Windows Defender Update in Windows 10 and Windows Server 2016 prevents systems from starting with Secure Boot enabled. In addition, an activated AppLocker blocks downloads.
Within the KB article Microsoft meanwhile confirms a ‘know issue’ for this update. As soon as module version 4.18.1901.7 has been installed, Windows 10 and Windows Server 2016 no longer start when Secure Boot is activated. Microsoft is working on solving this problem and wants to release a fix in the future.
Workaround
Secure Boot issue in version 4.18.1901.7
- Restart the device, and enter the BIOS.
- Turn off Secure Boot, and then restart the device again.
- In an administrative Command Prompt window, run the following command:
“%programdata%\Microsoft\Windows Defender\Platform\4.18.1901-7\MpCmdRun.exe” -revertplatform - Wait for one minute, and then do the following:
Run sc query windefend to verify that the Windows Defender service is running.
Run sc qc windefend to verify that the Windows Defender binary no longer points to version 4.18.1901.7. - Restart the device, re-enter the BIOS, and then turn on Secure Boot.
AppLocker fix
Microsoft has changed the path to the updated Windows Defender module. This changed path blocks many downloads when AppLocker is enabled. To fix this issue,Microsoft suggests that you open the appropriate Group Policy.
Then allow the setting of policies for the following path:
%OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\*
Source : Microsoft