CPU Drops on VM running EDR Core after update

Hi, figured I would ask here to see if anyone else is having a similar issue before opening a support case. Sorry for the long post.
As it stands, I have had to remove EDR Core from all my Server 2022 VMs (running on ESXi 8) as this issue makes them unusable unless I remove the software.

So, I initially migrated from TDR to EDR Core a few months ago with no problems. All my servers/workstations changed from having the TDR agent installed to running the EDR Core agent and were running fine. For background, I also have Trellix Endpoint Security running on my servers and have the exceptions added in EDR and Trellix for both. I am also only running Exploit protection using Trellix and have this disabled in EDR. Windows Defender is not installed.

All the servers were running fine with no performance issues until (and I don't know if this was the cause but can only say what has installed/changed when I noticed the issues started happening) - update 2023-09 Cumulative for Microsoft Server Operating System Version 21H2 installed and/or the recent EDR Agent update installed. At which point, once the server reboots and you log in, the CPU drops dramatically, runs at between 100-350 MHz and the server becomes unresponsive.

If you reboot the server and do not log in, the server runs fine (so DCs can service clients, run group policy, file shares work etc.) but as soon as you log in and EDR tries to load (the EDR agent icon never appears on the toolbar), it locks up, the CPU drops, and the machine locks up. No matter how long you leave the server, it remains in that state. Forcing the server to power off and on again is the only thing I can do, and after a reboot, logging in normally again results in the same problem with the EDR Agent not loading, the CPU dropping and the server being unusable.

To resolve this and ensure the servers are usable (after a lot of testing different things), I reboot the server into safe mode, run msconfig to disable the WMI service and then reboot again. With the WMI service disabled, I can log in to the server with no issues, the EDR agent loads as normal and I am then able to uninstall the EDR agent. Once uninstalled, run msconfig again to switch to Normal startup again (which enables the WMI service), reboot, and the server is back to normal minus EDR.

I have a feeling it's more related to the EDR Core Agent updates than the MS Cumulative update as I had the issue this morning with another 2022 server which had been running fine up until a reboot today. The MS 2023-09 update installed on the 14th September and EDR Core was installed before this – both ran together with no issues. I rebooted the server this morning for maintenance and when it came back up, I had the CPU drop issue I mentioned above start happening before the EDR agent tries to load. I have my EDR Policies on Servers to install the updates, but not reboot automatically, so EDR would not have updated until the reboot this morning.

Anyone using EDR Core had any similar issues? Can’t believe it would just be me?

Comments

  • David_Carro WatchGuard Representative

    Hello, S_Matt,
    I will contact you via PM asap.

    David


    David Carro | Technical support
    WatchGuard Technologies, Inc. | www.watchguard.com

  • Can you tell more about it? What was the solution?

  • james.carson Moderator, WatchGuard Representative

    @HN13
    Please create a support case - The issue here was from several months ago and may very likely not be the same issue.

    -James Carson
    WatchGuard Customer Support
