Enterprise security administrators who have deployed the Microsoft Security Baseline and enabled System Guard Secure Launch may experience boot issues on Windows 10 v1809 and Windows Server 2019 systems with UEFI Secure Boot.

According to Microsoft's Aaron Margosis, the issue can impact any of the systems where the very specific set of conditions detailed above is present.

This is an unpredictable bug given the complex combination of factors needed to trigger it, and Margosis says that:

The issue manifests itself after taking an update, whereupon the device reboots into a blank screen. The issue has been root caused to a problem with catalog file validation, and whether it shows up is highly dependent on the set and order of signed components in the boot path, so it is not predictable when or whether a system will hit this issue.

The boot issues caused by this bug will affect all Windows computers where the System Guard Secure Launch setting is enabled "regardless of whether the underlying hardware support for the feature is present," says Margosis.

To be more exact, the systems that could be affected by this issue are those where administrators have installed Microsoft Security Compliance Toolkit 1.0 and have enabled the System Guard Secure Launch (ConfigureSystemGuardLaunch) setting.

Furthermore, only users of Windows 10 Education and Windows 10 Enterprise are potentially affected by this bug, since the ConfigureSystemGuardLaunch policy was added only to these two editions; Home, Pro, and Business have been skipped so far.

Affected Windows 10 versions

The System Guard Secure Launch setting will protect the Virtualization Based Security environment from "exploited vulnerabilities in device firmware" on supported hardware configurations.

Microsoft is currently working on a fix that will be released through Windows Update, but until that is available there is a workaround for customers impacted by this bug:

[..] customers who are affected may revert the “ConfigureSystemGuardLaunch” Group Policy setting to “Not Configured” or configure it to “Disabled” to alleviate this issue. This should be a temporary workaround until this issue is addressed in a Windows update.
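As an added example (not code from the article or from Microsoft), the following PowerShell audit reports whether a machine matches the risky combination the article describes: the setting enabled, Windows 10 v1809 / Windows Server 2019, and UEFI Secure Boot on. It assumes the policy is stored as the DWORD ConfigureSystemGuardLaunch under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard (0 = Not Configured, 1 = Enabled, 2 = Disabled) and that v1809 / Server 2019 report build 17763.

```powershell
# Added audit script; not the article's or Microsoft's code.
# Assumptions (not stated in the article):
#   - the policy is stored as DWORD ConfigureSystemGuardLaunch under
#     HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
#     (0 = Not Configured, 1 = Enabled, 2 = Disabled)
#   - Windows 10 v1809 and Windows Server 2019 report build 17763
# Run in an elevated PowerShell session.

function Get-SecureLaunchBootRisk {
    [CmdletBinding()]
    param()

    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $policy = Get-ItemProperty -Path $policyPath -Name 'ConfigureSystemGuardLaunch' `
                               -ErrorAction SilentlyContinue
    # A missing value means the policy is "Not Configured"
    $setting = if ($null -eq $policy) { 0 } else { [int]$policy.ConfigureSystemGuardLaunch }
    $settingName = @{ 0 = 'Not Configured'; 1 = 'Enabled'; 2 = 'Disabled' }[$setting]
    if (-not $settingName) { $settingName = "Unknown ($setting)" }

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $build   = [int]$os.BuildNumber
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # Confirm-SecureBootUEFI throws on legacy BIOS machines, which are not affected
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # Per the article: the bug hits when the setting is Enabled on v1809 / Server 2019
    # with UEFI Secure Boot, regardless of hardware support for Secure Launch
    $atRisk = ($setting -eq 1) -and ($build -eq 17763) -and $secureBoot

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Edition             = $edition
        Build               = $build
        SecureBootEnabled   = $secureBoot
        SecureLaunchPolicy  = $settingName
        AtRiskOfBlankScreen = $atRisk
        Action              = if ($atRisk) {
            'Set ConfigureSystemGuardLaunch to Not Configured or Disabled in the GPO before the next update'
        } else { 'None' }
    }
}

Get-SecureLaunchBootRisk | Format-List
```

The script only reports; on domain-joined machines the registry value is rewritten on every Group Policy refresh, so the workaround must be applied in the GPO itself rather than by editing the local value.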
