Windows Server 2019: Network Threat Protection causes RDS system lockup requiring restart

We have been seeing a similar issues on RDS 2016 Virtual Machines

https://www.reddit.com/r/sysadmin/comments/wxehc0/rds_2016_session_hosts_on_different_esxi_hosts/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=share_button

Only fix is to hard power off VM. 

We notice NTP Service stuck in starting state after boot. 

Ben. 

The NTP Service being stuck in a starting state is interesting, I wonder if this is related?

I've seen this with a bug in a Redhat network driver and another NIC driver affecting the registering of WFP filters. So the SophosNTPService.exe process gets stuck in a WFP call. 

It is only registering with WFP to enable the WFP filters for web protection/Control.  With those features disabled it shouldn't perform this task.

Are you able to test if you get the issue with "Web Control" AND "Scan downloads in progress" AND "Block access to malicious websites", I.e. in the Threat Protection policy applied to the server disabled these 2:

Then in the web control policy applied to the server, if enabled disable this:

Check at the client that SophosNetFilter.exe has stopped.  This is evidence of the features being disabled. All 3 need to be disabled for SophosNetFilter.exe to stop running.

Then restart the Sophos Network Threat Protection service.  This will ensure all WFP callout registrations are removed.

Does the problem occur from this state?  If so, it suggest to me an issue with this feature/WFP.

The NTP Service being stuck in a starting state is interesting, I wonder if this is related?

I've seen this with a bug in a Redhat network driver and another NIC driver affecting the registering of WFP filters. So the SophosNTPService.exe process gets stuck in a WFP call. 

It is only registering with WFP to enable the WFP filters for web protection/Control.  With those features disabled it shouldn't perform this task.

Are you able to test if you get the issue with "Web Control" AND "Scan downloads in progress" AND "Block access to malicious websites", I.e. in the Threat Protection policy applied to the server disabled these 2:

Then in the web control policy applied to the server, if enabled disable this:

Check at the client that SophosNetFilter.exe has stopped.  This is evidence of the features being disabled. All 3 need to be disabled for SophosNetFilter.exe to stop running.

Then restart the Sophos Network Threat Protection service.  This will ensure all WFP callout registrations are removed.

Does the problem occur from this state?  If so, it suggest to me an issue with this feature/WFP.

any updates on this case?

Let me know if the following response in a neighbouring thread helps. 
- RE: Windows Server 2019: Network Setup Service constantly restarting. disabling Network Threat Protection fixes it 

If you don't have a more recent version of Core Agent at this time, it is also possible to open a support case to request that your site be moved to an earlier release group so you receive the update sooner.