Microsoft warns: This Windows 10 workaround to cure Lenovo ThinkPad BSODs hits security
Microsoft has finally published a support document detailing its workaround for the August 2020 Patch Tuesday update for Windows 10 version 2004 that caused blue screens of deaths (BSODs) on newer Lenovo ThinkPads and broke Windows Hello biometric login.
Users started reporting issues after the cumulative August update KB566782 for Windows 10 version 2004; the problem affected Lenovo ThinkPads made in 2019 and 2020. However, Microsoft notes that the issue actually first appeared in the July 31, 2020 KB4568831 (OS Build 19041.423) Preview.
Lenovo offered a workaround that involved disabling the Enhanced Windows Biometric Security setting in BIOS Setup in the security and virtualization settings section.
The issue occurred when Lenovo’s Vantage app, which updates hardware drivers, attempted to use the Intel Management Engine to interface with firmware; with the security update installed and the BIOS setting enabled, that access is blocked.
Microsoft has now published a detailed rundown of the bug, its symptoms, cause and its workaround. It’s the same as Lenovo’s earlier workaround but comes with a stern security warning from Microsoft. Microsoft also explains how Lenovo Vantage violates Microsoft’s security controls in Windows.
Users might bypass the BSOD screen, but they are endangering their computers by implementing the workaround, according to Microsoft.
The workaround also affects some of Microsoft’s latest security features for Windows 10, such as Hypervisor-protected Code Integrity (HVCI), which shields the OS from malicious drivers, as well as Windows Defender Credential Guard.
“This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk,” Microsoft states.
Microsoft explains that devices with the July 31, 2020 KB4568831 (OS Build 19041.423) Preview or later updates “restrict how processes can access peripheral component interconnect (PCI) device configuration space if a Secure Devices (SDEV) ACPI table is present and Virtualization-based Security (VBS) is running”.
“Processes that have to access PCI device configuration space must use officially supported mechanisms,” it adds.
According to Microsoft, the new restrictions aim to prevent malicious processes from modifying the configuration space of secure devices, such as peripherals. Windows requires device drivers to go through its own bus interfaces when they change the configuration space of these devices.
“If a process tries to access PCI configuration space in an unsupported manner (such as by parsing MCFG table and mapping configuration space to virtual memory), Windows denies access to the process and generates a Stop error,” Microsoft explains.
It adds: “When Lenovo Vantage software runs, some versions may try to access PCI device configuration space in an unsupported manner. This action causes a Stop error.”
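The restriction Microsoft describes only applies when two conditions hold: VBS is running and the firmware exposes an SDEV ACPI table. The following PowerShell script is an added example (not code from Microsoft, Lenovo or the support document) that reports both conditions on the local machine, together with the VBS-backed services (HVCI and Credential Guard) the workaround would weaken. It relies only on the documented Win32_DeviceGuard CIM class and the kernel32 EnumSystemFirmwareTables API; the property names and class path are assumed from their public documentation and the script should be run from an elevated prompt.

```powershell
# Added example, not Microsoft's or Lenovo's code: report whether this device is in the
# configuration the support document describes (VBS running with an SDEV ACPI table present)
# and which VBS-backed protections the BIOS workaround would remove. Run elevated.

# Win32_DeviceGuard is the documented CIM class for VBS state (assumed from public docs).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Hypervisor-protected Code Integrity)
$servicesRunning        = [int[]]$dg.SecurityServicesRunning
$credentialGuardRunning = $servicesRunning -contains 1
$hvciRunning            = $servicesRunning -contains 2

# Enumerate ACPI table signatures through the documented kernel32 API EnumSystemFirmwareTables.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class FirmwareTables {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint EnumSystemFirmwareTables(uint providerSignature, byte[] buffer, uint bufferSize);
}
"@
$acpiProvider = 0x41435049   # 'ACPI' packed as a DWORD, as the Win32 docs specify
# First call with a null buffer returns the number of bytes required.
$needed = [FirmwareTables]::EnumSystemFirmwareTables($acpiProvider, $null, 0)
$buffer = New-Object byte[] $needed
[void][FirmwareTables]::EnumSystemFirmwareTables($acpiProvider, $buffer, $needed)
# The buffer is a packed list of 4-byte table signatures, e.g. 'FACP', 'SSDT', 'SDEV'.
$signatures = for ($i = 0; $i + 4 -le $buffer.Length; $i += 4) {
    [System.Text.Encoding]::ASCII.GetString($buffer, $i, 4)
}
$sdevPresent = $signatures -contains 'SDEV'

[pscustomobject]@{
    VbsRunning             = $vbsRunning
    HvciRunning            = $hvciRunning
    CredentialGuardRunning = $credentialGuardRunning
    SdevTablePresent       = $sdevPresent
    AcpiTables             = ($signatures | Sort-Object -Unique) -join ' '
    # True means the PCI configuration-space restriction from KB4568831 applies here.
    PciConfigRestricted    = ($vbsRunning -and $sdevPresent)
}
```

If PciConfigRestricted is true, any software that touches PCI configuration space outside the supported bus interfaces will trigger the Stop error described above; if HvciRunning or CredentialGuardRunning is true, those are the protections that the BIOS workaround trades away.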
The good news for affected ThinkPad users is that Microsoft and Lenovo are working together on a fix. However, Microsoft hasn’t said when that will be available.
The error codes affected users would see include: ‘SYSTEM_THREAD_EXCEPTION_NOT_HANDLED’ in the Stop error message screen, and ‘0xc0000005 Access Denied’ in memory dump files and other logs. The associated driver file is ldiagio.sys.
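For anyone triaging crash reports from a ThinkPad fleet, the three indicators above can be checked mechanically. The script below is an added example (not from Microsoft, Lenovo or the support document) that matches crash evidence lines against them. The sample lines are constructed to resemble a System event log BugCheck entry and a debugger summary; they are not real captures, and the function name is hypothetical. The numeric code 0x0000007e in the pattern is the bug check number for SYSTEM_THREAD_EXCEPTION_NOT_HANDLED, which the article does not mention.

```powershell
# Added example, not Microsoft's or Lenovo's code: test crash evidence against the three
# indicators the support document lists (bug check name, 0xc0000005 status, ldiagio.sys).

function Test-PciConfigStopSignature {
    param([Parameter(Mandatory)][string[]]$Lines)

    $text = $Lines -join "`n"
    # 0x7E is the numeric bug check code for SYSTEM_THREAD_EXCEPTION_NOT_HANDLED.
    $bugCheck   = $text -match 'SYSTEM_THREAD_EXCEPTION_NOT_HANDLED|bugcheck was: 0x0000007e'
    $accessCode = $text -match 'c0000005'
    $driver     = $text -match 'ldiagio\.sys'

    [pscustomobject]@{
        BugCheckMatch     = $bugCheck
        AccessCodeMatch   = $accessCode
        DriverMatch       = $driver
        # All three together form the fingerprint the support document describes.
        MatchesKnownIssue = ($bugCheck -and $accessCode -and $driver)
    }
}

# Constructed sample lines (not real logs): an Event ID 1001 BugCheck entry plus debugger output.
$sample = @(
    'The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007e (0xffffffffc0000005, 0xfffff80012345678, 0xffffa00011112222, 0xffffa00011113333).',
    'A dump was saved in: C:\Windows\MEMORY.DMP.',
    'MODULE_NAME: ldiagio   IMAGE_NAME:  ldiagio.sys'
)
Test-PciConfigStopSignature -Lines $sample | Format-List
```

For the constructed sample all three indicators match, so MatchesKnownIssue is true; a crash that matches only the bug check name but not the driver is probably a different problem and should not be treated as this issue.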