Microsoft patches crash Dell Data Protection-Encryption and CMGShield

Black Tuesday patches cause blue screens of death on DDP-E encrypted machines, black recovery screens for CMGShield

Current Job Listings

It appears as if installing a group of patches in this month's Black Tuesday crop causes BSODs on PCs encrypted with Dell Data Protection-Encryption or forces CMGShield-protected PCs into a lockup, with a black recovery screen. Although Dell posted information identifying the problem late Thursday in Quick Tip 653764, there's still no word on precisely which Black Tuesday patches trigger the anti-tampering lockout. There's a fix, but it's complex.

Dell says the problem occurs on Windows 7 and 8 PCs with CMG or DDP-E, either Enterprise or Personal Edition. Dell has heard -- as have I -- that "applying the patches individually instead of in a group causes the anti-tampering protections to not be tripped. Dell is working on confirming this hypothesis."

That was Thursday, this is Monday, and Dell hasn't yet confirmed the hypothesis. We know that at least one Black Tuesday patch triggers the freeze, and it's likely that more than one has to be applied at the same time -- but we don't know which patches or in what order.

The whole situation is reminiscent of a similar problem with KB 2506143, a Windows Management Framework 3.0 Black Tuesday patch from January of this year, which similarly locked up and kept DDP-E users out of their machines. Dell describes the problem in Quick Tip 642141. Dell had to change and re-release DDP-E to fix the problem.

Dell describes the earlier KB 2506143/QT 642141 problem this way:

The update alters the Windows operating system environment in a way that triggers the built-in OS attack prevention. At this point, the OS cannot load the registry and allow Windows to load properly. ...

System Data Encryption must be able to open its key while the operating system is booting, without intervention of a password by the user. The SDE policy's intent is to prevent alteration or offline attacks on the operating system by an attacker. SDE is not intended for user data. Common and user key encryption are intended for sensitive user data because they require a user password in order to unlock encryption keys.

While we haven't heard anything from Dell about the details of the current problem, QT 653764, it sounds very similar to the older problem, QT 642141. If the two turn out to be related, it raises the question of why Dell didn't see -- and warn about -- the problem the minute this month's Black Tuesday patches hit the ether.

The new support article, QT 653764, has an abbreviated description of how to run an SDE recovery to get clobbered machines back working. There's a much more detailed explanation in the old Quick Tip 642141.

Credant Technologies, which Dell acquired in December 2012, continues to support DDP-E and CMG. If you have customers who've encountered this problem, Credant asks that you collect the pertinent data -- Shield version, updates that were applied, OS version, service pack, 32- or 64 bit, Office versions -- and send the information to the Dell Credant team.

This story, "Microsoft patches crash Dell Data Protection-Encryption and CMGShield," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.