Issue with SystemGuard Launch setting in Windows 10 v1809 and Windows Server 2019

[Update, 17 April 2019: Microsoft released a fix for this issue in the 2019-03 Cumulative Updates for Windows 10 Version 1809 and Windows Server 2019. See https://support.microsoft.com/kb/4490481 for more information.]

Customers who deployed Microsoft’s security baseline for Windows 10 v1809 and Windows Server 2019 on systems with UEFI Secure Boot enabled might experience device boot failures. The Device Guard GPO setting that enables Virtualization Based Security in the Windows security configuration baselines also enables the System Guard Secure Launch (“ConfigureSystemGuardLaunch”) setting, which on supported hardware protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware. That setting was newly introduced in Windows 10 v1809 (also known as “Redstone 5” or “RS5”) and is therefore only included in our recommended baselines for Windows 10 v1809 and Windows Server 2019. Microsoft discovered a boot issue that can affect systems with System Guard Secure Launch set to Enabled, regardless of whether the underlying hardware support for the feature is present. The issue manifests itself after taking an update, whereupon the device reboots into a blank screen. The issue has been root-caused to a problem with catalog file validation; whether it shows up depends heavily on the set and order of signed components in the boot path, so it is not predictable when, or whether, a given system will hit it.

Microsoft is currently actively working to release a fix for this issue via a Windows update.

While Microsoft is working on a solution, Windows 10 v1809 and Windows Server 2019 customers who are affected may revert the “ConfigureSystemGuardLaunch” Group Policy setting to “Not Configured” or configure it to “Disabled” to alleviate this issue. This should be a temporary workaround until this issue is addressed in a Windows update.

Note: Removing this setting will not negatively impact systems that do not have hardware support for System Guard Secure Launch. At the time of this blog post, no devices have yet shipped with hardware support for Secure Launch; this includes all Microsoft Surface devices and all other OEM devices. The first devices with this support are not expected to be available on the market until the second quarter of calendar year 2019.
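To find out whether a machine is exposed to the issue described above, an administrator can check how ConfigureSystemGuardLaunch is set (by policy and locally) and whether Secure Launch is actually configured or running. The following script is an added example, not code from the original post; it assumes an elevated PowerShell session on Windows 10 v1809 or Windows Server 2019 and uses the standard Device Guard registry locations and the Win32_DeviceGuard WMI class, neither of which the post itself quotes.

```powershell
# Added example (not from the original post): report how ConfigureSystemGuardLaunch
# is set and whether System Guard Secure Launch is configured/running on this machine.
# Run from an elevated PowerShell prompt.

# Registry location written by the "Turn On Virtualization Based Security" GPO,
# and the local (non-policy) location used by MDM or manual configuration.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Get-SecureLaunchSetting {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'ConfigureSystemGuardLaunch' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Configured (value absent)' }
    switch ($item.ConfigureSystemGuardLaunch) {
        0       { 'Not Configured (0)' }
        1       { 'Enabled (1)' }
        2       { 'Disabled (2)' }
        default { "Unknown ($($item.ConfigureSystemGuardLaunch))" }
    }
}

$policyState = Get-SecureLaunchSetting $policyKey
"Policy (GPO) value : $policyState"
"Local value        : $(Get-SecureLaunchSetting $localKey)"

# Win32_DeviceGuard lists the VBS services configured and running by numeric code.
# Code 3 = System Guard Secure Launch (1 = Credential Guard, 2 = HVCI, 4 = SMM measurement).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"Secure Launch configured: $($dg.SecurityServicesConfigured -contains 3)"
"Secure Launch running   : $($dg.SecurityServicesRunning -contains 3)"

# Confirm-SecureBootUEFI throws on non-UEFI firmware; treat that as "not enabled".
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { }
"UEFI Secure Boot enabled: $secureBoot"

# KB4490481 (from the update note above) carries the fix. Later cumulative updates
# supersede it, so its absence alone does not prove the fix is missing.
$fixPresent = [bool](Get-HotFix -Id 'KB4490481' -ErrorAction SilentlyContinue)
"KB4490481 listed        : $fixPresent"

# The boot failure occurs when the setting is Enabled, regardless of hardware support.
# Flag that combination so the admin can revert it to Not Configured or Disabled.
if ($policyState -like 'Enabled*' -and $secureBoot -and -not $fixPresent) {
    Write-Warning 'ConfigureSystemGuardLaunch is Enabled by policy on a UEFI Secure Boot system; apply the workaround or the fix.'
}
```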