Defender for Endpoint causes issues with Windows 10 20H2 clients (April 26, 2022)

Windows[German]Does Word take an unusually long time to start on Windows 10 clients? Does the Windows 10 20H2 client go into black screen for 2 minutes or more after user login? Or does the event viewer seem to hang when loading events? These and similar effects can be caused by Microsoft Defender for Endpoint. Let me summarize some information.


Advertising

Review: Defender signatures as a problem

In early April 2022, I had reported here on the blog about an observation made by blog reader Markus K. in connection with Microsoft Defender for Endpoint. Markus had emailed me to inform me that, in his environment, RAM usage on some Windows Server systems could become rampant and affect ongoing operations.

After I had raised the issue more than once in the blog post Defender signatures cause extreme RAM usage (April 2022) in my German and English blogs, a couple of administrators confirmed the issue. The conclusion from the post was that a signature update of Microsoft Defender for Endpoints and a reboot fixed the problem for most people. This update reduced the old signature update file, which was quite large in some cases, to a tolerable level – the details can be read in the linked blog post.

Windows 10 trouble, it's not over yet

I had forgotten the issue for myself, especially since I had confirmation from people affected that a signature update and reboot fixed existing problems. By chance I looked into the patchmanagement.org mailing list two days ago and saw the following post. There, Markus Klocker reports serious effects under Windows 10 20H2 on April 26, 2022:

Strange effects on clients 20H2

We observe various issues like:
– black screen after login (2 minutes and longer) and goes away at some
point
– Word is not opening or takes a very long time
– Event viewer seem stuck loading events (remote and local)
– the diagnostic performance log shows indicate very long startup times
In most cases rebooting several times helps. On some clients the
problems don't go away.
Those effects somehow arose around  the time of March patches and are
present after patching the client. Uninstalling April and March have no
effect though.
Nothing of interest in the event logs of the clients affected. We
estimate ~3% of the devices are affected.
We're a bit at loss here what to make of that.
Anyone with similar oddities?

From a black desktop after a user logs in that can last two minutes or longer, to Microsoft Word starting extremely slowly, to problems with the event viewer or the diagnostic performance logs, it's all there. Markus wrote that only around 3 percent of his clients were affected. Since I've been in contact with blog reader Markus for a long time, I'm roughly familiar with his environment, which he manages as an administrator.

My first thought was that an update was playing into this – after all, the preview updates for April 2022 fixed such bugs. But Markus wrote that uninstalling updates didn't change the behavior. In another post, he still replied in the mailing list that all affected clients were upgrades from older Windows 10 versions.


Advertising

Signature updates help temporarily

Then Markus had contacted me by mail on Friday afternoon, because he got one step further. In his short mail he mentioned that in his environment the problem from the blog post Defender signatures cause extreme RAM usage (April 2022) was back again and added:

seems to affect more or less everyone.
In any case, our RAM consumption increased continuously after the update.
Looks like mem leak.

we have our friend the Defender really very much…
– MS-Word (2016 or 2019 CTR) won't start => Update-MPSignature and everything works again in no time.
– Eventlog not visible (remote and local) => Update-MPSignature and everything works again in no time.
– SAP does not want to start => Update-MPSignature and everything works again in no time

Markus can't imagine that this behavior is a special problem caused by one of the used GPO settings for Defender. There he wants to look again. Also, in his environment only a few computers are affected (~50-100 out of over 7000). But this behavior generates an immense effort for the administrators. At the same time Markus wrote the following text in the patchmanagement.org mailing list.

We found that running Update-MPSignature seems to fix all the problems
even there is no signature update for Windows Defender.
The problems also were reproducible on a freshly installed machine with
all patches installed.
Also SAP won't start and can be fixed by updating the signatures.
Affected are a number between 50 and 100 machines per day (always
different machines).
We do not know if other programs are affected as well. So feedback if
similar is observed would be nice.
Jet another Windows Defender update fail?

Currently it seems to affect only a few users. However, I have posted it here in the blog, and ask whether anyone else is affected.

Similar articles:
Microsoft Defender falsely detected Office updates as ransomware activity (03/16/2022)
Microsoft Defender falsely reports Trojans on Dell computers (March 2, 2022)
Defender signatures cause extreme RAM usage (April 2022)
Microsoft warns of (fixed) Defender spoofing vulnerability
Windows 10: Unwanted reboots due to Microsoft Defender Application Control (WDAC)
Microsoft probably secretly fixes vulnerability in Defender under Windows
Windows Defender: Fixes, Issues and Log4j scanner false alarms
Microsoft Defender Version 1.353.1874.0 version 1.353.1874.0 incorrectly reports Emotet
Got lost in Defender? There is something like a Defender Cheat Sheet available!


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in issue, Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *