Windows Server 2019 Black Screen and Unresponsive After KB5041578

By Jeff LeBlanc

After applying the August security update KB5041578, Windows Server 2019 systems may show a black screen at login or suffer other performance issues.

Microsoft has confirmed this on their website.

“After installing this security update, you might observe that some Windows Server 2019 devices experience system slowdowns, unresponsiveness, and high CPU usage particularly with Cryptographic Services. 

A limited number of organizations reported that the issue was observed when the device was running an Antivirus software which performs scans against the ‘%systemroot%\system32\catroot2’ folder for Windows updates, due to an error with catalog enumeration. 

Our investigations so far indicate that this issue is limited to some specific scenarios. If your IT environment is affected, you might observe that your devices:

  • Freeze or hang
  • Show increased CPU utilization
  • Experience increased disk latency / disk utilization
  • Indicate degraded OS or application performance
  • Show the CryptSVC service fails to start
  • May boot into a black screen
  • Experience slow to boot

Microsoft Solution:

This issue was resolved using KIR. To apply the KIR, please refer to the resolution details in the Windows release health site for this issue.”

For more information on rolling back an update using the KIR process, see https://learn.microsoft.com/en-us/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback.

Additional Notes from the Field

In my customer’s case, they experienced black screens, high CPU utilization and extreme slowness logging on to their 2019 servers.

Microsoft isn’t very specific in their article on the software that may be running where you might experience this issue.

If you have Windows Defender installed (the default on Server 2019) and another security solution such as CrowdStrike running at the same time, you may experience this issue.

The solution is to either:

  • Roll back the update using KIR or command line/script
  • Uninstall Windows Defender

When Windows installs, it installs 4 services for Windows Defender.

  • Windows Defender Advanced Threat Protection Service
  • Windows Defender Antivirus Network Inspection Service
  • Windows Defender Antivirus Service
  • Windows Defender Firewall

The problem services are the middle two, Windows Defender Antivirus Network Inspection Service and Windows Defender Antivirus Service, when you are also running another AV solution. The Defender Network Inspection Service and AV services are not needed at that point because the other software is handling these functions.

If you want to keep the monthly Security Update installed and determine you don’t need Windows Defender AV running on your servers because you have another solution in place, you can remove Windows Defender with the following PowerShell command:

Uninstall-WindowsFeature -Name Windows-Defender

After running the uninstall, you will need to reboot the server to complete the removal. You will then be left with just the Windows Defender Advanced Threat Protection Service and the Windows Defender Firewall services.
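
The script below is an added example, not part of the original article or Microsoft's guidance: it reports the state described above (the update, the Defender feature, the four Defender services and CryptSvc) and only removes the feature when another AV agent is actually running. The parameter names and the default `CSFalconService` service name are assumptions; substitute the service name of your own product and run it from an elevated PowerShell session.

```powershell
# Added example: report-only by default; pass -Remove to uninstall the feature.
# Assumption: $OtherAvService is the service name of your third-party agent.
# 'CSFalconService' (CrowdStrike Falcon sensor) is only a sample default.
param(
    [string]$OtherAvService = 'CSFalconService',
    [switch]$Remove
)

# Current state: the update, the Defender feature, and the other AV agent.
$kb      = Get-HotFix -Id 'KB5041578' -ErrorAction SilentlyContinue
$feature = Get-WindowsFeature -Name 'Windows-Defender'
$otherAv = Get-Service -Name $OtherAvService -ErrorAction SilentlyContinue
$otherAvRunning = $otherAv -and $otherAv.Status -eq 'Running'

'KB5041578 installed       : {0}' -f [bool]$kb
'Windows-Defender feature  : {0}' -f $feature.InstallState
'{0} running : {1}' -f $OtherAvService, [bool]$otherAvRunning

# Service names behind the four display names listed above, plus CryptSvc,
# which is the service Microsoft's note says shows the high CPU usage.
Get-Service -Name 'Sense', 'WdNisSvc', 'WinDefend', 'mpssvc', 'CryptSvc' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType |
    Format-Table -AutoSize | Out-Host

if (-not $Remove) { return }

# Refuse to remove Defender AV unless another AV agent is actually running,
# so the server is never left without any antivirus.
if (-not $feature.Installed) {
    Write-Warning 'Windows-Defender feature is not installed; nothing to remove.'
    return
}
if (-not $otherAvRunning) {
    Write-Warning "$OtherAvService is not running; leaving Windows Defender in place."
    return
}

$result = Uninstall-WindowsFeature -Name 'Windows-Defender'
if ($result.Success) {
    Write-Host "Removal staged. RestartNeeded: $($result.RestartNeeded)."
    Write-Host 'Reboot, then re-run without -Remove to confirm WinDefend and WdNisSvc are gone.'
} else {
    Write-Warning 'Uninstall-WindowsFeature reported failure; check the feature state above.'
}
```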

Hope this helps!
