Microsoft released updates on 9 April 2019 that are impacting some security AV vendors, causing some customers using Windows 7, Windows 8.1, Windows 2008, Windows 2008 R2, Windows 2012, and Windows 2012 R2 to occasionally experience system failures or hangs during boot-up after the update is applied.
Sophos has been working non-stop to resolve this issue. We quickly coordinated a temporary block that prevents the Microsoft update from being visible for download if the Sophos endpoint is installed. This has been successful in preventing system failures and allowed us to investigate a permanent resolution. The block will remain in place until the resolution is fully tested and rolled out to customers.
The temporary solution includes an exclusion that works for all of our customers. These exclusions have been automatically added in Sophos Central and Sophos Enterprise Console (versions 5.5.x) and can also be manually added to SEC 5.4.1, UTM Managed Endpoints, and standalone Endpoints/Servers. The exclusions prevent system issues even if the Microsoft update is installed.
We identified a permanent fix, and its rollout to customers has completed. To check whether you have received the fix, see the section "How to confirm if you have received the fix" linked under each product.
For the list of affected Windows updates, take a look at the Related information section.
To be impacted, you must meet all the criteria below:
Applies to the following Sophos product(s) and version(s): All Windows endpoint and server licenses
Note: If you only have Sophos Intercept X installed, you will not be affected by this issue.
Please sign up for our SMS Notification Service to receive the latest information and also follow this article.
Microsoft temporarily blocked devices from receiving this update if the Sophos Endpoint is installed. Further information can be found in the Microsoft articles listed in the Related information section.
Note: Microsoft has now removed this block.
For Sophos Central customers, we have performed an automatic update to add the following to the Global Exclusions:
Note: Under the Comment column, the message "Sophos temporary exclusion see KBA 133945" will appear in your list.
This will prevent the issue occurring on any device where the Windows update is applied prior to receiving the fix versions referenced below.
We have identified a permanent fix and are now automatically rolling out the fix to customers starting 25th April 2019. This will take place over a two to three week period.
For Enterprise Console customers we are performing an update that will automatically add the following Windows exclusions to all Anti-virus and HIPS policies in your Enterprise Console:
This will prevent the issue occurring on any computers where the Windows update is applied prior to receiving the fix versions referenced below.
To confirm your Update Manager has downloaded the version containing the fix:
To confirm your managed computers have received the fix:
For UTM Managed Endpoints you will need to manually add the following exceptions to the Endpoint Protection > Antivirus > Exceptions tab, specifying the Type File/Folders:
Adding these exclusions will prevent the issue occurring on any computers where the Windows update is applied prior to receiving the fix version referenced below.
To confirm your UTM Managed Endpoints have received the fix:
For standalone installations of Sophos Endpoint Security and Control you will need to manually add the following folder exclusions:
For further information on how to do this, take a look at the Sophos Endpoint Security and Control Help.
Adding these exclusions will prevent the issue occurring on any computers where the Windows update is applied prior to receiving the fix versions referenced below.
To confirm your standalone computer has received the fix:
If you have performed the update and rebooted, triggering the issue, the recovery steps below are available:
Note: This script will cause your machine to reboot.
Note: If tamper protection is enabled, it needs to be disabled first to allow the Sophos services to be enabled again.
The following are the affected Windows updates: