now it just appears to be such a mess under the hood that one mistaken change could result in a bricking.

    1. Mike 137 Silver badge

      Re: Slightly off topic...

      "now it just appears to be such a mess under the hood that one mistaken change could result in a bricking"

      And not only mistakes by the user. The tortuous mess of code called "windows" is now so obscure even to its developers that increasingly often one fix of some stupid error requires another fix that requires another ...

      1. aerogems Silver badge

        Re: Slightly off topic...

        Can we just answer the question without making it a Windows vs Linux holy war? I'm sure there are plenty of mailing lists, forums, discord servers, and whatever else out there if that's what you're into. If you can't, or won't, answer the question, don't respond. How difficult is that? NOT doing something.

        1. AJ MacLeod

          Re: Slightly off topic...

          Nobody mentioned Linux but you...

          1. aerogems Silver badge

            Re: Slightly off topic...

            Apology accepted

        2. Mike 125

          Re: Slightly off topic...

          > don't respond. How difficult is that? NOT doing something.

          Do you mean like you just... did?

          I love a good dose of irony in the morning.

    2. vtcodger Silver badge

      Re: Slightly off topic...

      "Many years ago I could handle editing config.sys and autoexec.bat to free up so many system resources my pc's ran so brilliantly; now it just appears to be such a mess ..."

      Well, that was back in the dreary days of MSDOS with klunky Windows 3.11 or (to some extent) 95 or 98 or ME. But users wanted, nay demanded (or so we were told) a modern operating system with data stored in a modern self-documenting data registry. Conceptually, you can edit the registry to achieve what you wish. But since there are seventeen zillion entries and no coherent public documentation of the content, you are encouraged to leave registry changes up to the professionals. Of course the pros don't seem to actually understand the system very well either.

      The alternative would be to switch to a unix of some sort which for the most part stores configuration in stodgy old text files -- mostly with comment lines that at least try to describe what the settings mean. Caveat -- while unix really is a more sensible alternative than Windows for many people, tuning it tends to be a lot of work. Possible does not mean easy. The other alternative is Apple. Personally I am not now and never have been Apple compatible. But a significant number of people seem to be able to coexist with it in a relatively harmonious manner.

      1. aerogems Silver badge

        Re: Slightly off topic...

        Or... they could just google their question, find websites devoted to which Windows services can be safely disabled, and go about their day. They weren't asking about making some obscure preference change, they were talking about the modern equivalent to getting rid of TSRs.

    3. aerogems Silver badge

      Re: Slightly off topic...

      There are whole websites devoted to that kind of thing. You just need to google it and you should have no trouble finding multiple sites listing a lot of common services that you can turn off safely. My personal suggestion would be to set things to "manual" first, and check for a couple days to make sure nothing started the service before moving it to disabled.

  2. Anonymous Coward

    It's only a minor issue (Joke Alert)

    I am not seeing any problems with Windows 8 and Windows 7 so this is only a minor issue (for me).

  3. Dan 55 Silver badge

    Death by 1000 updates

    If January's update didn't get you, this month's might.

    Don't you dare try another platform though, it's not the industry standard.

  4. 43300 Silver badge

    "Microsoft noted that the problem might also occur on its server platforms, from Windows Server 2008"

    Which is outside of even the most extended-extended support (i.e. running it on Azure). So if you install the patch which wasn't issued anyway, it might cause the listed problem. Right. Gotcha!

    1. Grogan Silver badge

      The word "from" is significant there. It implies what follows. They say it that way, because the problematic code is present in all server products starting with 2008. Because it's a server edition, it gets a mention (while they wouldn't bother to list Windows Vista, 7, 8 etc. consumer products)

      1. 43300 Silver badge

        The problem only seems to arise though when the patch is installed, so if there's no patch, this particular issue presumably won't arise? i.e. it's the patch which, in one way or another, triggers the problem?

        1. 43300 Silver badge

          Perhaps the thumb-downer could explain where my understanding of the situation is faulty? From the reports here (and the Microsoft advisory, which I have also seen) it appears that the issue doesn't appear unless this patch is applied. Given that the patch is not available for Server 2008, how is that going to be affected by the issue?

      2. Wzrd1 Silver badge

        "(while they wouldn't bother to list Windows Vista, 7, 8 etc. consumer products)"

        So, enterprise versions like Pro editions are consumer products? No, they're still hind teat, just properly named desktop products and a whole lower echelon than servers...

        Well, until the entire enterprise has their entire staff staring at the walls while on the payroll, as all of their desktops randomly borked after the patch randomly blew them up, despite adequate testing (well, previously adequate)... Yeah, saw that many years ago as well.

        Indeed, at this point in my life, I'm patiently waiting to see a novel screw-up, as I'm fairly certain that I've witnessed every form possible under the sun. Still, I've no fear that the novel will escape me, some vendor will invent a new sun to burn us with.

    2. Wzrd1 Silver badge

      "Which is outside of even the most extended-extended support (i.e. running it on Azure). So if you install the patch which wasn't issued anyway, it might cause the listed problem. Right. Gotcha!"

      Well, there was that extended paid support. Then, there were special cases, like NT 4's SP7. Oh, never heard about SP7? NASA paid for Microsoft to develop it exclusively for them, as they had way too much software to convert in a reasonable amount of time...

      No, I'm not joking. Worked with someone that gave me a copy of it that he acquired while working for NASA.

  5. aerogems Silver badge
    Holmes

    Out of curiosity, does this only affect the Windows VPN service, or would it also affect third party VPN software?

    1. fPuck

      Third party VPNs typically create their own adapter rather than use the built-in VPN settings, but this is a patch of a patch so they're not really forthcoming with details.

      1. Wzrd1 Silver badge

        "...but this is a patch of a patch so they're not really forthcoming with details."

        Never fear, the infinitely recursive patches will be provided shortly by the infinite number of monkeys with an infinite number of keyboards, all filtered through an AI that runs exclusively on spherical cows.

        1. Anonymous Coward

          Thumbs up for the Brass Eye reference.

          1. mobailey

            That made me think of a "Day Today" reference:

            KB5036890 - no VPN died.

            KB5036891 - no VPN died.

            KB5036892 - one VPN died.

    2. GruntyMcPugh

      It doesn't affect Palo Alto Global Protect. That's the only VPN I use currently.

  6. AJ MacLeod

    Not again

    It seems to me that MS break VPNs more than almost anything else with their updates... even with groups of identical laptops set up in exactly the same way at the same time I've been seeing VPN issues develop apparently at random after Windows updates - some machines will be fine and others suddenly refuse to connect. This has been going on for a few years at least.

    1. Paul Crawford Silver badge
      Facepalm

      Re: Not again

      Good job those VPN are not needed for security reasons! Oh wait...

  7. Jurassic.Hermit
    FAIL

    30 years and counting...

    I must be a sucker for punishment putting up with MS for so long. Stuck with it through thick and thin, for better or for worse, for richer or poorer...until death do us part.

    Well, I'm declaring MS dead as far as I am concerned. Had enough of their pathetic OS efforts ever since Windows 8, but in recent times they've also destroyed Outlook, Office 365, totally dumbing down the whole lot. Windows 10 was actually decent, but I literally hate Windows 11 even more than 8. No quality control on any of it any more, ads, opening Bing every time I do a local search.

    Utter crap. Goodbye Microshaft, you'll be out of my life almost totally by the end of 2024.

    1. TReko Silver badge

      Re: 30 years and counting...

      I don't think Microsoft has a QA/Testing dept anymore. They fired 2/3 of QA back in 2015 so users in the Windows 10 "insider track" could test it for them.

      Seems like it worked so well that nothing is tested before release now?

      1. Wzrd1 Silver badge

        Re: 30 years and counting...

        Well, no QA worked well with ME and Vista...

        Maybe they'll move on to Act II, reviving the Ping Of Death...

        1. Anonymous Coward

          Re: 30 years and counting...

          I fondly remember ping of death. One OS (maybe OpenBSD, but it's lost in the fog of my brain) was immune to the ping, and their client wouldn't let you do the attack either. Their response was a patch to allow the client to ping other machines to death.

    2. Wzrd1 Silver badge

      Re: 30 years and counting...

      "I must be a sucker for punishment putting up with MS for so long. Stuck with it through thick and thin, for better or for worse, for richer or poorer...until death do us part."

      I call it career security. If one cannot be part of the solution, there is money to be made in prolonging the problem by patching the patches patches patches patches.

      1. Missing Semicolon Silver badge

        Re: 30 years and counting...

        I'm surprised you kept going until '10. Win8.1 was the last version that could be coerced into usability, so I bailed to Mint or Ubuntu Mate.

  8. sedregj
    Gimp

    VPN

    Which sort of VPN is broken?

    Am I being silly requesting basic facts on a news site?

    1. Wzrd1 Silver badge

      Re: VPN

      Microbrain isn't fessing up to what they cocked up. Likely, a bit of obfuscation to discourage litigation by impacted VPN vendors and users. As if they couldn't link the patch release/installation and sudden increase in support calls...

    2. Confucious2

      Re: VPN

      The Virtual ones.

    3. notyetanotherid
      Coat

      Re: VPN

      And why were they only broken "late on April 30"?

      1. BruceR

        Re: VPN

        That's when Microsoft admitted it, not when it happened.

  9. parrot

    This news…

    … might explain a lot of weird stuff that’s been happening recently with our “always-on” VPN. Main symptom is intermittent connection problems to individual servers, while we can still connect to everything else. Reboot usually fixes it for a little while. Really annoying.

    1. navarac Silver badge

      Re: This news…

      This type of news from MSFT is getting to be a perpetual headache. It doesn't help that they issue "updates" nearly every week, trying to get people to update a week before final issue to test it out! If you don't want the risk, you have to delay updates, which then includes security updates. Probably time to start to develop Windows 3000 from scratch. SatNad needs to get a grip, or get another job as a "shiny toy salesman". He certainly cannot deserve his high salary. It is a total disgrace AFAIK.

  10. Anonymous Coward

    (Whispers) Maybe don't use your PC to run the VPN ?

    If VPN connectivity was essential to my business, then it would be handled at the router/switch level. I wouldn't chance it to MS to bork at the next patch cycle.

    Reading stories like this when I can't get an interview is painful. Who are these knuckleheads that know better than me right up until their "expertise" shafts the entire company?
