Hey Checkyourlogs Fans,
If your organization uses third-party security or endpoint software such as BeyondTrust, CrowdStrike Falcon, or others, you may have noticed Microsoft Teams crashing, freezing, or acting unreliably (especially around the WebView component). These problems often stem from interactions between Teams, Edge WebView2, and your security tools (antivirus, DLL hooks, data-loss prevention / DLP agents, etc.).
Microsoft has published guidance on how to avoid these problems by adding specific Teams processes (and WebView2) to the exclusion list of antivirus or the allowlist of DLP/security software. Below is an explanation of what’s going on, what to do, and how to make it work in practice.
What’s happening under the hood
- The new Microsoft Teams client depends on Edge WebView2 for parts of its UI / rendering. Interference with WebView2 (DLL injection, hook libraries, scanning, etc.) can cause instability.
- Classic Teams had fewer moving parts and often fewer conflicts, but even that can be disrupted if specific security agents hook into process lifecycles or inject DLLs.
- Tools like BeyondTrust, CrowdStrike, or other endpoint protection/monitoring / DLP solutions might have DLL hooks or background agents that interact with all running processes—sometimes those hooks conflict. Microsoft has identified specific associated DLLs (for example, PGHook.dll for BeyondTrust, Umppc*.dll for CrowdStrike) that are known to be culprits.
Microsoft’s recommendations: Exclusions / Allow-listing
Microsoft’s official guidance is to include / approve certain Teams- and WebView2-related executables (and the components that update them) in your antivirus / DLP configuration. This can significantly improve stability by reducing the interference.
Here are the key processes / files Microsoft says to whitelist / exclude:
Client | Processes / Components to Exclude / Whitelist |
---|---|
New Teams | msedgewebview2.exe, ms-teams.exe, ms-teamsupdate.exe, msteams_autostarter.exe |
Classic Teams | e.g. teams.exe, update.exe, squirrel.exe, Teams Meeting Add-in; located under %LocalAppData%\Microsoft\Teams\… |
Additionally:
- Ensure the Teams installation directory (especially for the new Teams client installed via MSIX) is accounted for. Because the folder name includes version info and changes over time (folder names like MSTeams_…_8wekyb3d8bbwe), you may need to use wildcards or regularly review your exclusions.
- For classic Teams, the path is usually under the user’s profile (AppData\Local\Microsoft\Teams).
Specific known offenders: BeyondTrust, CrowdStrike, etc.
Some of the problematic agents / DLLs Microsoft lists:
- BeyondTrust: PGHook.dll is named. If that DLL is loaded/injected into Teams or WebView2, it may trigger instability.
- CrowdStrike Falcon: DLLs matching Umppc*.dll are in the list. If they hook into Teams or WebView2, crashes / hangs / WebView failures may happen.
- More Details here: Microsoft Learn
Steps to fix/mitigate (for sysadmins)
Here’s a suggested checklist you can follow to reduce or eliminate Teams crashes caused by these interactions:
- Identify crashes vs stability symptoms
  - Gather logs: Does Teams crash immediately, or only when performing particular functions (e.g. opening a chat, channel, or meeting)?
  - Check whether WebView portions (embedded browser content, tabs inside Teams) are involved.
- Inventory the security/endpoint tools in place
  - Note whether you have BeyondTrust, CrowdStrike, any DLP software, antivirus with strong process / DLL scanning/injection, etc.
  - Check versions of those tools, as some later versions may have fixed issues or allow simpler exclusions.
- Add exclusions / allow-listing
  - For the Teams-specific executables (new + classic) as per Microsoft’s list.
  - Also for WebView2’s process (msedgewebview2.exe) because WebView2 is critical to Teams UIs.
  - Ensure that the path / version changes are accounted for (use wildcards, environment variables, or automation if possible).
- Exclude or allow the problematic DLLs (hooks) if possible
  - If BeyondTrust’s PGHook.dll or CrowdStrike’s Umppc*.dll is known to be loaded during Teams crashes, try to configure those agents not to hook into Teams processes / WebView2 (if the vendor allows).
  - If vendor-side configuration isn’t possible, ensure Teams processes are excluded from complete scanning or hooking.
- Test
  - After configuring, deploy to a pilot group first. Check whether the Teams UI loads correctly, meetings work, and the WebView doesn’t crash or freeze.
  - Monitor for updates: Teams, WebView2, or your AV/DLP vendor may push updates that break paths or change process names.
- Maintain documentation & change management
  - Keep notes of what exclusions / allow-list rules you’ve set up (for auditing, for future admins).
  - When updating Teams or WebView2, re-verify that executables/directories still match your rules; sometimes versioned folders change.
Things to watch out for
- Security trade-offs: Excluding things from antivirus / DLP always has risk. Ensure you’re balancing security vs availability. Limit exclusions to the minimal necessary.
- Dynamic folder names: As noted, the new Teams installed via MSIX uses versioned/dynamic folder names. If you hard-code a path that changes, your exclusion may stop working.
- Vendor documentation: For tools like CrowdStrike or BeyondTrust, check vendor support pages to see how to configure hooks/scanning behaviour around Teams / WebView2. Sometimes they offer special profiles or policy settings.
- Keeping current: Microsoft may update its guidance; keep an eye on the Microsoft Learn article. Also, security tools may update their behaviour.
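To catch the dynamic-folder problem before users do, the following added example (not from Microsoft's guidance or any vendor) compares the Teams and WebView2 paths in use on a machine against a list of exclusion rules. The rule list, its constructed version number, the function name, and the use of PowerShell `-like` wildcard matching are assumptions; your security tool's wildcard syntax may differ.

```powershell
# Added example. $rules is a constructed sample, not vendor syntax; paste in the
# path rules exported from your own AV / DLP console.
$rules = @(
    # Hard-coded versioned folder (constructed version): goes stale on update.
    'C:\Program Files\WindowsApps\MSTeams_00000.0.0.0_x64__8wekyb3d8bbwe\ms-teams.exe'
    # Wildcard over the versioned part of the MSIX folder name.
    'C:\Program Files\WindowsApps\MSTeams_*_8wekyb3d8bbwe\ms-teams.exe'
    # Classic Teams under the user profile, using an environment variable.
    '%LocalAppData%\Microsoft\Teams\*'
)

function Test-TeamsExclusionCoverage {
    param([string[]]$Rule, [string[]]$Path)
    # Expand %VAR% references so rules compare against real paths.
    $expanded = $Rule | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
    foreach ($p in $Path) {
        $hits = @($expanded | Where-Object { $p -like $_ })
        [pscustomobject]@{
            Path         = $p
            Covered      = ($hits.Count -gt 0)
            MatchedRules = $hits -join '; '
        }
    }
}

# Paths in use right now: running processes plus the installed new-Teams package.
$paths = @(Get-Process -Name 'ms-teams', 'msedgewebview2', 'Teams' -ErrorAction SilentlyContinue |
    Where-Object Path | Select-Object -ExpandProperty Path)
foreach ($pkg in Get-AppxPackage -Name 'MSTeams') {
    $paths += Join-Path $pkg.InstallLocation 'ms-teams.exe'
}

Test-TeamsExclusionCoverage -Rule $rules -Path ($paths | Sort-Object -Unique) |
    Format-Table -AutoSize
```

Any row with `Covered` set to False is an executable that the current rules no longer match; rows matched only by a broad wildcard are candidates for tightening.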
Example: What might be happening in a real scenario
Let’s say you have Teams crashing whenever someone opens a tab in Teams (for example, a web tab or embedded content). On investigation, you find that CrowdStrike’s sensor is injecting a DLL named UmppcHook.dll into every process, including WebView2. That DLL is on Microsoft’s known list of DLLs that can interfere. The fix would be to configure CrowdStrike policy to not inject that hook into processes named msedgewebview2.exe, ms-teams.exe, etc., or to exclude those processes from complete scanning or hooking. Then deploy that policy, test, and monitor for improvement.
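The investigation step in this scenario can be scripted. This added example (not from the article's sources) lists any module matching PGHook.dll or Umppc*.dll that is loaded in running Teams or WebView2 processes, so an exclusion is only requested where a hook is actually present. The function and variable names are assumptions.

```powershell
# Added example. Reports whether the hook DLLs named above are loaded in running
# Teams / WebView2 processes. Use a 64-bit, elevated PowerShell session to read
# processes that belong to other users.
$TeamsProcessNames = 'ms-teams', 'msedgewebview2', 'Teams'  # new Teams, WebView2, classic Teams
$HookDllPatterns   = 'PGHook.dll', 'Umppc*.dll'             # BeyondTrust, CrowdStrike Falcon

function Get-TeamsHookModule {
    param(
        [string[]]$Name    = $TeamsProcessNames,
        [string[]]$Pattern = $HookDllPatterns
    )
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try {
            $modules = @($proc.Modules)   # can fail: access denied, process exited
        } catch {
            # Surface unreadable processes instead of silently reporting "clean".
            [pscustomobject]@{
                Process = $proc.ProcessName; Id = $proc.Id
                Module  = '<unreadable>';    Path = $_.Exception.Message
            }
            continue
        }
        foreach ($module in $modules) {
            foreach ($p in $Pattern) {
                if ($module.ModuleName -like $p) {
                    [pscustomobject]@{
                        Process = $proc.ProcessName;  Id = $proc.Id
                        Module  = $module.ModuleName; Path = $module.FileName
                    }
                    break   # one row per module, even if several patterns match
                }
            }
        }
    }
}

$found = @(Get-TeamsHookModule)
if ($found.Count -eq 0) {
    'No listed hook DLLs found in running Teams / WebView2 processes.'
} else {
    $found | Sort-Object Process, Id | Format-Table -AutoSize
}
```

msedgewebview2.exe is also hosted by other applications, so a hit in that process is not necessarily inside Teams; compare the process IDs with the ones that crash.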
Conclusion
If your Teams client is unstable (especially WebView2 parts) and you’re using tools like BeyondTrust, CrowdStrike, or other endpoint / DLP / AV agents, there’s a strong chance those tools are conflicting via DLL hooks or scanning. Microsoft’s guidance to exclude certain Teams/WebView2 executables (and sometimes specific DLLs) from such tools is a proven method to reduce crashes / improve stability.
Thanks,
Dave Kawula – MVP