Preventing Windows component inconsistencies

Posted: Wed Apr 06, 2022 1:34 pm
by Scott
I restored a Win10 image the other day, and Microsoft Defender would not run; it kept crashing. That was not the case when the image was created.

My best guess is that Microsoft Defender was mid-update when the image was being created, and that it employs a typical low-IQ, low-effort, why-bother, middle-finger-in-your-face inability to recover from even the most basic issues (such as being able to simply revert to a previous known-good state).

I had used VSS and don't see why PHYLock would have made any difference in this case.

Is it possible to mitigate scenarios like this, and still image from an online Windows environment? Blocking specific (or all) network traffic prior to starting an imaging process may help, but this feels like an incomplete solution to me.

Re: Preventing Windows component inconsistencies

Posted: Wed Apr 06, 2022 3:14 pm
by Bob Coleman
For whatever it's worth, I use PHYLock and Windows Defender and have never had this happen.

Re: Preventing Windows component inconsistencies

Posted: Wed Apr 06, 2022 3:33 pm
by Scott
I've restored many times but had never had it happen before that occasion as well. The image passed a byte-for-byte validation (and a pre-restore validation), so that seems to me an impenetrable barrier to condemning VSS in particular.

Something about the state that Microsoft Defender was in at the exact point-in-time the image began was not conducive to its ongoing operation, and I need to understand how to prevent such a scenario in the future.

Re: Preventing Windows component inconsistencies

Posted: Wed Apr 06, 2022 11:19 pm
by TeraByte Support
Maybe the file system was dirty or needs chkdsk /f or sfc /scannow. VSS and Defender are both MS and both work together, so you'd have to know what is actually wrong in order to report something to MS if you found a problem. Maybe it's something else causing it, considering that if you search "windows defender crashing" there are pages of results.

Re: Preventing Windows component inconsistencies

Posted: Wed Apr 06, 2022 11:22 pm
by Scott
I always do a "chkdsk /f" immediately after restoring, while still in WinRE, and know for sure that I did so that time as well. (For whatever reason, chkdsk always finds (and fixes) issues.)

I also did a "sfc /scannow", and it didn't help.

I'd never even dream of reporting an issue to Microsoft. C'mon now.

Guess I will block WU and Defender updates before imaging going forward, and try to ensure that none are in-progress.

Thanks for the replies.

Re: Preventing Windows component inconsistencies

Posted: Sat Apr 16, 2022 7:48 pm
by Scott
I just had this issue happen again: I validated/restored an image (not the same one as the issue happened with before), the restore completed successfully, I ran chkdsk /f (as mentioned, it made corrections as it always does), and it said "No further action is required". A second chkdsk run was clean.

But Microsoft Defender would not run. The service kept trying to start, only to immediately crash, indefinitely.

Re: Preventing Windows component inconsistencies

Posted: Sat Apr 16, 2022 8:41 pm
by TeraByte Support
Perhaps you have a backup of one of the known issues that they have since fixed, or it's in the process of updating after restoring an old image. With VSS you shouldn't really see any file system issue unless they were preexisting or aren't really issues. Byte-for-byte validation on backup will ensure the backup is clean from that point.

Re: Preventing Windows component inconsistencies

Posted: Sat Apr 16, 2022 10:14 pm
by Scott
I've done two restores today, and the one in question is the one for which I had forgotten to block Defender updates before creating. The one I created where I remembered to block updates has no issues with Defender. I get that correlation is not causation, but hopefully this means something.

Re: Preventing Windows component inconsistencies

Posted: Sun Apr 17, 2022 1:40 am
by TeraByte Support
There wouldn't be a bug in IFW; you get back the way it was when backed up. When using VSS, you get the MS view; when using PHYLock, you get the physical view. But you should update Windows Defender to ensure you have the fixed version and create a new image. You should also look at other things since nobody else can reproduce.