Environment
- Cb Protection 8.0.0.2562 (Patch 6)
- Windows 10 (All builds and versions)
Symptoms
- Tamper Protection appears to block various aspects of Windows 10 upgrades.
- The endpoint suffers a BSOD.
- Error messages in logs can include:
  - \registry\machine\sp_hive_load_alias_software\microsoft\cryptography\oid\encodingtype 0\cryptsipdllcreateindirectdata\{000c10f1-0000-0000-c000-000000000046}\' by 'NT AUTHORITY\SYSTEM' was blocked.
  - \registry\machine\software\wow6432node\microsoft\windows\currentversion\uninstall\{da971ca3-73aa-4a57-afb4-8155e72ceb96}\sestimatedsize2' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection.
- The Windows 10 upgrade displays an "upgrade failed" error.
Cause
The "Windows Hardening" Rapid Config was changed to add a new section that blocks modifications to the registry keys that control which DLLs are used to verify file signatures.
Resolution
- Verify that version 24 or later of the Rapid Config is running in the environment.
  a. From the Cb Protection console, go to "Rules" > "Software Rules" > "Rapid Config" and edit "Windows Hardening". Ensure "Version" is at 24 or higher.

- Add "?:\$windows.~bt\sources\setuphost.exe" to the "Processes allowed to modify these registry keys" list.

Additional Notes
A permanent fix for this issue will be released in a later version of Cb Protection.