Stop error on Lenovo ThinkPad that has KB4568831 or a later update and Enhanced Windows Biometric Security enabled in UEFI

Applies to: Windows 10 version 2004 all editions

Important
This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Symptoms

You have a Lenovo ThinkPad device that has received the July 31, 2020—KB4568831 (OS Build 19041.423) Preview update or a newer update. The device also has Enhanced Windows Biometric Security enabled in the UEFI, and it runs Lenovo Vantage software.

The device experiences a Stop error (also known as a bugcheck or blue screen error). The codes that are associated with the error are “SYSTEM_THREAD_EXCEPTION_NOT_HANDLED” (in the Stop error message screen) and “0xc0000005 Access Denied” (in memory dumps files and other logs). The associated process is ldiagio.sys.

Cause

Windows devices that receive July 31, 2020—KB4568831 (OS Build 19041.423) Preview or newer updates restrict how processes can access peripheral component interconnect (PCI) device configuration space under specific conditions. Processes that have to access PCI device configuration space must use officially supported mechanisms.

Enabling the Enhanced Windows Biometric Security option in the UEFI of Lenovo ThinkPad devices that were manufactured in 2019 or 2020 meet the conditions that trigger this behavior. When Lenovo Vantage software runs, some versions may try to access PCI device configuration space in an unsupported manner. This action causes a Stop error to occur.

Workaround

Warning
This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

To temporarily mitigate this problem, edit the device UEFI configuration (in the Security > Virtualization section) to disable Enhanced Windows Biometric Security. This change disables the restrictions that are enabled by the SDEV table and VBS.

Status

Lenovo and Microsoft are working on a fix for this problem. For updated Lenovo Vantage support information about this problem, see Lenovo HT511000.

More information

Windows devices that receive the July 31, 2020—KB4568831 (OS Build 19041.423) Preview or later updates restrict how processes can access peripheral component interconnect (PCI) device configuration space if a Secure Devices (SDEV) ACPI table is present and Virtualization-based Security (VBS) is running. Processes that have to access PCI device configuration space must use officially supported mechanisms.

The SDEV table defines secure hardware devices in ACPI. VBS is enabled on a system if security features that use virtualization are enabled. Some examples of these features are Hypervisor Code Integrity or Windows Defender Credential Guard.

The new restrictions are designed to prevent malicious processes from modifying the configuration space of secure devices. Device drivers or other system processes must not try to manipulate the configuration space of any PCI devices, except by using the Microsoft-provided bus interfaces or IRPs. If a process tries to access PCI configuration space in an unsupported manner (such as by parsing MCFG table and mapping configuration space to virtual memory), Windows denies access to the process and generates a Stop error.

Enabling the Enhanced Windows Biometric Security option in the UEFI of Lenovo ThinkPad devices that were manufactured in 2019 and 2020 enables an SDEV table. When Lenovo Vantage software runs, some versions may try to access PCI device configuration space in an unsupported manner. This action causes a Stop error. The error is typically displayed as described in the “Symptoms” section.

Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Third-party contact disclaimer
Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.

Source: https://support.microsoft.com/en-au/...ter-update-and

Posted By: Brink
17 Sep 2020