Our company has been battling a significant client-impacting issue following the installation of the November Windows security updates. We’ve identified the likely cause and implemented a temporary fix, but further investigation is needed to determine the root cause and establish a long-term solution.

What we're seeing:

• Main complaint: Frequent disconnects/reconnects for RDS users on the session hosts (random intervals, but it's seen every few minutes)
• Users report being "kicked out" frequently and general slowness in their RSH sessions
• IT admins report that when they RDP directly to the session host servers, they get frequent hiccups accompanied by the "reconnecting" RDP pop up for a couple seconds. Their session automatically resumes without having to relaunch their client.
• Firewall Observations:
• Note: Numbers given below are in the format of:
  • "pre-patching / post-patching management servers (DCs, RD gateways, RD Connection Brokers, etc.) / post-patching the remainder of the environment (Session hosts, app servers, DB servers, etc.)"
• Dropped Packets by Aspect (count per second):
  • packet processing engine: 5/450/1,600 (Large increase)
  • hardware offload engine: 250/450/800 (Large increase)
  • session setup/teardown: 330/330-350/330-350 (Mostly stayed the same, but started spiking every \~30 minutes)
  • packet forwarding engine: 90/95/100 (Small increase)
  • packet parsing engine: 20/20/25 (Small increase)
  • denial of service processing: 8/11/12 (Very small increase)
• Number of active TCP connections (count per second): 500/500/2000 (Large increase)
• FLOW (count per second):
  • Flow_action_close: 3/450/2,000 (Large increase)
  • flow_fpga_ingress_exception_err: 500/700/1,700 (Large increase)

Temporary Solution:

• Disable BITS and Windows Update services via GPO for all servers in the domain

What we see post - band-aid implementation:

• Users are no longer reporting disconnects from RSH servers
• Admins are no longer reporting hiccups and reconnects
• Firewall stats are the same or lower then before patching

Environment Info:

• OS: Windows Server 2022 21H2, Windows Server 2019, Windows Server 2016
• Firewall: Palo Alto
• Using Parallels RAS product for the RDS Farm
• \~700 session hosts
• Single domain
• Installed 2024-11 Windows Server Cumulative Updates, .NET Framework Cumulative Updates, and some servers received the Windows Malicious Software Removal Tool

Has anyone seen anything like this before? Any thoughts on what is happening? I would greatly appreciate some fresh ideas and perspectives. Thanks!!!

TLDR: Installed NOV Windows Updates on servers. User session disconnects happened frequently. Noticeable change in firewall activity. Disabling BITS and Windows Updates "fixed" the issue.