Windows Server 2019: VM drops BSOD due to Windows Defender

[German] German blog reader Carsten W. pointed out to me a few days ago a problem that was bothering him a bit. A virtual machine with Windows Server 2019 running under VMware ESX had gone bye-bye with a blue screen and did not boot anymore. The cause is Windows Defender.

I am publishing the information I got from Carsten as is in the blog; maybe it helps someone.

Yesterday a Windows Server 2019 VM (VMware ESX) died here with a BSOD and did not come up again. After the graphical interface is displayed, sooner or later a BSOD follows. Here is the error message of the VM.

————-

Windows 10 Kernel Version 17763 MP (2 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory.  The guilty driver is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver.

PROCESS_NAME:  MsMpEng.exe

MODULE_NAME: WdFilter

IMAGE_NAME:  WdFilter.sys

The WdFilter.sys filter driver and MsMpEng.exe are involved. Carsten also writes that the cause was Windows Defender and adds the following:

Remedy:
– Boot in safe mode with network drivers.
– Use Sysinternals Autoruns (admin mode) to deactivate (uncheck) the service "WinDefend".

After that the system starts normally again without BSOD.

– WinDefender version was: 5.87, installed on 23.04.2021
– last Windows updates were from 27.01.2021

He updated the server to the latest patch level, and the system is up and running again. The Windows Defender service was also started automatically, and Defender now has the WinDefender version 5.90.

Addendum: On Facebook I got feedback from an affected administrator that the issue has happened only on VMware ESXi, not on Hyper-V with Windows Server VM guests.
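
To check whether crashes on several VMs carry the same signature as the report above, the fields from the debugger output can be compared mechanically. The following is an added example, not code from this blog or from Carsten; the VM names and sample reports are constructed, and it assumes the analysis text has been saved per VM in the format quoted above.

```python
import re

# Signature taken from the crash output quoted in the post.
SIGNATURE = {
    "bugcheck": "be",  # ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
    "PROCESS_NAME": "msmpeng.exe",
    "MODULE_NAME": "wdfilter",
    "IMAGE_NAME": "wdfilter.sys",
}
BUGCHECK_RE = re.compile(r"^[ \t]*([A-Z][A-Z0-9_]+)[ \t]+\(([0-9a-fA-F]+)\)[ \t]*$", re.M)
FIELD_RE = re.compile(r"^[ \t]*(PROCESS_NAME|MODULE_NAME|IMAGE_NAME):[ \t]*(\S+)[ \t]*$", re.M)

# Constructed sample input: VM names and the second and third reports are made up;
# the first report reuses the fields quoted in the post.
SAMPLE_REPORTS = {
    "vm-app01": "ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)\n"
                "An attempt was made to write to readonly memory.\n"
                "PROCESS_NAME:  MsMpEng.exe\nMODULE_NAME: WdFilter\nIMAGE_NAME:  WdFilter.sys\n",
    "vm-app02": "DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)\n"
                "PROCESS_NAME: System\nMODULE_NAME: exampledrv\nIMAGE_NAME: exampledrv.sys\n",
    "vm-app03": "SYSTEM_SERVICE_EXCEPTION (3b)\n"
                "PROCESS_NAME: MsMpEng.exe\nMODULE_NAME: WdFilter\nIMAGE_NAME: WdFilter.sys\n",
}

def parse_analysis(text):
    """Extract the bugcheck code and the attribution fields from saved analysis text."""
    fields = {key: value.lower() for key, value in FIELD_RE.findall(text)}
    match = BUGCHECK_RE.search(text)
    if match:
        fields["bugcheck_name"] = match.group(1)
        fields["bugcheck"] = match.group(2).lower()
    return fields

def classify(text):
    """'match' = all four signature fields agree; 'partial' = WdFilter is blamed
    but the bugcheck or process differs; 'other' = unrelated crash."""
    fields = parse_analysis(text)
    hits = {key for key, value in SIGNATURE.items() if fields.get(key) == value}
    if len(hits) == len(SIGNATURE):
        return "match"
    if hits & {"MODULE_NAME", "IMAGE_NAME"}:
        return "partial"
    return "other"

def triage(reports):
    """Map each VM name to its classification; reports is {vm_name: analysis_text}."""
    return {vm: classify(text) for vm, text in reports.items()}

if __name__ == "__main__":
    for vm, verdict in triage(SAMPLE_REPORTS).items():
        print(f"{vm}: {verdict}")
```

A "partial" verdict still points at the Defender filter driver and is worth reviewing alongside the full matches.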


3 Responses to Windows Server 2019: VM drops BSOD due to Windows Defender

  1. Mathew Pearson says:

    I think this is happening to me also, on 4 separate VMs.

    ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
    An attempt was made to write to readonly memory.
    CUSTOMER_CRASH_COUNT: 1

    PROCESS_NAME: MsMpEng.exe

    MODULE_NAME: WdFilter

    IMAGE_NAME: WdFilter.sys

    The difference here is that our VMs reboot, all the services go back up, and our apps all work fine, then they blue screen again at some random time.

    Since the systems boot, I am going to try updating all the latest patches and Windows Defender.

  2. Brian says:

    Hi Mathew,
    Did the system updates solve your issue?
    We are seeing the same situation as you on several VMs.

  3. TCT says:

    I can confirm this also happens on Hyper-V. I have applied the latest patch levels as of today so we'll see if it resolves the issue. This is happening on all of my Windows 2019 VM servers at random times.
