Windows 10: Windows Boot Issues after MS Security Patches applied

We have a strange issue that seems to occur after security updates are applied from Microsoft - but we are not 100% convinced it is a Microsoft issue. Apologies for the long post but I wanted to provide as much detail as possible.


Our laptops are all HP 840 Elitebooks (G1 through to G5) running Windows 10 Enterprise version 1803, all laptops have bitlocker enabled. The problem only affects a certain number of laptops and we've not found a common pattern yet.


Problem

- Windows automatic updates take place and includes a security update

- User shuts their laptop down at the end of the working day

- The following morning when trying to boot, the laptop gets stuck at the "HP Sure Start" screen and doesn't boot

- We switch the laptop off and on a few times to force automatic repair and then boot to safe mode

- We perform a standard reboot and everything works (on occasions we have to remove the security update but that's only on 1 in 10 laptops)


If this was a HP Sure Start issue then we wouldn't expect it to boot to safe mode so we can only assume that something at the start of the boot up of Windows is causing the problem and, by using Safe Mode, it is allowing us to boot properly and, my theory, is that the security update may have needed a reboot and can finally apply correctly when there are no other programs interfering/blocking it.


The programs we load that could be contributing to the problem are:


- Cisco Umbrella

- Carbon Black

- Cylance

- Connected MX

- CheckPoint VPN Client

- Ivanti Landesk


Our vendors have not found anything to suggest it is their software causing the problem but the top 3 in the list above are security products and do not load in Safe Mode so if it is anything causing it, it may be one of them. Windows Event logs do not show anything to suggest the cause of the issue.


We cannot reproduce the issue at will because once the laptop is working again, it won't fail again. We did try removing the last security update, rebooting, running Windows update manually (which then re-applies that security update). In theory, we should now be able to reboot and reproduce the issue but it boots normally.


The problem is that if we wait until the monthly patch Tuesday for the next updates, then it means we can only troubleshoot once a month so that approach won't work. I'm hoping for some other suggestions that can help us get to to the bottom of this issue without us disabling too many programs that then make our IT security department nervous.


Thanks in advance


Andy

:)

 

Windows 8 Secure Boot Feature: Not So Secure?

• Linux
• Linux
• Linux
• Linux
• Oh and OSX

Here is a statement from a Kernal Developer at Red Hat:

I'm not sure this exploits the legacy BIOS but rather it exploits the legacy boot method on MBR drives, injecting a signed key before the OS boots, which you are correct in that it has nothing to do with Windows 8. And the simplest fix would just be to require boot drives use GPT when Secure Boot is enabled in UEFI.

 

Windows 8 Secure Boot Feature: Not So Secure?

So Linux is switching to secure boot also? Or they have to because of UEFI?

 

MS IE Vulnerability patch failure

http://support.microsoft.com/kb/2964358


Known issues with this security update

• Internet Explorer will crash if you try to install this security update on a Windows 7-based system that does not already have security update 2929437 installed. To avoid this issue, take either of the following actions:
  • Install security update 2929437, and then install security update 2964358. For more information about security update 2929437, click the following article number to view the article in the Microsoft Knowledge Base:
    2929437
    (http://support.microsoft.com/kb/2929437/ )
    Description of the security update for Internet Explorer 11 on Windows 7 and Windows Server 2008 R2: April 8, 2014
  • Install security update 2964444 instead of security update 2964358. Security update 2964444 is intended for systems that do not have security update 2929437 installed.