Device42 – Official Blog

Proactively Isolating and Resolving Major Incidents Including KB5040442 and KB5040427 Before They Impact End Users

Another update incident has been identified, only a week after the well-publicized CrowdStrike Falcon update that caused Windows machines to blue screen immediately, resulting in significant frustration and financial losses for customers globally. In this case, a Microsoft security update causes the BitLocker recovery screen to appear when the Windows machine reboots, once again locking users out of their systems and requiring IT staff to restore production environments. The updates that trigger this behaviour are KB5040442 and KB5040427, released on July 9, 2024**.

According to the Microsoft technical note*, an affected device boots into the BitLocker recovery screen and starts normally once the recovery key has been entered. Users or IT administrators therefore need the BitLocker recovery key for each affected machine. The note points users to the recovery key portal, reached by logging in with their Microsoft account; in a managed environment the key is normally escrowed wherever the organization keeps BitLocker keys (for example Active Directory or Entra ID), so confirming that every at-risk machine has an escrowed key before its next reboot is the first practical check. Since the issue only arises after these KB updates are installed on an affected Windows version, IT administrators who follow IT Asset Management best practices are well positioned to limit the impact in their corporate environment. They can isolate the affected machines and act on them: uninstall the update where that is acceptable (it is a cumulative security update, so removing it also removes that month's security fixes), or inform users of the recovery procedure for machines that have not yet rebooted or have not yet hit the problem. They can also identify Windows machines that have stopped responding, much as in the CrowdStrike blue-screen scenario, and start recovery before users report the issue.

Looking at the Microsoft technical details*, the impacted environments are those running one of the following operating system versions with the July 2024 security update installed. KB5040442 is the Windows 11 22H2/23H2 package and KB5040427 the Windows 10 22H2/21H2 package; the other listed versions received the same month's update under their own KB numbers, so an inventory search for only these two KB numbers will not surface affected servers.

  • Windows 11 versions: 23H2, 22H2, and 21H2
  • Windows 10 versions: 22H2 and 21H2
  • Windows Server versions: 2022, 2019, 2016, 2012 R2, 2012, 2008 R2, and 2008

In Device42, the impacted machines can be isolated quickly in the Software Assets/Components views, which list the applications and updates installed across the devices in the IT environment.

Drilling down into the Windows 10 and 11 machines identified as having the KB update installed shows the IT team the specific devices, their locations and users, and when the security update was installed on each.

The CMDB query that identifies and isolates these machines can also be used to generate quick reports, or combined with additional CMDB data such as locations, application dependencies and impacted users, to guide the IT team in forming an action plan to mitigate the risk.

Another effective approach is to identify hosts that did not respond in the latest discovery scan, or hosts running one of the operating system versions associated with the impacted environments. This lets IT organizations act proactively, addressing the incident before it reaches end users, or helps contain the problem once it has been identified. The techniques for using the CMDB to accelerate incident and problem resolution are covered in “How Effective IT Asset Management Accelerates Response and Resolution of the CrowdStrike Falcon Sensor and Similar Incidents”.
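The triage described above (isolate devices with the KB installed, join them with location and owner data, and separately flag hosts on an affected OS that failed the latest discovery scan) as an added example in Python. This is not Device42 code or its query language; it assumes two constructed CSV exports of the kind a CMDB can produce, and the column names, hostnames, users and locations are made up for the example. It also goes slightly beyond the text by normalising component names such as "Security Update for Microsoft Windows (KB5040442)" to a bare KB number, since inventories rarely store the KB alone.

```python
"""Triage a CMDB / asset-inventory export for the July 2024 BitLocker-recovery
issue. Added example, not Device42's own code. Assumes two CSV exports
(column names are assumptions): a software-components export with one row per
installed update per device, and a device export with OS, location, owner and
the result of the latest discovery scan."""
import csv
import io
import re
from collections import defaultdict

# The two packages named in the Microsoft note: KB5040442 for Windows 11
# 22H2/23H2 and KB5040427 for Windows 10 22H2/21H2.
IMPACTED_KBS = {"KB5040442", "KB5040427"}

# OS versions Microsoft listed as affected by the July 2024 security update.
IMPACTED_OS = {
    "Windows 11 23H2", "Windows 11 22H2", "Windows 11 21H2",
    "Windows 10 22H2", "Windows 10 21H2",
    "Windows Server 2022", "Windows Server 2019", "Windows Server 2016",
    "Windows Server 2012 R2", "Windows Server 2012",
    "Windows Server 2008 R2", "Windows Server 2008",
}

# Constructed sample exports; hostnames, users and locations are made up.
SOFTWARE_CSV = """device,component,installed_on
ws-001,Security Update for Microsoft Windows (KB5040442),2024-07-10
ws-001,Example Endpoint Agent 4.2,2024-05-02
ws-002,Security Update for Microsoft Windows (KB5040427),2024-07-11
ws-003,Example Endpoint Agent 4.2,2024-05-02
ws-004,Security Update for Microsoft Windows (KB5040442),2024-07-12
"""

DEVICE_CSV = """device,os,location,owner,last_discovery
ws-001,Windows 11 23H2,London,alice,ok
ws-002,Windows 10 22H2,Berlin,bob,ok
ws-003,Windows 10 22H2,Berlin,carol,ok
srv-01,Windows Server 2019,Berlin,,unreachable
srv-02,Windows Server 2022,London,,ok
lx-01,Ubuntu 22.04,London,dave,unreachable
"""

KB_RE = re.compile(r"KB\s?(\d{6,7})", re.IGNORECASE)


def load_rows(csv_text):
    """Parse a CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def kb_number(component):
    """Normalise '... (KB5040442)' or 'kb 5040442' to 'KB5040442'; None if no KB."""
    m = KB_RE.search(component)
    return f"KB{m.group(1)}" if m else None


def impacted_devices(software_rows, device_rows):
    """Devices with an impacted KB installed, joined with the device export so
    each hit carries OS, location, owner and install date. A device present in
    the software export but missing from the device export is kept with its
    attributes marked unknown rather than silently dropped."""
    devices = {d["device"]: d for d in device_rows}
    hits = {}
    for row in software_rows:
        kb = kb_number(row["component"])
        if kb not in IMPACTED_KBS:
            continue
        info = devices.get(row["device"], {})
        hits[row["device"]] = {
            "kb": kb,
            "installed_on": row["installed_on"],
            "os": info.get("os", "unknown"),
            "location": info.get("location", "unknown"),
            "owner": info.get("owner") or "unassigned",
        }
    return hits


def by_location(hits):
    """Group impacted device names per location, sorted for stable reports."""
    groups = defaultdict(list)
    for name, info in hits.items():
        groups[info["location"]].append(name)
    return {loc: sorted(names) for loc, names in sorted(groups.items())}


def unresponsive_on_impacted_os(device_rows):
    """Hosts that did not answer the latest discovery scan and run one of the
    listed OS versions: candidates already sitting at the BitLocker recovery
    screen. Non-Windows hosts are excluded even when unreachable."""
    return sorted(d["device"] for d in device_rows
                  if d["last_discovery"] != "ok" and d["os"] in IMPACTED_OS)


def triage(software_csv=SOFTWARE_CSV, device_csv=DEVICE_CSV):
    software_rows = load_rows(software_csv)
    device_rows = load_rows(device_csv)
    hits = impacted_devices(software_rows, device_rows)
    return {"impacted": hits, "by_location": by_location(hits),
            "check_first": unresponsive_on_impacted_os(device_rows)}


if __name__ == "__main__":
    report = triage()
    for name, info in sorted(report["impacted"].items()):
        print(f"{name}: {info['kb']} installed {info['installed_on']} "
              f"({info['os']}, {info['location']}, owner {info['owner']})")
    print("by location:", report["by_location"])
    print("unresponsive on an affected OS:", report["check_first"])
```

On the sample data the report lists ws-001, ws-002 and ws-004 as impacted (ws-004 with unknown location and owner, a gap the IT team should close rather than ignore), and srv-01 as the one unreachable host on an affected OS; lx-01 is also unreachable but runs Ubuntu, so it is left out of the "check first" list.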

Sources:

*https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23h2#devices-might-boot-into-bitlocker-recovery-with-the-july-2024-security-update

**https://www.neowin.net/news/kb5040442–kb5040427-microsoft-confirms-windows-pcs-boot-into-bitlocker-recovery/

Ido Benmoshe
About the author

SVP, Product Management
Device42, A Freshworks Company