BSOD Driver Unloaded without Cancelling Pending Operations (KB5051987)

[karu]

Hi

Created a well working Image.
Issue: When installing update KB5051987 it throws a BSOD at boot.

Message: Stop code: Driver Unloaded without canceling pending operations What failed: win32kbase.sys


See attached Preset


Any Idea what is wrong here?

Thanks so much
Wish you all a great weekend!

 

[garlin]

To understand your problem, the NTLite image works but will BSOD after you install KB5051987 (Feb 2025)?

Beginning with February's update, MS is rolling out policy files for the Vulnerable Driver BlockList (SIPolicy.p7b & driversipolicy.p7b). Check if you have older device drivers, or 3rd-party apps which install kernel drivers to do system tweaking. These may be blocked now.

 

[karu]

THX for the answer.
Yes thats the problem.
We integrate all kinds of kernel drivers...
Any Idea on how I can find out which driver is the problem?

 

[garlin]

There's a handful of technical guides which walk you through the process of converting your Windows driver policy into audit mode. Blocked drivers are allowed to load, but get flagged in the event logs. You would collect the events, and update your blocklist accordingly.

I would skip that for now, and try converting the current drivers policy file in XML before browsing it.

1. Download Matt Graeber's WDACTools PowerShell module. Look for the green "Code" button on GitHub, select "Download ZIP".
2. Extract the ZIP to any local folder.

3. Run PowerShell as Admin:

Import-Module \path\to\folder\WDACTools.psd1 -Scope Global
ConvertTo-WDACCodeIntegrityPolicy -BinaryFilePath C:\Windows\System32\CodeIntegrity\driversipolicy.p7b -XmlFilePath DriverSiPolicy.xml

4. Open the converted policy XML, and browse for any drivers you might have as matches.

The blocklist XML is composed of three parts:

- Blocked CA authority signing certs used by vulnerable drivers​

- Deny rules for blocked drivers, based on SHA1 and SHA256 hashes​

- Deny rules for blocked drivers, based on specific filenames​