Jan 18 2021 09:46 AM
Jan 18 2021 09:46 AM
We started rolling out KB4598230/KB4598242/KB4598229 last week, since when we have seen widespread BSOD crashes with CRITICAL PROCESS DIED errors, and nothing useful in the crash dump.
The same happens on many of our laptops with the equivalent patches (e.g. KB4598242, KB4598229)
This issue on Server 2019 occurs every time one of our servers tries to do a VSS snapshot. This isn't the only time it happens - I watched both my file servers BSOD within 5 minutes this morning, not at the VSS snapshot time, but one does it reliably at the schedule VSS time (and no snapshot is created).
On the laptops, as an aside, it is very hard to tell what makes the systems crash - on 1909 systems, randomly updating drivers seems to solve the problem (but there is no commonality between the systems in terms of what gets updated, so the 'fix' is likely a side-effect). On my 20H2 laptop I was able to remove KB4598242, which is in the same release as the server patch above, and my machine stopped crashing. Installing it again brought the crashing back, *but* downloading from the microsoft update store and installing manually worked, no crashes).
This feels like a major issue with this patch delivery - there are almost no commonalities between the systems, they're all different versions of Windows 10/Server 2019 with almost no common software - the only thing that is common is Webroot and Senseon (a security product, which I have removed, but the server still crashes). It could be an interaction with Webroot, but I would have expected more people to have reported issues if so?
Anyone else seeing the above? I have found two posts on other forums from people with the problem on different versions of W10, but none for Server 2019 - one of those suggested removing the patch and installing manually, which worked on my laptop, and I may try on the server.
Jan 26 2021 03:07 AM
We are also now seeing the same crashes with machines that have
2021-01 Cumulative Update Preview for Windows 10 Version 1909 for x64-based Systems (KB4598298)
We're pretty stumped. I am going to try to induce the problem on a spare laptop and set it to do full crash dumps for analysis (the minidumps have nothing in them)
Jan 28 2021 01:59 AM
For anyone who comes looking, we tracked this down to Webroot Anti-Virus. It looks like MS did something to VSS in these patches. On affected machines, any snapshot operation seems to cause a crash in C:\WINDOWS\system32\drivers\wrkrn.sys
Webroot have offered a work-around involving turning off some protections temporarily, but so far we're struggling to definitively prove that these work (and have at least one case where they don't). Holding out for a proper solution.
Apr 30 2021 05:00 AM
@Robertoey did you get this solved? We started seeing this today again on Server 2019 with WR. This has been an ongoing battle where it seems the issue is solved and we re-enable VSS. After some time it crops up again.
WR also offered us the same solution to disable Infared or some other things in the scanner. I have not reopened a ticket with them as yet. Most likely going to be migrating off WR soon.
Apr 30 2021 08:09 AM
@jasssie making the suggested changes from support definitely fixed the issue for us. I had another start crashing last week, and it turned out not to have had the correct WR policy applied - doing so fixed it.
I note that a few of my systems now have a newer version of the agent installed, which I assume is the version with the fix in for this issue, but WR support have not contacted me to confirm that, nor does it look like it is rolling out to all our systems, so perhaps they're pushing it to a proportion first. I am about to contact them to ask what is going on.
I don't want to change AV, as it is a pain to do, and WR is cost-effective and works well, until now, but this poor support is pretty annoying.