Windows Defender SenseNdr.exe causing Non-Paged Pool memory leak after Windows Server update KB5041578

Anonymous
2024-09-15T13:54:53+00:00

We're experiencing a significant Non-Paged Pool memory leak on our Windows Server 2019 domain controllers after installing the following updates:

  • KB5041578
  • Servicing Stack Update 10.0.17763.6174

Problem details:

  • The process SenseNdr.exe, part of Microsoft Defender for Endpoint, is causing a continuous increase in Non-Paged Pool memory usage.
  • This is affecting only Windows 2019 servers.
  • The memory leak is severe enough to impact server performance.

What we've tried:

  • Attempted to disable real-time protection via registry and group policy (unsuccessful).
  • Considered reinstalling Windows Defender (not possible due to management restrictions).
  • Investigated group policies and central management settings in Microsoft 365 Defender.

Questions:

  1. Has anyone else encountered this specific memory leak with SenseNdr.exe after these updates?
  2. Are there any known workarounds or fixes for this issue that don't involve completely disabling Microsoft Defender for Endpoint?
  3. If disabling components is necessary, what's the safest way to do this on domain controllers without compromising security?
  4. Has Microsoft acknowledged this as a bug in the recent updates?

Environment:

  • OS: Windows Server 2019
  • Hypervisor: VMware
  • Latest Update: KB5043050
  • Servicing Stack: 10.0.17763.6174
  • Centrally managed via Microsoft 365 Defender/Intune

Update 1:

The problem was initially resolved by removing Windows Defender ATP (offboarding). Subsequently, we reinstalled Windows Defender and reactivated Windows Defender ATP (onboarding). Unfortunately, this process did not permanently fix the issue, and we are still experiencing the memory leak.

Update 2:
The latest Windows update KB5044277 did not resolve this issue. Uninstalling Windows Defender ATP fixes the problem. However, this is not the solution. There are now multiple reports from other companies experiencing this issue.

SenseNdr.exe is slowly eating the memory - Microsoft Community Hub

Any insights or solutions would be greatly appreciated.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.
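
One way to confirm the growth described in the question before and after a change such as offboarding, as an added example that is not part of the original post: sample the non-paged pool at a fixed interval and fit a least-squares slope to get a growth rate. The page does not say whether the leak is charged to the process or only visible system-wide, so both values are sampled; the English counter name, the interval, the sample count and the helper name `Get-Slope` are assumptions.

```powershell
# Added example: sample non-paged pool usage and estimate its growth rate.
# Assumptions: process name 'SenseNdr' (from the post), English counter names,
# and the default interval / sample count below.
param(
    [string]$ProcessName     = 'SenseNdr',
    [int]   $IntervalSeconds = 60,
    [int]   $Samples         = 30
)

function Get-Slope {
    # Least-squares slope of Y over X (units of Y per unit of X).
    param([double[]]$X, [double[]]$Y)
    $n = $X.Count
    if ($n -lt 2) { return 0.0 }
    $meanX = ($X | Measure-Object -Average).Average
    $meanY = ($Y | Measure-Object -Average).Average
    $num = 0.0; $den = 0.0
    for ($i = 0; $i -lt $n; $i++) {
        $num += ($X[$i] - $meanX) * ($Y[$i] - $meanY)
        $den += [math]::Pow($X[$i] - $meanX, 2)
    }
    if ($den -eq 0) { return 0.0 }
    return $num / $den
}

$start = Get-Date
$rows = for ($i = 0; $i -lt $Samples; $i++) {
    # System-wide non-paged pool from the built-in Memory performance object.
    $sys = (Get-Counter '\Memory\Pool Nonpaged Bytes').CounterSamples[0].CookedValue
    # Non-paged pool charged to the process; stays 0 if it is not running.
    $procBytes = 0
    foreach ($p in @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        $procBytes += $p.NonpagedSystemMemorySize64
    }
    [pscustomobject]@{
        Hours     = ((Get-Date) - $start).TotalHours
        SystemMB  = [math]::Round($sys / 1MB, 1)
        ProcessMB = [math]::Round($procBytes / 1MB, 1)
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

$rows | Format-Table -AutoSize
$hours = [double[]]$rows.Hours
'{0,-8} growth: {1:N1} MB/hour' -f 'System',  (Get-Slope $hours ([double[]]$rows.SystemMB))
'{0,-8} growth: {1:N1} MB/hour' -f 'Process', (Get-Slope $hours ([double[]]$rows.ProcessMB))
```

A slope that stays positive across several runs, rather than levelling off, is the pattern the question describes; comparing the system and process figures shows where the growth is accounted.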


42 answers

  1. Anonymous
    2024-09-16T05:53:38+00:00

    Hello,

    Thank you for posting in Microsoft Community forum.

    Based on the description, I understand your question is related to KB5041578.

    I found three known issues about KB5041578, but it seems none of them mentioned Windows Defender SenseNdr.exe causing Non-Paged Pool memory leak:

    August 13, 2024—KB5041578 (OS Build 17763.6189) - Microsoft Support

    1. After installing the Windows update released on or after July 9, 2024, Windows Servers might affect Remote Desktop Connectivity across an organization. This issue might occur if legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. Resulting from this, remote desktop connections might be interrupted.

    This issue might occur intermittently, such as repeating every 30 minutes. At this interval, logon sessions are lost and users will need to reconnect to the server. IT administrators can track this as a termination of the TSGateway service which becomes unresponsive with exception code 0xc0000005.

    This issue is addressed in KB5043050.

    2. After installing this security update, you might observe that some Windows Server 2019 devices experience system slowdowns, unresponsiveness, and high CPU usage particularly with Cryptographic Services.

    A limited number of organizations reported that the issue was observed when the device was running an Antivirus software which performs scans against the ‘%systemroot%\system32\catroot2’ folder for Windows updates, due to an error with catalog enumeration.

    Our investigations so far indicate that this issue is limited to some specific scenarios. If your IT environment is affected, you might observe that your devices:

    • Show increased CPU utilization
    • Experience increased disk latency/ disk utilization
    • Indicate degraded OS or application performance
    • Show that the CryptSVC service fails to start
    • May boot into a black screen
    • Experience slow to boot
    • Freeze or hang

    This issue is addressed in KB5043050.

    3. After installing this security update, you might face issues with booting Linux if you have enabled the dual-boot setup for Windows and Linux in your device. Resulting from this issue, your device might fail to boot Linux and show the error message “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”

    The August 2024 Windows security update applies a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied.

    Please refer to the workaround mentioned in Windows release health site for this issue.

    Have a nice day. 

    Best Regards,

    Molly

  2. Anonymous
    2024-09-16T11:08:36+00:00

    We have the same issue. It only appears to happen on servers where we have the Defender for Identity sensor enabled. We've a case open with MS for this.

    6 people found this answer helpful.
  3. Anonymous
    2024-09-20T11:19:53+00:00

    Any update from MS yet?

  4. Anonymous
    2024-09-24T14:59:57+00:00

    MS has been aware of this bug since 08.15. The fix will arrive on workstations in the 4th week of September, and on the servers 2 weeks later with the monthly Windows updates.

    1 person found this answer helpful.
  5. Anonymous
    2024-10-14T18:59:56+00:00

    Was this fixed in the recent update? I still see a memory leak linked to SenseNdr.exe.
