After installing the following Microsoft Windows updates, Sophos has received reports of computers failing to boot. Sophos is actively investigating this issue and will update this article when more information is available. Please also read:
- https://support.microsoft.com/en-gb/help/4493467/windows-8-1-update-kb4493467 (Security-only update)
- https://support.microsoft.com/en-gb/help/4493446 (Monthly Rollup)
- https://support.microsoft.com/en-gb/help/4493448 (Security-only update)
- https://support.microsoft.com/en-gb/help/4493472/windows-7-update-kb4493472 (Monthly Rollup)
- https://support.microsoft.com/en-us/help/4493458 (Security-only update)
- https://support.microsoft.com/en-us/help/4493471/windows-server-2008-update-kb4493471 (Monthly Rollup)
- https://support.microsoft.com/en-gb/help/4493450 (Security-only update)
- https://support.microsoft.com/en-gb/help/4493451/windows-server-2012-update-kb4493451 (Monthly Rollup)
The following operating systems are affected:
- Windows 7
- Windows 8.1
- Windows 2008
- Windows 2008 R2
- Windows 2012
- Windows 2012 R2
Applies to the following Sophos product(s) and version(s)
All Windows endpoint and server licenses
Note: If you only have Sophos Intercept X installed you will not be affected by this issue.
What to do
Update – 08:45 BST 04/11/19: Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. Further information can be found in the Microsoft Articles listed above.
If you have not yet performed the update we recommend not doing so. If you have performed the update but not yet rebooted we recommend removing the update prior to rebooting.
For Enterprise Console customers, if you have performed the update, not yet rebooted but require the Windows updates to remain installed, adding the following folder exclusion to your Windows exclusions in the Anti-virus and HIPS on-access scanning policy will prevent the issue occurring on boot:
C:\Program Files\Sophos\Sophos Anti-Virus\
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
Note: Sophos recommends:
- Setting this exclusion only in instances where you require the Windows updates to remain installed.
- Enabling enhanced tamper protection on your managed computers. For further information see Sophos Endpoint Defense: How to enable Enhanced Tamper Protection.
- Removing the exclusion when advised by Sophos in this article.
Note: The above action is not required for Sophos Central customers.
If you have performed the update and have rebooted, triggering the issue:
- Boot into safe mode
- Disable the Sophos Anti-Virus service
- Boot into normal mode
- Uninstall the Windows KB
- Enable the Sophos Anti-Virus service
To boot into Safe Mode in Step 1
To get into Services panel in Step 2
To uninstall KB in Step 4 use the command listed below.
wusa /uninstall /kb:4493472 /quiet
or
Use a script to recover the machine in Safe Mode or Windows
Note. This script will cause your machine to reboot.
- If you are using Windows Server Update Services (WSUS) or third-party patch provider then please remove the updates from your approved list or de-authorise the updates from being applied to your machines – otherwise following the use of the script the offending Windows updates may be reinstalled
- Download the script from here
- Change the file extension from .txt to .bat
- Copy the script to the affected machine and save it in the root of C:\
- Open an administrator command prompt
- Run the below command
- C:\RemoveAprilWIndowsUpdates.bat
- The script will run and should remove the required updates for your version of Windows and reboot the machine to complete the recovery