Microsoft acknowledges that Windows 10 KB4568831 update is crashing Lenovo ThinkPads

If you have installed KB4568831 for Windows 10 on your Lenovo ThinkPad, you may well have encountered the crashing issues caused by the update. Those affected by the problem have been hit by SYSTEM_THREAD_EXCEPTION_NOT_HANDLED error messages, and 0xc0000005 Access Denied messages in log files and memory dumps.

Microsoft has now acknowledged that there is an issue and has offered details of a workaround -- although you may want to think about whether you really want to follow the mitigation advice because of the security implications.

See also:

• Microsoft is forcing the new Edge on users with KB4576754 update for Windows 10
• Windows 10 KB4571756 update is causing 'Element not found' errors in Windows Subsystem for Linux 2
• Microsoft has removed a useful driver updating feature from Windows 10

In a support document on its website, Microsoft confirms the issue and explains what is happening. The company says that devices that receive the KB4568831 update "restrict how processes can access peripheral component interconnect (PCI) device configuration space under specific conditions. Processes that have to access PCI device configuration space must use officially supported mechanisms".

Microsoft goes on to explain:

Enabling the Enhanced Windows Biometric Security option in the UEFI of Lenovo ThinkPad devices that were manufactured in 2019 or 2020 meet the conditions that trigger this behavior. When Lenovo Vantage software runs, some versions may try to access PCI device configuration space in an unsupported manner. This action causes a Stop error to occur.

This is in line with what Lenovo says on its own support pages where the company warns:

After installing the August 2020 cumulative update for Windows 10 Version 2004, users may notice one or more of the following symptoms:

• Blue Screen of Death (BSoD) when booting
• Blue Screen of Death (BSoD) when starting Lenovo Vantage
• Blue Screen of Death (BSoD) when running Windows Defender Scan
• Can't login by Face with Windows Hello
• Errors in Device Manager related to Intel Management Engine
• Errors in Device Manager related to IR Camera

The workaround suggested by Microsoft is to edit the device UEFI configuration to disable Enhanced Windows Biometric Security -- look in the Security > Virtualization section. The company notes that "this change disables the restrictions that are enabled by the SDEV table and VBS".

Microsoft also says that it is working with Lenovo to come up with a proper solution to the problem.

Image credit: hh / Shutterstock