Issues after Installation of today's Updates KB4494440


  • If you think the update is the cause then I'd uninstall it for a test. Also check the HP site to see if the update has been approved and/or reported. Also ask for help with HP hardware in forums here.

    https://community.hpe.com/t5/ProLiant-Servers-ML-DL-SL/bd-p/itrc-264#.XNs7A3lYZaQ

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, 15 May 2019 12:57
  • Hi Dave,

    Actually I am pretty sure that this update is the reason for the issue. As this update has been separated into two parts, I had to reboot after the first installation of this update package and then the second part has been installed.

    As this issue occurs only in combination with Hyper-V and used TPM Modules my Device is encrypted.

    The issue occurred after I entered my TPM Startup-Pin. The system then tells me that my Trusted Platform Module cannot be accessed and I should enter the recovery code.

    After I did this, the recovery system starts - which does not allow me to do anything but open a command prompt. I will have an eye on it, but I guess it will not be possible to uninstall the patch anyway.

    Cheers,

    Matthias


    Wednesday, 15 May 2019 14:07
  • I think you're going to have to ask HP for guidance on any possible recovery.


     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Wednesday, 15 May 2019 14:11
  • Hi Dave,

    Thanks for your fast response - how do you associate the update on CPU microcode with the occurring issue that the operating system cannot boot?

    Especially as I had to enter the recovery key and the system still does not boot.

    I will ask in the HP Forums for any similar experiences anyway. :)

    Cheers,

    Matthias

    Wednesday, 15 May 2019 14:22
  • Sorry, my bad, that was for 2008 R2 and older systems, so disregard. This one might help.

    https://support.hpe.com/hpsc/doc/public/display?docId=mmr_sf-EN_US000015515

     

     

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, 15 May 2019 14:32
  • Matthias,

    Have you tried to uninstall the patch through the command line?

    The wusa tool should allow you to do so.

    wusa /uninstall /kb:4494441

    -Nick

    Wednesday, 15 May 2019 15:29
  • Thanks Dave for looking for the document containing the former issue with TPM Chips on Hewlett Packard Systems. Very interesting, but as the Early TPM Chip initialization seemed to work fine I've seen the issue in the OS.

    Thanks Nick for your hint, but actually the Recovery System is unable to change anything on the damaged system itself. It offered me to automatically fix the startup issue, but that worked as expected - NOT. I've looked for a system restore point - but nothing worked.

    What helped temporarily was, instead of entering the Startup Pin and then entering the recovery as requested, to immediately use the recovery key instead of the Startup Pin - so the TPM Chip is not being used.

    After starting the OS I've checked the TPM Module in the device manager and there were no errors (This device is working properly).

    Also tpm.msc told me that the TPM is ready for use.

    I then just removed the startup-pin and reenabled it again.

    On the next reboot with the startup PIN entered I've got the same issues - now I took the opportunity and made some screenshots...

    Please escalate this issue to the Windows Server Support team - what's the next recommended step to check?

    I don't want to enter the recovery key on each boot - it's okay and luckily the recovery key was available :D but hey - seriously?... Seems as the update crashed the correct TPM connectivity behaviour...

    Cheers,

    Matthias

    [Screenshots: TPM Startup PIN Prompt; Bitlocker Startup PIN Prompt; Preparing Automatic Repair; 0xc0210000; Windows Server 2016; Bitlocker Recovery Key prompt; Choose an option; Advanced Options; The CMD]

    Wednesday, 15 May 2019 20:10
  • You can also start a support incident here with product support.

    https://support.microsoft.com/en-us/hub/4343728/support-for-business

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, 15 May 2019 20:13
  • Hi Dave,

    Thanks for the hint. I finally was able to have enough information to start another thread on the Hewlett Packard Community:

    https://community.hpe.com/t5/ProLiant-Servers-ML-DL-SL/Issues-with-488069-B21-Optional-HP-TPM-Module-and-Update/td-p/7046453

    Maybe this will be resolved faster than we could imagine ;)

    Cheers,

    Matthias

    Wednesday, 15 May 2019 20:25
  • Hope so. A suggestion is to post the screenshots also in HP forum post. My experience is users do not like to navigate to other forums for more information.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, 15 May 2019 20:28
  • thx done
    Wednesday, 15 May 2019 20:33
  • Looks good.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, 15 May 2019 20:35
  • Hi,

    I'm fighting with the same (or very similar) problem today.

    Except for the fact that it happened on a Dell PowerEdge R530 server, configuration (Hyper-V + TPM) and the symptoms are basically the same.

    Piotr

    Wednesday, 15 May 2019 21:29
  • Hi,

    I'm fighting with the same (or very similar) problem today.

    Except for the fact that it happened on a Dell PowerEdge R530 server, configuration (Hyper-V + TPM) and the symptoms are basically the same.

    Piotr

    Since a new issue I'd start a new thread.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, 15 May 2019 21:34
  • Well - I have another Server: HP G8 360DL Performance - the same issue once more.

    It seems to be indeed the combination Hyper-V + TPM + Windows Server 2016 + today's updates.

    In case someone opens another thread please reference to this so we can continue to work on that topic as I think it's all the same issue.

    Cheers,

    Matthias


    Wednesday, 15 May 2019 21:44
  • Hi,

    Have a look at the following threads of similar issue:

    https://support.microsoft.com/en-us/help/3189068/restart-failure-if-device-guard-or-credential-guard-isn-t-disabled-cor 

    https://answers.microsoft.com/en-us/surface/forum/all/cant-boot-from-usb-recovery-drive-with-c-drive/f63487af-02f3-4d6e-9c13-2867c67ab8b5

    Best regards,

    Yilia 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, 16 May 2019 03:04
    Moderator
  • Ditto.  I'm having the exact same issue on a new set of R730 and R740 Dell PowerEdge servers.  Thankfully, after getting the bitlocker key entered I was able to push through and get the updates to complete on all but 1 of my servers.  I used this particular server to help narrow down the problem:

    1.) If I attempted to install all the packages except KB4494440, I did not run into the Bitlocker issue. 

    2.) The moment I re-attempted to install KB4494440, I ran back into the bitlocker / TPMS issue. 

    3.) All my other servers that did not have Bitlocker enabled did not have any issues with installing KB4494440.  

    I can't help but wonder if the security changes added for the speculative execution side-channel vulnerabilities changed something to cause Bitlocker / TPMS issues.


    • Edited by jcochran75 Thursday, 16 May 2019 14:41
    Thursday, 16 May 2019 14:41

  • wusa /uninstall /kb:4494440


    Uninstalling the update helped in my case, but of course it's not a long term solution...

    Thursday, 16 May 2019 15:16
  • Thanks to all of you for sharing your thoughts - actually uninstalling would be my last option...

    Did someone already try to decrypt and re-encrypt - maybe with a TPM Clear between?

    Cheers,

    Matthias

    Thursday, 16 May 2019 16:35
  • I'm seeing the same issue on Lenovo hardware. Bitlocker Recovery key required after every reboot. I tried to suspend Bitlocker, reboot, and resume Bitlocker. That had no effect. I tried to disable bitlocker \ unencrypt, reboot, clear tpm. Then when I try re-enabling Bitlocker the pre-check fails. I then uninstalled KB4494440 and can re-enable Bitlocker.

    Update:

    Had this happen on 7 other systems so far. Removing the update stops the bitlocker recovery screen after each reboot.

    • Edited by Bill__V Thursday, 16 May 2019 21:48
    Thursday, 16 May 2019 21:20
  • Hi,

    It was reported as an issue after WS 2016 2019.5B (KB 4494440) on machines with Hyper-V + Bitlocker + HVCI enabled. 

    Current Solution

    You can get the machine to boot in two ways.

    • Enter the Bitlocker Recovery Key if available.

    • Use the recovery steps in KB 3189068 - Restart failure if Device Guard or Credential Guard isn't disabled correctly in Windows 10 Version 1607

    If there are any updates, I will post here.

    Best regards,

    Yilia 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, 17 May 2019 01:41
    Moderator
  • We have the same issue on Dell Hardware and the recovery steps in KB3189068 do not fix the issue!
    Friday, 17 May 2019 08:26
  • Same issue here:  HP Proliant DL380p Gen8 with TPM + Windows 2016 + Hyper-V

    Only workaround for now is to either remove the patch or temporarily suspend BitLocker with the below command. Keep in mind that suspending BitLocker will disable the TPM controls, so determine the best course of action for your environment.

    Suspend-BitLocker -MountPoint "C:" -RebootCount 0

    Friday, 17 May 2019 18:08
  • For me selecting last known good configuration boots up the system with the hotfix installed. But if you reboot again, you have to rinse and repeat the procedure.
    Friday, 17 May 2019 18:26
  • I opened a case with MS today, but they said they haven’t heard of the issue before. Pointed them to this thread as well.
    Friday, 17 May 2019 18:27
  • yeah - thanks man!
    Friday, 17 May 2019 23:52
  • This took both of my hosts offline. Entering Bitlocker key allowed them to boot. I turned off bitlocker on both servers and tried to remove the KB on one of the two hosts. It is currently just sitting on "getting windows ready don't turn off your computer" for over 15 min now.

    No choice but to wait for it to time out?

    This seems like a pretty bad issue....is there any word back from MS? The only info on the google is this thread.....

    Saturday, 18 May 2019 18:08
  • Hi,

    It was reported as an issue after WS 2016 2019.5B (KB 4494440) on machines with Hyper-V + Bitlocker + HVCI enabled. 

    Current Solution

    You can get the machine to boot in two ways.

    • Enter the Bitlocker Recovery Key if available.

    • Use the recovery steps in KB 3189068 - Restart failure if Device Guard or Credential Guard isn't disabled correctly in Windows 10 Version 1607

    If there are any updates, I will post here.

    Best regards,

    Yilia 

    I'm managing two Dell R440s with Server 2016 as Hyper-V Guarded Hosts (HVCI, secure boot, system Code Integrity policy, the whole nine yards). Entering the BitLocker Recovery Key just puts my system in a boot loop with WinRE. I can't start VMs on the affected host if BitLocker is disabled. Removing the update everything works as expected.
    Monday, 20 May 2019 14:40
  • Entering the BitLocker Recovery Key just puts my system in a boot loop with WinRE. I can't start VMs on the affected host if BitLocker is disabled. Removing the update everything works as expected.
    Did you try to select "advanced repair" and then "startup options"? When the system reboots, it asks for the bitlocker key again, then you can choose "last known good" and it will boot up with KB4494440 installed. Verified this on about 20 hosts. If you boot again, you are running into the same issue again.
    Monday, 20 May 2019 14:44
  • I did not try reverting to "last known good configuration" as I am worried it would cause additional issues that are unique to being a guarded host in an HGS (guarded fabric) environment. These servers are isolated so I'm not as concerned with running them without the latest security updates... for now.
    Monday, 20 May 2019 15:42
  • I have exactly the same problem with Fujitsu hardware (two different models - Server 2016 with Hyper-V). Disabling TPM and entering Recovery Key allowed me to boot the OS. Still waiting for the solution.
    Tuesday, 21 May 2019 11:15
  • Just to add another +1 to this issue.

    We're seeing the same issue on ~15 Fujitsu servers (RX2530 M2 & M4 hardware). All have TPM 2.0, and Windows Security Baseline GPOs applied, including the settings to enable Credential Guard.

    On a system with KB4494440 installed, we've run the usual BitLocker/TPM repair commands, to remove and re-add the TPM protector, with no success. e.g.

    First check both TPM and Numerical Password are listed: manage-bde C: -status

    Delete the protector: manage-bde C: -protectors -delete -type TPM

    Reboot and clear the TPM via the BIOS, then boot using the manually entered recovery key.

    Re-add the protector: manage-bde C: -protectors -add -TPM

    We've uninstalled KB4494440 and confirmed the systems boot correctly.

    To help others find this thread via Google, the error shown is...

    Status: 0xc0210000

    Info: A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.

    This seemingly affects Windows Server 2016 (1607) build 14393.2969 (KB4494440) and probably also the slightly later build 14393.2972 (KB4505052).

    Tuesday, 21 May 2019 13:29
  • I am having the same problem with a DL380 G7 + Windows 2016 + TPM 1.2 + Hyper-V. Had to uninstall KB45055052 and KB4494440 to fix issue. This is a newly rebuilt OS so it must be the Windows Update that is causing the issue.
    Tuesday, 21 May 2019 13:58
  • We installed latest HP firmware and Drivers as mentioned in the HP KB article, but still we get bitlocker key prompt during server restarts. Mitigation to uninstall KB4494440. 

    https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03933en_us

    We may need some updates from hardware vendors/Microsoft patch for permanent fix. Some additional link for your reference. 

    https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html

    https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling


    Wednesday, 22 May 2019 18:02
  • Hey folks,

    28 affected servers here. Having to suspend Bitlocker using the "-rebootcount 0" parameter. I'm sure uninstalling would work too, but I feel like we'd then need to stop Windows Updates to prevent re-installation.

    Affected servers all share the following similarities:

    • Server 2016 Standard 10.0.14393
    • TPM
    • Bitlocker protected boot drive
    • Hyper-V host
    • Installed KB4494440
    • 0xc0210000 on reboot if boot drive is Bitlocker protected

    Able to recover and boot successfully by booting to BIOS and then booting to "UEFI hard drive". After this, I was prompted for the Bitlocker recovery key and Windows booted successfully. The recovery steps must be repeated if a reboot occurs with Bitlocker enabled on boot drive.

    I have tried, without success, the following:

    • Registry entries mentioned in KB 3189068.
    • Decrypting, clearing TPM, encrypting the boot drive.
    • Disabling SecureBoot.

    As of now, we have settled on a scheduled script to suspend Bitlocker with reboot persistence.

    manage-bde -protectors -disable c: -rebootcount 0

    Best of luck to all,

    David


    • Edited by Ballarddm Wednesday, 22 May 2019 20:12
    Wednesday, 22 May 2019 20:11
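
    A read-only check for the combination the posts above have in common (Server 2016 build 14393, Hyper-V role, TPM-protected BitLocker OS volume, one of the updates named in this thread), added here as an example and not posted by any participant. The function name Get-BitLockerUpdateExposure is hypothetical; it assumes Windows Server with the BitLocker and ServerManager modules and an elevated session. It also flags hosts with no recovery password protector and hosts left with protection suspended.

```powershell
# Added example (not from the thread): read-only inventory, changes nothing.
# Assumes Windows Server with the BitLocker and ServerManager modules; run elevated.
function Get-BitLockerUpdateExposure {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Updates this thread reports as triggering the 0xc0210000 recovery prompt
        [string[]]$SuspectKb = @('KB4494440', 'KB4505052'),
        [string]$MountPoint = $env:SystemDrive
    )

    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $hyperV = [bool](Get-WindowsFeature -Name Hyper-V).Installed
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $found  = @(Get-HotFix |
                Where-Object { $SuspectKb -contains $_.HotFixID } |
                ForEach-Object { $_.HotFixID })

    # Protector types on the OS volume, e.g. Tpm, TpmPin, RecoveryPassword
    $types       = @($volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $usesTpm     = [bool]($types -like 'Tpm*')
    $hasRecovery = $types -contains 'RecoveryPassword'

    $encrypted = "$($volume.VolumeStatus)" -ne 'FullyDecrypted'
    # Encrypted but protection Off means suspended (the -RebootCount 0 workaround)
    $suspended = $encrypted -and ("$($volume.ProtectionStatus)" -eq 'Off')

    # Conditions the affected hosts in this thread had in common
    $affected = ($os.BuildNumber -eq '14393') -and $hyperV -and $encrypted -and
                $usesTpm -and ($found.Count -gt 0)

    $advice = if ($affected -and -not $hasRecovery) {
        'No recovery password protector: add and escrow one before any reboot'
    } elseif ($suspended) {
        'Protection is suspended: resume it (Resume-BitLocker) once the host is fixed'
    } elseif ($affected) {
        'Expect a recovery prompt on reboot: have the recovery key at hand'
    } else {
        'Does not match the configuration described in the thread'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OsBuild             = $os.BuildNumber
        HyperVRole          = $hyperV
        SuspectUpdates      = $found -join ','
        ProtectorTypes      = $types -join ','
        HasRecoveryPassword = $hasRecovery
        ProtectionSuspended = $suspended
        MatchesThreadConfig = $affected
        Advice              = $advice
    }
}

Get-BitLockerUpdateExposure | Format-List
```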
  • https://support.microsoft.com/en-us/help/4505821/some-devices-running-windows-server-with-hyper-v-enabled-may-start-int
    Thursday, 23 May 2019 07:05
  • Thanks for those who have gone before...

    Also affecting my Lenovo TS140, Server 2016 Standard Hyper-V host.

    Last week, with KB4494440, I was actually able to get past it just by typing the recovery key.

    Today, with the next cumulative update KB4505052, I had to go through the recovery environment procedure to suspend BitLocker.

    The instructions in KB4505821 say to unlock and suspend C:, but I found in my recovery environment, the OS drive, the one protected by the TPM, had changed letters to D:. Blogged with screen shots:

    https://www.mcbsys.com/blog/2019/05/bitlocker-failure-with-hyper-v-after-may-2019-updates/



    Sunday, 26 May 2019 22:00
  • Are you booting into VHDX on your Hyper-V host? We are and I suspect this is part of the problem. I booted the Hyper-V host from a Windows 2016 ISO, entered the bitlocker recovery key to access the volume where the VHDX sits on and then mounted the VHDX. I tried to unlock the VHDX but failed, the bitlocker recovery password was supposedly wrong.
    Monday, 27 May 2019 14:54
  • Having issues on Dell Hardware as well R540 here with HyperV and 2016 Standard and BitLocker.  Was able to reboot into "safe mode with networking" and the update failed so it rolled back to prior and rebooted a couple of times and is working but not patched.  I wanted to reply just to give another option for recovery as well as to track to see if an answer comes.  I have disabled the updates for now as I cannot have a production server boot with this happening.  Hope someone finds the answer to resolve this obvious Microsoft issue.


    Tuesday, 28 May 2019 14:30
  • thanks for sharing this!

    ha ha ha - joke of the day:

    Some devices running Windows Server with Hyper-V enabled may start into Bitlocker recovery with error 0xC0210000

    They have to correct: ALL DEVICES running this constellation are affected.

    And they should mention that meanwhile the devices are unprotected - no chance - wth....

    Thursday, 30 May 2019 19:40
  • Any update on this issue? I see the posted MS link below says "Microsoft is presently investigating this issue and will provide an update when available." We're in a holding pattern with the update uninstalled until there's a resolution. 
    Thursday, 6 June 2019 15:55
  • I have not seen a fix yet....
    Wednesday, 12 June 2019 12:40
  • Bill_V - Where did you see that posting that MS was investigating?


    Wednesday, 12 June 2019 12:44
  • Bill_V - Where did you see that posting that MS was investigating?


    https://support.microsoft.com/en-us/help/4505821/some-devices-running-windows-server-with-hyper-v-enabled-may-start-int
    Wednesday, 12 June 2019 13:04
  • The update released yesterday (https://support.microsoft.com/en-us/help/4503267/windows-10-update-kb4503267) didn't fix the issue, so we will need to wait a little bit longer...
    Wednesday, 12 June 2019 15:26
  • We hit this issue yesterday. Similar updates were applied to two HPE Gen 10 servers running Windows Server 2016. 

    The updates on the DR server were slow, but completed with no issue.

    The updates (KB4503267 and KB4503537) on the live server were slow, then the server would not boot.

    The error message states that the Windows Installation Disk has to be used to restart the computer. But we found that this is not required. 

    We pressed Enter (OS Selection). When the server rebooted, the option was given to enter the encryption key.

    As a test, we rebooted the server, and the same issue happened. I am not sure how the encryption key can be saved to prevent the issue happening again.

    We are seriously unimpressed. Two of us had to work in the office on Sunday evening to fix the problem.

    Monday, 17 June 2019 17:32
  • Microsoft just released KB457460 which finally fixes that issue...
    This is also noticed in KB https://support.microsoft.com/en-us/help/4505821/some-devices-running-windows-10-with-hyper-v-enabled-may-start-into-bi

    well done... 2 Months fix time for an enterprise product... seriously?
    ~ 5400 views within this time - this was rather a larger issue...
    Tuesday, 9 July 2019 21:18
  • Yes Matthias, this MS patch solved this issue. 

    Addresses an issue that may cause some devices with Hyper-V enabled to enter BitLocker recovery mode and receive the error, "0xC0210000".

    Wednesday, 10 July 2019 06:29
  • Confirmed fixed for me.
    Thursday, 11 July 2019 15:50