Hello everyone,
For a month and a half I have been looking for a bug that does not allow the September, October (KB5031361) and subsequent updates to be installed on Windows Server 2019. The updates are installed during operation, and the machine is restarted so that the Windows update progress runs up to 30%, and then the machine resets itself. During the boot process, however, the machine no longer displays the familiar Windows loading bar (dots), but instead boots directly into WinRE. A normal boot process is no longer possible. Either you use the Windows start help, which applies a "repair", or you try to set the start mode to "Safe mode" before WinRE. Both result in a Windows Update Rollback being started, which uninstalls the September updates and allows the VM to start normally again. (However, the SSU remains present.)
After ages of log searching, various repair attempts, etc., Hyper-V finally brought the breakthrough. A backup of the VM and copying the hard disk to Hyper-V allowed the VM to start normally, the update to start completely and without problems. From this point on, I knew that Windows could not be the actual problem.
After further searching, I finally came across the "KVM" option. After deactivating the option, the updates could be installed without any problems, the machine boots and works normally. If I activate the KVM option again after the update, the machine no longer boots.
After more back and forth, I came across the Credential Guard option. This option is used in the affected infrastructure and actually causes the error, but only from the September and October update. The August update had no problems at all.
If you delete the respective registry values, deactivate the GPO etc., everything works perfectly again with KVM and the respective updates. You can see whether Credential Guard is activated under "msinfo", for example.
The real question is, do so few people use Credential Guard in conjunction with KVM, is it possibly only your own infrastructure that is affected and where and how do you report such an error with low level debugging logs?
A very interesting aspect after deactivating Credential Guard is that the performance of the respective machine feels significantly better.
https://learn.microsoft.com/en-us/w...abs=reg#disable-virtualization-based-security
Proof of Concept:
Install a clean version of Windows 2019, install all updates specified by Microsoft and restart the machine. Then set the following registry value:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard
"Enabled"=dword:00000001
Restart the machine.
I have only been able to check the German image version so far. Windows 2022 is not affected by the problem.
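A scripted version of the msinfo check mentioned above, as an added example that is not part of the original post: it reads the Win32_DeviceGuard CIM class and the SystemGuard registry value from the proof of concept, so a guest's virtualization-based security state can be recorded before an update is installed. The function names, and the two extra registry values EnableVirtualizationBasedSecurity and LsaCfgFlags, are additions that do not appear in the post.

```powershell
# Added example: report the VBS / Credential Guard state of a Windows guest.
# Run in an elevated PowerShell session inside the VM.
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI'
                   3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$vbsStates    = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function ConvertTo-ServiceList {
    param($Codes)
    # Map Win32_DeviceGuard service codes to names; 0 means "none" and is dropped.
    $names = @($Codes | Where-Object { $_ -gt 0 } |
               ForEach-Object { $serviceNames[[int]$_] })
    if ($names.Count -gt 0) { $names -join ', ' } else { 'None' }
}

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        VbsStatus          = if ($dg) { $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus] }
                             else { 'Unknown (Win32_DeviceGuard unavailable)' }
        ServicesConfigured = if ($dg) { ConvertTo-ServiceList $dg.SecurityServicesConfigured }
                             else { 'Unknown' }
        ServicesRunning    = if ($dg) { ConvertTo-ServiceList $dg.SecurityServicesRunning }
                             else { 'Unknown' }
        # Registry value set in the post's proof of concept:
        SystemGuardEnabled = Get-RegValue "$base\DeviceGuard\Scenarios\SystemGuard" 'Enabled'
        # Related values (not from the post) that turn on VBS and Credential Guard:
        EnableVbs          = Get-RegValue "$base\DeviceGuard" 'EnableVirtualizationBasedSecurity'
        LsaCfgFlags        = Get-RegValue "$base\Lsa" 'LsaCfgFlags'
    }
}

Get-VbsReport | Format-List
```

Empty registry fields mean the value is not set locally; a GPO-delivered setting would appear under the policy hive instead, which this script does not read.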