Slow boot times and performance after you install Microsoft Windows April 2019 updates or later on a system with Endpoint Security

Technical Articles ID: KB91465
Last Modified: 7/15/2020

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
For affected Microsoft Windows versions, see KB91476.
Microsoft Windows April 2019 update KBs or later Windows monthly updates

Summary

Recent updates to this article

Date	Update
July 15, 2020	Minor formatting change.
June 13, 2019	Updated that ENS 10.5.5 May Update is General Availability.
May 16, 2019	Updated that this issue applies to Windows April 2019 update KBs or later Windows monthly updates.
May 14, 2019	Updated the Solution with the fixed in versions ENS 10.5.5 May Update and ENS 10.6.1 May Update.
April 24, 2019	Added a link to the Microsoft article with details about the fix for CSRSS included in the Windows April 2019 updates.

Problem

The following issues might occur after you install Windows April 2019 update KBs or later Windows monthly updates on systems with ENS:

Slow start times
Slow performance

Cause

Changes in the Windows April 2019 updates and later Windows monthly updates for Client Server Runtime Subsystem (CSRSS) introduced a potential deadlock with ENS.

Researching the effects of applying the Windows April 2019 updates or later in your environment:

McAfee confirmed issues in some scenarios after the Windows April 2019 updates or later are applied where user-defined Access Protection rules that protect services are present.

To identify user-defined Access Protection rules in ENS in ePO:
1. Log on to the ePO console.
2. Open the menu and choose Policy Comparison under the Policy section.
3. Select Endpoint Security Threat Prevention from the Product drop-down list. It defaults to the Access Protection policy type.
4. In the first column, select the McAfee Default policy.
5. In the second column, select the policy used in your environment.
  NOTE: If you use more than one policy, you must repeat these steps for each policy.
6. Choose Show Only Differences at the top of the screen. Access Protection rules that use the Inclusion status of Include and that have a Class type of Services could contribute to the behavior mentioned in this article. They can be set to report only, disable block, to alleviate these symptoms.
To identify user-defined Access Protection rules in ENS locally:
1. From the Windows notification area, right-click the McAfee icon and select McAfee Endpoint Security.
  NOTE: If a password is set, log on as an administrator to continue.
2. Double-click Threat Prevention.
3. Click Show Advanced.
4. Select Access Protection from the menu on the left.
5. Scroll down to Rules.
6. Review user-defined rules because these rules could contribute to the behavior mentioned in this article. Access Protection rules that use the Inclusion status of Include and that have a Class type of Services could contribute to the behavior mentioned in this article. They can be set to report only, disable block, to alleviate these symptoms.

Solution

If no user-defined Access Protection rules are present:

There are no identified conflicts with the Windows April 2019 updates or later.

If user-defined Access Protection rules are present:

Option 1: This conflict is resolved in ENS 10.5.5 May Update and ENS 10.6.1 May Update.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: https://www.mcafee.com/enterprise/en-us/downloads/my-products.html.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download Enterprise product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.
Option 2: Disable user-defined Access Protection rules identified by following the steps above.
NOTE: McAfee default Access Protection rules do not exhibit symptoms associated with the Windows April 2019 updates or later.

Related Information

For details about the fix for Client Server Runtime Subsystem (CSRSS) included in the Windows April 2019 updates, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0735.

Affected Products

Endpoint Security Threat Prevention 10.6.x
Endpoint Security Threat Prevention 10.5.x (EOL)
Known Issue/Product Defect

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Slow boot times and performance after you install Microsoft Windows April 2019 updates or later on a system with Endpoint Security

Environment

Summary

Problem

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Slow boot times and performance after you install Microsoft Windows April 2019 updates or later on a system with Endpoint Security

Environment

Summary

Problem

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title