[German]In September 2021 updates for Windows 10 could cause issues: Some applications no longer started or could no longer access their data. The cause is a problem in the Microsoft Exploit Protection Export Address Filtering (EAF) function. Microsoft has confirmed that and rolled out the problematic fixes using the KIR featrue. I briefly summarize the issue again with some explanations.
Problems with updates from September 2021
On September 1, 2021, Microsoft rolled out a preview update KB5005101 (which I had not addressed in the blog). However, as a result of this update (as well as with subsequent updates), various users experienced a problem where certain applications stopped working properly and would not launch or could no longer access data.
I had already addressed the problem last week in my German blog post OneDrive for Business-Störung vom 22.9.2021 only. In the specific case, it was that the OneDrive for Business login stopped working and got stuck with a white window. Microsoft explained the reason in a status message: The Microsoft Exploit Protection EAF (Export Address Filtering) feature was the root cause for the problem.
The feature can be configured under Windows Security in the App and Browser Control category and then under Exploit Protection. If OneDrive for Business is installed, you will find a corresponding entry there, via which you could disable Export Address Filtering (EAF). The details can be found in the above linked article in Microsoft's status messages.
However, there were also problems with other applications. According to Microsoft's status messages, the function of the September patches for EAF with the Known-Issues-Rollback (KIR) function has therefore been disabled.
Microsoft confirms the issue and fixed it with KIR
An the Windows 10 status page, Microsoft has published the entry Apps might fail to open, close unexpectedly or become unresponsive as of September 24, 2021, where the issues has been confirmed. There it says that after installing update KB5005101 (or subsequent updates), problems may occur. Namely, problems occur with applications when the Microsoft Exploit Protection Export Address Filtering (EAF) feature is used. This manifests itself in the fact that applications cannot be opened, files cannot be opened or a white window is displayed when logging in. The following platforms are affected:
- Client: Windows 10 Version 21H1, Windows 10 Version 20H2, Windows 10 Version 2004, Windows 10 Version 1909, Windows 10 Version 1809, und Windows 10 Enterprise LTSC 2019
- Server: Windows Server 2022;,Windows Server 20H2, Windows Server 2004, Windows Server 1909, Windows Server 1809 und Windows Server 2019
Microsoft has therefore used Known Issue Rollback (KIR) to roll back the problematic parts of the updates in question. The 24 hours that KIR takes to roll back on unmanaged end-user devices have now passed, so the issues should no longer show up after affected systems are rebooted.
Note: I described the Known Issue Rollback (KIR) feature in the post Windows 10 2004-20H2: Office memory or media error when opening documents fixed. It allows Microsoft to automatically roll back a fix for identified problems. This disables the problematic fix and re-enables the saved previous code, so it does not uninstall the entire update. Many details can be read in this Microsoft post. It is important to know, however, that Microsoft only uses KIR for problems with non-security-critical updates. Also, KIR is only available as a full feature on Windows 10 2004 and later, and is only used on systems that receive updates via Windows Update or Windows Update for Business.
It is important to note that the Known Issue Rollback (KIR) function in enterprise environments with systems managed (e.g. via Windows Update for Business, WUfB) must be triggered by the administrator via appropriate group policies. Microsoft has provided the following group policies for this purpose:
- Windows Sever 2022
- Windows 10 Version 2004, Windows 10 Version 20H2, Windows 10 Version 21H1
- Windows 10 Version 1909
- Windows 10 Version 1809, Windows Server 2019
Alternatively, registry entries listed in post Apps might fail to open, close unexpectedly or become unresponsive could be set to trigger KIR (but is not recommended). For more help with KIR, see the post How to use Group Policy to deploy a Known Issue Rollback.
Cookies helps to fund this blog: Cookie settings