Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Microsoft released updates on April 9, 2019 that are impacting some security AV vendors, causing some customers using Windows 7, Windows 8.1, Windows 2008, Windows 2008 R2, Windows 2012 and Windows 2012 R2 to occasionally experience system failures or hangs during boot after the update is applied.
Sophos has been working non-stop to resolve the issue. We quickly coordinated a temporary block that prevents the Microsoft update from being visible for download if the Sophos endpoint is installed. This has been successful in preventing system failures, and allowed us to investigate a permanent resolution. The block will remain in place until the resolution is fully tested and rolled out to customers.
The temporary solution includes an exclusion that works for all of our customers. These exclusions have been automatically added in Sophos Central and Sophos Enterprise Console (versions 5.5.x) and can also be manually added to SEC 5.4.1, UTM Managed Endpoints and Standalone Endpoints/Servers. The exclusions prevent system issues even if the Microsoft update is installed.
We identified a permanent fix, and its rollout to customers is complete. To check whether you have received the fix, see the 'How to confirm if you have received the fix' section linked under each product.
To be impacted, you must meet all the criteria below. If you do not meet all the criteria, then you are not impacted:
Applies to the following Sophos product(s) and version(s): All Windows endpoint and server licenses
Note: If you only have Sophos Intercept X installed you will not be affected by this issue.
Please sign up for our SMS Notification Service to receive the latest information and also follow this article.
Microsoft temporarily blocked devices from receiving this update if the Sophos Endpoint is installed. Further information can be found in the Microsoft Articles listed in the Related information section.
Note: Microsoft have now removed this block.
For Sophos Central customers we have performed an automatic update to add the following to the Global Exclusions:
Note: This will appear in your list as Sophos temporary exclusion see KBA 133945.
This will prevent the issue occurring on any devices where the Windows update is applied prior to receiving the fix versions referenced below.
We have identified a permanent fix and are now automatically rolling out the fix to customers starting 25th April 2019. This will take place over a two to three week period.
Note: If you have configured Controlled Updates you will not receive the fix until your pause period expires.
Note: If you have configured an Updating Policy you will not receive the fix until your scheduled update time takes place.
For Enterprise Console customers we are performing an update that will automatically add the following Windows exclusions to all Anti-virus and HIPS policies in your Enterprise Console:
This will prevent the issue occurring on any computers where the Windows update is applied prior to receiving the fix versions referenced below.
To confirm your Update Manager has downloaded the version containing the fix:
To confirm your managed computers have received the fix:
For UTM Managed Endpoints you will need to manually add the following exceptions to the Endpoint Protection > Antivirus > Exceptions tab, specifying the Type File/Folders:
Adding these exclusions will prevent the issue occurring on any computers where the Windows update is applied prior to receiving the fix version referenced below.
To confirm your UTM Managed Endpoints have received the fix:
For standalone installations of Sophos Endpoint Security and Control you will need to manually add the following folder exclusions:
For further information on how to do this see the Online Help.
Adding these exclusions will prevent the issue occurring on any computers where the Windows update is applied prior to receiving the fix versions referenced below.
To confirm your standalone computer has received the fix:
If you have performed the update and rebooted, triggering the issue, the following recovery steps are available:
Note: This script will cause your machine to reboot.
The following reference the affected Windows updates: