Webroot Antivirus causing login issues on remote desktop/terminal servers.
The Winlogon processes will lock-up due to webroot and you will be able to see this as event 4005.
The impact will stop users from being able to login to the server, however existing sessions will operate as per normal.
Webroot are currently diagnosing the issue but do not have a permanent solution at this stage, the work around is to uninstall and install an older version of webroot.
Instructions below:
Download old version of Webroot:
download.webroot.com/8.0.8.53/wsasme.exe
Create a global policy that has the auto-update feature turned off (Basic Configuration > Automatically download and apply updates), apply this to the impacted server.
Uninstall Webroot from the server from the Webroot console by using the Agent Commands menu and selecting Agent > Uninstall
This may take a few minutes to complete. Retry if agent hasn’t uninstalled after 5 minutes.
Install version 8 of Webroot with the following switches:
Wsasme.exe /key=XXXXXXXXXXXXXXXXXXXX /silent /noupd -clone
Grab the key from the clients Webroot portal
Once installed and the initial scan is complete, confirm version 8.0.8.53 is installed by hovering your mouse over the Webroot icon in the system tray.
Schedule a restart of the server to complete the process (after hours).