Windows Defender anti-malware platform update KB4052623 from January 2019 prevents Windows 10 systems from starting when Secure Boot is enabled. In addition, an activated AppLocker blocks downloads. But there are workarounds for both issues.
First notifications of the issue
A few hours ago I posted the blog post Windows Defender with Update issues (01/30/2019)? about update issues with Windows Defender. The root cause could be performance problems on the update servers (I'm not sure). But in that article I also mentioned that another user reported boot issues with update KB4052623.
Windows Defender update (KB4052623) psbly causing problem with Boot Manager/Boot Loader startup on Server 2019. Repro'd in two Hyper-V environments. Only occurs after Start > Restart. Start > Shut down or Hyper-V Shut Down button no problem @mikael_nystrom @jarwidmark @NerdPyle pic.twitter.com/IFGQt7bLbV
— Troy L. Martin (@TroyMartinNet) January 22, 2019
This is an update for the Windows Defender antimalware platform, which was probably released on January 28, 2019. The user then noticed issues with the boot manager in a Hyper-V environment on Windows Server 2019.
A second confirmation by a reader
In response to my English blog post, a German user with the Twitter name @schaetzer told me the following.
I believe I know the reason behind: https://t.co/bhx5N9mL6D We had approx. 100 clients that have not booted afterwards. #secureboot
— Schaetzer (@schaetzer) January 30, 2019
This user has about 100 clients that 'died' because of the update: with Secure Boot enabled, they could no longer start after the update was installed.
Microsoft confirms the issue
The user referred to KB article KB4052623, which covers Windows Defender on Windows 10 and Windows Server 2016 and describes the update for the Windows Defender antimalware platform. The update has been available since January 28, 2019 for:
- Windows 10 (Enterprise, Pro, and Home)
- Windows Server 2016
In the KB article, Microsoft has meanwhile confirmed a 'known issue' for this update. Once module version 4.18.1901.7 has been installed, Windows 10 clients no longer start when Secure Boot is enabled. Microsoft is working on the problem and intends to release a fix.
If you are hit by this issue, deactivate Secure Boot on your Windows 10 clients and proceed with the steps below.
1. On startup, invoke the BIOS/UEFI settings, disable the secure boot, and reboot the machine.
2. Once Windows 10 has been successfully restarted, switch to an administrative prompt and use the following command to remove the module version:
"%programdata%\Microsoft\Windows Defender\Platform\4.18.1901-7\MpCmdRun.exe" -revertplatform
After that, wait a minute and then run the following commands in the administrative prompt.
sc query windefend
sc qc windefend
The first command confirms that the Windows Defender service is running. The second command displays the service configuration, so you can check that Windows Defender no longer uses module version 4.18.1901.7. The machine must then be rebooted, after which Secure Boot can be reactivated in the BIOS/UEFI.
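As an added example (not from the original post or from Microsoft), the following PowerShell script automates the checks behind steps 1 and 2: it reads which platform binary the WinDefend service starts, asks Defender for its service version, tests whether Secure Boot is on, and, with the -Revert switch, runs the same MpCmdRun.exe -revertplatform command and the two sc queries from the post. It assumes an elevated prompt on Windows 10 or Windows Server 2016 with the built-in Defender and SecureBoot PowerShell modules present.

```powershell
# Added example: detect whether Defender platform 4.18.1901.7 (KB4052623) is active,
# report the Secure Boot state, and optionally run the revert described in the post.
# Run from an elevated PowerShell prompt.
param([switch]$Revert)

$BadVersion  = [version]'4.18.1901.7'                          # version named in KB4052623
$BadPlatform = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform\4.18.1901-7'

# 1. Which platform binary does the WinDefend service actually start? (same data as 'sc qc windefend')
$imagePath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' -Name ImagePath).ImagePath
$amVersion = [version](Get-MpComputerStatus).AMServiceVersion
Write-Host "WinDefend ImagePath : $imagePath"
Write-Host "AM service version  : $amVersion"
Write-Host "Service state       : $((Get-Service WinDefend).Status)"

# 2. Is Secure Boot enabled? Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as 'off'.
try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
Write-Host "Secure Boot enabled : $secureBoot"

# 3. Verdict: affected if either the reported version or the service image path names the bad build.
$affected = ($amVersion -eq $BadVersion) -or ($imagePath -like '*4.18.1901-7*')
if ($affected -and $secureBoot) {
    Write-Warning "Platform $BadVersion is active with Secure Boot on: the next restart may fail to boot."
} elseif ($affected) {
    Write-Warning "Platform $BadVersion is active (Secure Boot off): revert it before re-enabling Secure Boot."
} else {
    Write-Host "Platform $BadVersion is not in use; nothing to do." -ForegroundColor Green
}

# 4. Optional revert, exactly as in the post: MpCmdRun.exe -revertplatform, wait a minute, re-check.
if ($Revert -and $affected) {
    $mpCmdRun = Join-Path $BadPlatform 'MpCmdRun.exe'
    if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found under $BadPlatform" }
    & $mpCmdRun -revertplatform
    Start-Sleep -Seconds 60              # the post says to wait a minute before checking
    sc.exe query windefend               # STATE should be RUNNING
    sc.exe qc windefend                  # BINARY_PATH_NAME should no longer contain 4.18.1901-7
}
```

Run it once without -Revert to see the verdict, and a second time with -Revert only after Secure Boot has been disabled in the firmware; the reboot and re-enabling of Secure Boot remain manual steps.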
New path is causing AppLocker issues
Microsoft has changed the path to the updated Windows Defender module. This changed path causes many downloads to be blocked when AppLocker is enabled. To fix this issue, Microsoft suggests opening the appropriate Group Policy and allowing the policies for the following path:
This information can be found in KB Article 4052623.