Computers fail/hang with Microsoft KB4493472 and Sophos

After installing the following Microsoft Windows updates, Sophos has received reports of computers failing to boot. Sophos is actively investigating this issue and will update this article when more information is available. Please also read:

The following operating systems are affected:

  • Windows 7
  • Windows 8.1
  • Windows 2008
  • Windows 2008 R2
  • Windows 2012
  • Windows 2012 R2

Applies to the following Sophos product(s) and version(s)
All Windows endpoint and server licenses

Note: If you only have Sophos Intercept X installed you will not be affected by this issue.

What to do

Update – 08:45 BST 04/11/19: Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed, until a solution is available. Further information can be found in the Microsoft articles listed above.

If you have not yet performed the update, we recommend not doing so. If you have performed the update but not yet rebooted, we recommend removing the update prior to rebooting.

For Enterprise Console customers: if you have performed the update and not yet rebooted, but require the Windows updates to remain installed, adding the following folder exclusions to your Windows exclusions in the Anti-virus and HIPS on-access scanning policy will prevent the issue from occurring on boot:

  • C:\Program Files\Sophos\Sophos Anti-Virus\
  • C:\Program Files (x86)\Sophos\Sophos Anti-Virus\

Note: Sophos recommends:

Note: The above action is not required for Sophos Central customers.
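
A read-only triage check for the cases above, as an added example (not Sophos's recovery script and not code from the original article): it reports whether KB4493472 is listed as installed, whether a Sophos Anti-Virus folder from the exclusion list exists, and whether a reboot is pending. The registry keys used as reboot markers, and treating the install folder as proof that Sophos Anti-Virus is present, are assumptions.

```powershell
# Added example, not Sophos's recovery script. Read-only: it changes nothing.
param(
    # KB from the article title; add the other affected KBs yourself.
    [string[]]$KbIds = @('KB4493472')
)

# Assumption: presence of either folder from the exclusion list means
# Sophos Anti-Virus is installed.
$sophosPaths = @(
    'C:\Program Files\Sophos\Sophos Anti-Virus',
    'C:\Program Files (x86)\Sophos\Sophos Anti-Virus'
)
# Assumption: standard Windows markers for a pending reboot.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)

$sophos  = @($sophosPaths | Where-Object { Test-Path -LiteralPath $_ }).Count -gt 0
$pending = @($rebootKeys  | Where-Object { Test-Path -LiteralPath $_ }).Count -gt 0

# Get-HotFix reports an error for an absent id, so silence it and keep hits.
$found = @($KbIds | ForEach-Object {
    Get-HotFix -Id $_ -ErrorAction SilentlyContinue
} | ForEach-Object { $_.HotFixID })

if (-not $sophos) {
    $advice = 'Sophos Anti-Virus folder not found; advisory conditions not met.'
} elseif ($found.Count -eq 0 -and -not $pending) {
    $advice = 'Update not installed; do not install it.'
} elseif ($found.Count -eq 0) {
    # A staged update may not be listed until after the reboot.
    $advice = 'Reboot pending but KB not listed; check update history before rebooting.'
} elseif ($pending) {
    $advice = 'Update installed, reboot pending; remove the update or add the exclusion before rebooting.'
} else {
    $advice = 'Update installed and active; follow the recovery steps if the machine hangs on boot.'
}

New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME; SophosAntiVirus = $sophos
    InstalledKBs = ($found -join ','); RebootPending = $pending; Advice = $advice
} | Select-Object Computer, SophosAntiVirus, InstalledKBs, RebootPending, Advice
```

The script avoids syntax newer than PowerShell 2.0 so it can run on the older operating systems listed above.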

If you have performed the update and have rebooted, triggering the issue:

  1. Boot into safe mode
  2. Disable the Sophos Anti-Virus service
  3. Boot into normal mode
  4. Uninstall the Windows KB
  5. Enable the Sophos Anti-Virus service

To boot into Safe Mode in Step 1

To get into the Services panel in Step 2

To uninstall the KB in Step 4, use the command listed below.

wusa /uninstall /kb:4493472 /quiet

or

Use a script to recover the machine in Safe Mode or Windows

Note: This script will cause your machine to reboot.

  1. If you are using Windows Server Update Services (WSUS) or a third-party patch provider, remove the updates from your approved list or de-authorise the updates from being applied to your machines. Otherwise, the offending Windows updates may be reinstalled after the script has been used
  2. Download the script from here
  3. Change the file extension from .txt to .bat
  4. Copy the script to the affected machine and save it in the root of C:\
  5. Open an administrator command prompt
  6. Run the following command:
    • C:\RemoveAprilWIndowsUpdates.bat
  7. The script will run and should remove the required updates for your version of Windows and reboot the machine to complete the recovery

https://community.sophos.com/kb/en-us/133945