Multiple PCs getting stuck in boot loop

[TubsAlwaysWins]

Hello all, im a bit stumped on this one.

I have multiple different computers across a network that (at random) have been getting stuck in a boot loop. The message usually says 'Attempting to recover installation' followed by 'Undoing changes'. PCs wont ever leave the loop on their own.

In order to fix it I have been having to boot to Windows 10 USB installation media and changing the default operating system (Boot from specific Operating system > change default) where I am greeted with 3-5 different 'Windows 10 on volume X' images. Selecting the very last one on the list allows the computer to resume booting as normal. 

 

Any clue whats going on? I noticed this started happening right around the same time I did patches for PrintNightmare, but not sure what's causing it or where to start. 

Different models of PC at totally random times (Ie 3 broke at once and then a few days later another broke, and a few days later a different one)

Getting tired of recovering windows installs... 

 

Thanks

[Sprawlie]

I highly recommend booting to a safe USB stick that contains a malware scanner.

 

 

[TubsAlwaysWins]

8 minutes ago, Sprawlie said:

I highly recommend booting to a safe USB stick that contains a malware scanner.

 

 

I can try that. Each PC has Sophos A/V on it and I havent seen any detections so far... But who knows. I will do some digging.

Thanks

[Sprawlie]

What has me extremely EXTREMELY worried is this:

 

Quote

 where I am greeted with 3-5 different 'Windows 10 on volume X' images

 

This is not normal behaviour under almost any circumstances. Windows update doesn't cause this. 

 

This is caused by changes to the EUFI partition on your drive and the only reason I can see that happening without any interaction from you is something is manipulating your EUFI entries without your knowledge.

 

And since yo said it started right away when you tried to address Printnightmare, I'm very concerned as In my deployments of the patches and fixes accross hundreds of devices in a corporate environment, I have not seen that experience you are having on any devices at all.

 

Honestly, you should probably also unplug from your network these devices until you can be 100% certain they weren't infected by something. Sadly, a lot of infections if they make it past your AV can render your AV useless.

(hope I'm wrong about the cause of this isssue)

[TubsAlwaysWins]

52 minutes ago, Sprawlie said:

What has me extremely EXTREMELY worried is this:

 

 

This is not normal behaviour under almost any circumstances. Windows update doesn't cause this. 

 

This is caused by changes to the EUFI partition on your drive and the only reason I can see that happening without any interaction from you is something is manipulating your EUFI entries without your knowledge.

 

And since yo said it started right away when you tried to address Printnightmare, I'm very concerned as In my deployments of the patches and fixes accross hundreds of devices in a corporate environment, I have not seen that experience you are having on any devices at all.

 

Honestly, you should probably also unplug from your network these devices until you can be 100% certain they weren't infected by something. Sadly, a lot of infections if they make it past your AV can render your AV useless.

(hope I'm wrong about the cause of this isssue)

Well the good thing is it is limited to this one network and not all my endpoints... we rolled out patches basically day 1 for Print Nightmare so who knows. I will keep digging and see what I find.