Microsoft Teams instability with Forcepoint DLP and SentinelOne coexistence

Maher Hawary 0 Reputation points
2026-05-11T08:30:13.9733333+00:00

Dear Microsoft Support Team,

We are currently experiencing a significant issue involving Microsoft Teams in an environment protected by SentinelOne EDR and Forcepoint DLP Endpoint.

Issue Summary:
When Forcepoint DLP is installed and active, Microsoft Teams becomes unstable and frequently crashes or fails to initialize properly. Endpoint performance also becomes noticeably degraded.

Observed behavior includes:

  • Teams crashing or becoming unresponsive
  • Teams failing to launch correctly
  • Poor endpoint performance after login
  • Users needing to manually clear the Teams cache daily in order to temporarily restore functionality

Important findings:

  • If Forcepoint DLP is disabled or uninstalled, Teams immediately works normally again
  • SentinelOne remains active during testing and does not appear to cause the issue independently
  • SentinelOne exclusions for Forcepoint components are already configured

At this stage, the issue appears related to Forcepoint DLP interaction with Teams and/or Microsoft Edge WebView2 processes.

We understand that broad exclusions for Teams/WebView2 are commonly recommended; however, implementing all required exclusions would create a major security concern for our environment, as it would significantly reduce the effectiveness of both the DLP and EDR solutions in protecting sensitive data and endpoints.

We would appreciate Microsoft’s guidance regarding:

  • Recommended secure coexistence practices for Teams with DLP/EDR products
  • Whether there are known issues involving Teams, WebView2, and third-party DLP inspection
  • Recommended minimal exclusions or trusted process configurations that maintain both functionality and security
  • Any logging or diagnostic recommendations to help isolate the root cause

We can provide additional logs, crash dumps, versions, and reproduction details if required.

Best regards,

[Moderator note: personal info removed] 

Microsoft Teams | Microsoft Teams for business | Other

2 answers

  1. Demi-N 16,340 Reputation points Microsoft External Staff Moderator
    2026-05-11T09:02:50.2033333+00:00

    Hello @Maher Hawary,

    Thank you for sharing such detailed information about the behavior you’re experiencing.

    Based on your description, this does appear to be a more complex interaction between Microsoft Teams and third‑party security tools such as Forcepoint DLP. At this time, there is no official Microsoft documentation or confirmation that this is a known issue, especially in relation to the coexistence scenario you described.

    Given the nature and impact of the issue (including crashes, performance degradation, and dependency on cache clearing), the best next step would be to open a Microsoft Support ticket. This will allow the engineering team to collect and analyze backend logs, including the correlation between Teams, WebView2, and endpoint security processes.

    Because this type of investigation requires access to service‑side telemetry and diagnostic data, it cannot be fully analyzed from the client side alone.

    When creating the ticket, I would recommend including:

    • A summary of your observed behavior
    • The correlation with Forcepoint DLP being enabled/disabled
    • Any timestamps and affected users/devices
    • Logs or crash data, if available

    This will help the support team investigate more efficiently and determine whether there is a compatibility issue or configuration consideration. You can create a support ticket by following the steps here:

    • Then you can type "I need agent support via phone or email" and click on "Contact support" 
    • Choose contact method: "Phone" 

    • Fill in all the information in the contact support details; please describe your situation carefully so they will have enough information to help you.
    • Finally, click on "Contact me"

    When you open a support ticket, please make sure to turn off the Support Assistant (AI) in the help panel.    

    Several customers have reported issues when the Support Assistant is turned on: the system sometimes fails to display the “Contact Support” option.

    As shown in the screenshot, simply switch Support Assistant > Off, then type your issue description.  Once the AI is off, the “Contact Support” button will appear normally, allowing you to submit a ticket directly. 

    Please note that creating a support ticket requires administrator permissions. If you are not an admin in your organization, I would recommend reaching out to your IT administrator and asking them to open the ticket on your behalf.

    Please let me know if you need guidance on opening the support request or preparing the details. I’ll be happy to assist.

    Kind regards,



  2. Q&A Assist
    2026-05-11T08:30:39.12+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The described behavior matches known issues where third-party DLP/EDR components inject DLLs into Microsoft Teams and Microsoft Edge WebView2 processes, causing instability, crashes, and degraded performance.

    Key points from documented behavior

    • Third-party antivirus, reliability monitoring, and DLP tools can interfere with the Teams desktop client and Edge WebView2, degrading performance and causing unexpected exits or launch failures.
    • Forcepoint DLP is explicitly listed among applications that might block Teams or cause it to fail.
    • A number of injected DLLs are known to affect the Teams desktop client and WebView2; these should be checked and controlled.
    • Teams “client crash” issues are a known category in the Teams client health dashboard, and one of the primary mitigations is ensuring that antivirus and DLP tools do not block Teams and WebView2 processes.

    Recommended secure coexistence practices

    1. Minimize but do not completely remove inspection
      • Instead of broad, blanket exclusions at the engine level, use targeted process- or DLL-based allowlisting for Teams and WebView2 where possible.
      • For classic Teams, the minimum core processes that should be allowed (or excluded from intrusive inspection such as code injection, API hooking, or inline content modification) are:
        • C:\Users\*\AppData\Local\Microsoft\Teams\current\teams.exe
        • C:\Users\*\AppData\Local\Microsoft\Teams\update.exe
        • C:\Users\*\AppData\Local\Microsoft\Teams\current\squirrel.exe
        • C:\Users\*\AppData\Local\Microsoft\TeamsMeetingAddin
      • Configure Forcepoint and SentinelOne so that these processes are not subjected to DLL injection or behavior-modification hooks, while still allowing file- and network-level inspection where the product supports that separation.
    2. Control known-problematic DLL injection
      • Forcepoint DLP is listed as an application that might block Teams or cause it to fail. In addition, Microsoft documents a set of DLLs that are known to affect the Teams desktop client and Edge WebView2.
      • Recommended actions:
        • Enumerate loaded modules (DLLs) in teams.exe and WebView2 processes on affected endpoints.
        • Compare against the documented list of DLLs that might affect Teams and WebView2 and any Forcepoint-related DLLs.
        • In Forcepoint and SentinelOne, configure policies to prevent those DLLs from being injected into Teams/WebView2 processes, or move them to a less intrusive inspection mode for those processes.
    3. Treat Teams/WebView2 as trusted UI/runtime processes
      • Where the DLP/EDR solution supports it, configure Teams and WebView2 processes as “trusted” or “protected” applications rather than fully inspected/untrusted ones. This typically:
        • Reduces or disables API hooking and code injection into those processes.
        • Still allows content inspection at file, clipboard, or network layers, depending on product capabilities.
      • This approach balances stability with security by avoiding the most disruptive inspection techniques while maintaining DLP coverage.

    Known issues and interactions

    • Microsoft explicitly notes that non-Microsoft antivirus and DLP tools can cause the Teams app to exit unexpectedly and degrade performance, especially when they interfere with Edge WebView2.
    • Forcepoint DLP is in the list of applications that might block Teams or cause it to fail, which aligns with the behavior observed when Forcepoint is enabled.

    Minimal exclusions / trusted process configuration

    Within the constraints of the documented guidance, the minimal and more secure approach is:

    1. Add the core Teams executables (above) to an allowlist or low-interference profile in Forcepoint and SentinelOne, specifically for:
      • Code injection / DLL injection
      • API hooking
      • Inline traffic modification within the Teams/WebView2 processes
    2. Verify and, if necessary, restrict or remove injection of any DLLs from the documented “Other DLLs that might affect Teams desktop client and Edge WebView2” list into Teams/WebView2 processes.
    3. Avoid broad, system-wide exclusions; keep changes scoped to the Teams and WebView2 processes and only to the intrusive inspection features that are known to cause instability.

    Logging and diagnostics to isolate root cause

    1. Use Teams client health and WER
      • Use the Teams client health dashboard (if available in the tenant) and look for issues categorized as Client crash.
      • For each crash, check the Insight column to see if the issue is associated with media stack technology failure or third-party interference.
      • Enable Windows Error Reporting (WER) as recommended to capture detailed crash information and help identify whether injected DLLs or hooks are involved.
    2. Correlate DLP/EDR events with Teams crashes
      • On affected endpoints, collect:
        • Forcepoint DLP endpoint logs around the time of Teams launch and crash.
        • SentinelOne EDR logs for process and module activity related to teams.exe and WebView2 processes.
      • Look for events indicating:
        • DLL injection into Teams/WebView2.
        • Blocked or modified file, registry, or network operations originating from Teams/WebView2.
    3. Verify presence and integrity of known-problematic DLLs
      • On affected machines, verify whether any of the documented DLLs that might affect Teams and WebView2 are present and loaded.
      • Confirm ownership and integrity of these DLLs; if they belong to Forcepoint or other security tools, adjust policies to prevent their injection into Teams/WebView2.
    4. Engage vendor support with Microsoft data
      • After collecting WER crash dumps and Teams client health insights, share the findings with Forcepoint and SentinelOne support so they can adjust their endpoint policies or provide updated agents that are compatible with Teams/WebView2.

    If, after applying the above coexistence practices and targeted exclusions, Teams still crashes, the next step is to open a support case with Microsoft Support, providing:

    • WER crash reports for teams.exe and WebView2 processes.
    • A list of injected DLLs in those processes at crash time.
    • Forcepoint and SentinelOne policy details specific to Teams/WebView2.

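The module enumeration recommended in the answer above, as an added PowerShell example that is not part of the original thread or of Microsoft's guidance. The process names (`Teams`, `ms-teams`, `msedgewebview2`), the `O=Microsoft Corporation` signer filter, and the output path are assumptions to adjust for your environment.

```powershell
# Added example: inventory non-Microsoft DLLs loaded into Teams / WebView2 processes.
# Assumptions: the process names below and the Microsoft signer match string.
$TargetNames = 'Teams', 'ms-teams', 'msedgewebview2'
$SignerCache = @{}   # module path -> signer subject, so each file is checked once

function Get-ModuleSigner {
    param([string]$Path)
    if (-not $SignerCache.ContainsKey($Path)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
        $SignerCache[$Path] = if ($sig -and $sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else {
            '<no signature found>'
        }
    }
    $SignerCache[$Path]
}

function Get-InjectedModuleReport {
    param([string[]]$Name = $TargetNames)
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try {
            $modules = @($proc.Modules)
        } catch {
            # Access denied or the process exited: warn and move on instead of failing.
            Write-Warning "PID $($proc.Id) ($($proc.ProcessName)): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $signer = Get-ModuleSigner -Path $m.FileName
            # Keep only modules that are not signed by Microsoft.
            if ($signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    ProcessId = $proc.Id
                    Module    = $m.FileName
                    Company   = $m.FileVersionInfo.CompanyName
                    Signer    = $signer
                }
            }
        }
    }
}

# Write the inventory to a CSV that can be attached to a vendor or Microsoft ticket.
Get-InjectedModuleReport |
    Sort-Object Module, ProcessId |
    Export-Csv -Path "$env:TEMP\teams-modules.csv" -NoTypeInformation
```

Run it in the affected user's session once with the DLP agent active and once with it disabled, then compare the two CSV files to see which modules appear only when the agent is present.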
