Determine the root cause of Windows update rendering PCs unbootable

Dozens of Windows 8.1 PCs across my environment show Fatal Error: C0000022 and cannot boot any further after installing either KB4541505 or KB4541509. Automatic Repair fails; they cannot be restored with System Restore; DISM cannot roll back the update due to the image being unserviceable, and /Cleanup-Image will fail; and deleting the SoftwareDistribution folder does not prevent the update initiating at boot.

I have unapproved the updates in WSUS, and am in the process of re-imaging the affected PCs. Is there any way I can find out what is going on? Fortunately, one of the PCs is currently spare so can be used as a test machine. If I put it back in this state then mount the HD on another PC, are there any logs I can examine?

Microsoft Error Lookup Tool gives 0xC0000022 as

  STATUS_ACCESS_DENIED                                          ntstatus.h
# {Access Denied}
# A process has requested access to an object, but has not
# been granted those access rights.

The error message that shows after the update reboot is truncated, but seems to be saying something about the registry. (\Regis...)

Also, if I find the cause, what is my next step? These KBs are March 2020 security updates. Whatever is causing this will presumably be included in the April 2020 Rollups. Never again patching Windows 8.1 machines isn't a viable option. Would opening a support ticket with Microsoft yield anything useful?


UPDATE:

I've managed to extract CBS.log from the test PC. I think the interesting part is here:

2020-03-19 11:11:44, Info                  CBS    Running poqexec with: C:\windows\System32\poqexec.exe /noreboot /commit_critical_poq /transaction 3496 /display_progress \SystemRoot\WinSxS\pending.xml
2020-03-19 11:11:44, Info                  CBS    Waiting for poqexec.exe to complete...
2020-03-19 11:11:44, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Percent progress: 15.
2020-03-19 11:11:46, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Percent progress: 17.
2020-03-19 11:11:47, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Percent progress: 20.
2020-03-19 11:11:48, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Percent progress: 24.
2020-03-19 11:11:49, Info                  CBS    Waiting for poqexec.exe to complete...
2020-03-19 11:11:49, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Percent progress: 29.
2020-03-19 11:11:50, Info                  CBS    Failure in poqexec.exe while processing updates. [HRESULT = 0x80070005 - E_ACCESSDENIED]
2020-03-19 11:11:50, Info                  CBS    SQM: Reporting poqexec status with status: 0xc0000022, failed file: (null), interfering process: (null), context: Shutdown, first merged sequence: 583
2020-03-19 11:11:50, Info                  CBS    SQM: Upload requested for report: PoqexecStatus, session id: 142861, sample type: Standard
2020-03-19 11:11:50, Info                  CBS    SQM: Queued 5 file(s) for upload with pattern: C:\windows\servicing\sqm\PoqexecStatus_*_std.sqm, flags: 0x2
2020-03-19 11:11:50, Error                 CBS    Shtd: Failed while processing non-critical primitive operations queue. Non-critical primitives will be retried from SMSS. [HRESULT = 0x80070005 - E_ACCESSDENIED]

This led me to poqexec.log, which includes the following:

1d5fddf2c9822ce: 8b4, c0000022, 169d, 0, SetKeySecurity ;\Registry\MACHINE\System\CurrentControlSet\Control\Lsa

Does anyone know how to parse poqexec.log? c0000022 is the error; SetKeySecurity followed by a registry path seems self-explanatory; but what about the other args?

Is there something I can check at this reg key?

UPDATE 2

After another go, I've also extracted pending.xml from the WinSxS folder. I think this part gives me more detail on the process:

<SetKeySecurity path="\Registry\MACHINE\System\CurrentControlSet\Control\Lsa" securityDescriptor="binary base64:AQAUnJQAAACgAAAAFAAAABwAAAACAAgAAAAAAAIAeAAFAAAAAAIYAD8ADwABAgAAAAAABSAAAAAgAgAAAAoUAD8ADwABAQAAAAAAAwAAAAAAAhQAPwAPAAEBAAAAAAAFEgAAAAACGAAZAAIAAQIAAAAAAAUgAAAAIQIAAAACGAAZAAIAAQIAAAAAAA8CAAAAAQAAAAEBAAAAAAAFEgAAAAEBAAAAAAAFEgAAAA==" flags="0x00000001" />

I used the BinarySDToSDDL method of Win32_SecurityDescriptorHelper to parse the base64 using PowerShell Invoke-CimMethod, which gave me this SDDL:

O:SYG:SYD:PAI(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)(A;CI;KR;;;AC)S:AI

which is identical to the SDDL of this key prior to updating.

I don't know what the flags part of the XML means.

windows-update
windows-registry
windows-8.1
lsass
asked on Server Fault Mar 12, 2020 by A J Wilson • edited Jun 11, 2020 by Community
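A stand-alone decoder for the securityDescriptor blob in that SetKeySecurity element, added here as an example (not code from the question, and not Microsoft's BinarySDToSDDL): it walks the self-relative SECURITY_DESCRIPTOR, ACL and ACE structures by hand and rebuilds the SDDL string, so the comparison against the live key's descriptor can be done offline from a pending.xml copied off a mounted disk. The SID alias and rights tables are an assumption limited to the values in this descriptor; anything else is printed raw.

```python
import base64
import struct

# Constructed input: the securityDescriptor attribute of the SetKeySecurity element quoted above.
SD_B64 = ("AQAUnJQAAACgAAAAFAAAABwAAAACAAgAAAAAAAIAeAAFAAAAAAIYAD8ADwABAgAAAAAABSAAAAAgAgAAAAoUAD8A"
          "DwABAQAAAAAAAwAAAAAAAhQAPwAPAAEBAAAAAAAFEgAAAAACGAAZAAIAAQIAAAAAAAUgAAAAIQIAAAACGAAZAAIA"
          "AQIAAAAAAA8CAAAAAQAAAAEBAAAAAAAFEgAAAAEBAAAAAAAFEgAAAA==")

# Alias and rights tables cover only what this descriptor contains (assumption); others print raw.
SID_ALIAS = {"S-1-5-18": "SY", "S-1-5-32-544": "BA", "S-1-5-32-545": "BU",
             "S-1-3-0": "CO", "S-1-15-2-1": "AC"}
RIGHTS = {0x000F003F: "KA", 0x00020019: "KR", 0x00020006: "KW"}   # registry-key specific rights
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
ACE_TYPES = {0: "A", 1: "D", 2: "AU"}

def parse_sid(buf, off):
    """Binary SID at buf[off] -> 'S-1-...' string, or its SDDL alias when known."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return SID_ALIAS.get(sid, sid)

def parse_acl(buf, off):
    # ACL header (8 bytes) followed by AceCount ACEs; an empty ACL yields ''.
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        atype, aflags, asize = struct.unpack_from("<BBH", buf, pos)
        mask, = struct.unpack_from("<I", buf, pos + 4)
        flags = "".join(name for bit, name in ACE_FLAGS if aflags & bit)
        rights = RIGHTS.get(mask, "0x%08X" % mask)
        sid = parse_sid(buf, pos + 8)                      # SID follows the 4-byte access mask
        aces.append("(%s;%s;%s;;;%s)" % (ACE_TYPES.get(atype, str(atype)), flags, rights, sid))
        pos += asize
    return "".join(aces)

def sd_to_sddl(buf):
    """Self-relative SECURITY_DESCRIPTOR -> SDDL in the order BinarySDToSDDL emits (O, G, D, S)."""
    _rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    out = "".join(tag + parse_sid(buf, off) for tag, off in (("O:", owner), ("G:", group)) if off)
    # Control bits: DACL present 0x0004 / protected 0x1000 / auto-inherited 0x0400; SACL 0x0010 / 0x2000 / 0x0800.
    for tag, present, prot, inh, off in (("D:", 0x0004, 0x1000, 0x0400, dacl),
                                         ("S:", 0x0010, 0x2000, 0x0800, sacl)):
        if control & present:
            out += tag + ("P" if control & prot else "") + ("AI" if control & inh else "")
            out += parse_acl(buf, off)
    return out

def decode_pending_sd(b64):
    return sd_to_sddl(base64.b64decode(b64))
```

The control word in this blob decodes to 0x9C14, which is why the DACL prints as D:PAI (SE_DACL_PROTECTED and SE_DACL_AUTO_INHERITED both set) and why the SACL is present but holds no ACEs.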

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0