Windows 10 1809/Server 2019: Issue with SystemGuard Launch Security Baseline settings

[German] Brief information for administrators of Windows 10 v1809 clients or Windows Server 2019 instances: there is an issue with the Security Baseline where a newly introduced SystemGuard Launch setting can cause a blank screen when booting a UEFI system.



To narrow it down a little: this does not affect users of Windows 10 Home, nor Windows 10 Pro users who run the operating system without the Security Baseline. The scenario occurs when the Microsoft Security Compliance Toolkit 1.0 is installed on Windows 10 version 1809 or Windows Server 2019 and the SystemGuard Launch policy is configured.

What is the Security Baseline?

It is a security policy that Microsoft provides for hardening systems against security threats. The Security Baseline package consists of documentation and group policies, as well as PowerShell scripts that can be used to apply specific settings and so provide a basic level of protection.

Microsoft has published this document, titled Windows security baselines, with more details. At the end of November 2018, Microsoft then released the Windows-10-1809-Security-Baseline-FINAL package for Windows 10 V1809 and Windows Server 2019. This downloadable package includes importable GPOs, a PowerShell script for applying the GPOs to local policies, custom ADMX files for Group Policy settings, tabular documentation, and a set of Policy Analyzer files. I reported on it in the blog post Security baseline for Windows 10 Version 1809 and Windows Server 2019 released.

Issues with SystemGuard Launch policy

Crysta T. Lacey (@PhantomofMobile) has alerted me via Twitter and in an email about an issue related to the SystemGuard launch guidelines of the Security Baseline settings (thanks for that). 



Microsoft's Aaron Margosis published a blog post on January 25, 2019, Issue with SystemGuard Launch setting in Windows 10 v1809 and Windows Server 2019, on Technet, describing a known issue.

The issue

Customers who have deployed the Microsoft Security Baseline for Windows 10 v1809 and Windows Server 2019 on systems with UEFI Secure Boot enabled may experience problems when booting those devices.

The Device Guard GPO is responsible for enabling virtualization-based security in the Windows security configuration baselines. This policy includes enabling the System Guard Secure Launch setting ("ConfigureSystemGuardLaunch"). On supported hardware, this is intended to protect the virtualization-based security environment from exploitable vulnerabilities in the device firmware.

This policy was introduced in Windows 10 version 1809 and is therefore only included in the recommended baselines for Windows 10 v1809 and Windows Server 2019. Now Microsoft has discovered that this policy can cause a boot problem. The problem occurs on systems where System Guard Secure Launch was set to Enabled, regardless of whether the underlying hardware support for the function exists.

If the device restarts after an update, only a blank screen is displayed. A problem with the validation of catalog files has been identified as the cause. According to Microsoft, whether this scenario occurs depends heavily on the number and order of the signed components in the boot path. So it is a rather exotic bug, and it is unpredictable whether and when a given system will run into it.

Solution in progress, workaround possible

Microsoft is currently actively working to publish a solution to this problem through a Windows Update. Affected customers on Windows 10 V1809 and Windows Server 2019 can reset the ConfigureSystemGuardLaunch Group Policy setting to Not Configured or Disabled to resolve this issue. This should be a temporary workaround until this problem is resolved in a Windows update.

Microsoft writes that so far no devices have been shipped that include hardware support for Secure Launch. This applies to all Microsoft Surface devices and all other OEM devices. The first devices with this support are not expected to be available until the second quarter of calendar year 2019. According to Microsoft, removing this policy setting does not adversely affect systems that lack hardware support for System Guard Secure Launch.
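To find affected machines before they hit the blank screen, the following PowerShell script (an added example, not part of the original post or of Microsoft's baseline package) reports whether UEFI Secure Boot is on and whether the ConfigureSystemGuardLaunch policy is set to Enabled, and with -Remediate applies the workaround from the post by setting it to Disabled. It assumes the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard as a DWORD named ConfigureSystemGuardLaunch (1 = Enabled, 0 = Disabled, absent = Not Configured), and that the Win32_DeviceGuard WMI class reports a running Secure Launch as SecurityServicesRunning value 3.

```powershell
# Added example: audit (and optionally disable) the System Guard Secure Launch
# policy that the Device Guard GPO of the v1809 baseline enables.
# Assumed registry location of the policy value:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
#   ConfigureSystemGuardLaunch = 1 (Enabled) / 0 (Disabled) / absent (Not Configured)
[CmdletBinding()]
param(
    # Without -Remediate the script only reports; with it, the policy is set to Disabled.
    [switch]$Remediate
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$valueName = 'ConfigureSystemGuardLaunch'

# Only UEFI Secure Boot systems are in scope; the cmdlet throws on BIOS/CSM boots.
$secureBoot = $false
try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

# Read the policy value; a missing key or value means "Not Configured".
$current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$state = if ($null -eq $current) { 'Not Configured' } elseif ($current -eq 1) { 'Enabled' } else { 'Disabled' }

# Win32_DeviceGuard tells whether Secure Launch is actually running (assumed: value 3).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$launchRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 3))

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    SecureBootEnabled   = $secureBoot
    SystemGuardPolicy   = $state
    SecureLaunchRunning = $launchRunning
    # Exposure as described in the post: Secure Boot on and the policy Enabled,
    # regardless of whether the hardware supports Secure Launch.
    AtRisk              = ($secureBoot -and $state -eq 'Enabled')
}

if ($Remediate -and $state -eq 'Enabled') {
    # Workaround from the post: set the policy to Disabled (0). On domain-joined
    # machines change the GPO itself, otherwise the next policy refresh re-applies
    # the baseline value.
    Set-ItemProperty -Path $policyKey -Name $valueName -Value 0 -Type DWord
    Write-Warning "$valueName set to Disabled; reboot for the change to take effect."
}
```

Run it in an elevated session; the object it emits can be collected from many hosts with Invoke-Command to get an inventory of machines that still carry the Enabled setting.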


