NVIDIA vGPU Guest Driver Installation Causes BSOD on Domain-Joined Windows VM
Problem
A Windows virtual machine deployed with an NVIDIA vGPU profile crashes with a Blue Screen of Death (BSOD) during or immediately after NVIDIA guest driver installation. The stop codes observed are PAGE_FAULT_IN_NONPAGED_AREA (0x50) or DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1), with the failing module identified as nvlddmkm.sys. The VM is domain-joined at the time of driver installation. The same driver version installs successfully on a VM that is not domain-joined.
Environment
Private Cloud Director Virtualization - All versions
Self-Hosted Private Cloud Director Virtualization - All versions
Component: Compute Service, vGPU (NVIDIA SR-IOV vGPU profile)
Guest OS: Windows 11 (any build), Windows Server 2022
NVIDIA vGPU host driver: 580.x series (SR-IOV with GSP mode)
Cause
Windows domain Group Policies applied during or after domain join interfere with the installation of the NVIDIA kernel-mode graphics driver (nvlddmkm.sys). The policies most likely to cause the conflict include:
Driver signing enforcement or update restriction policies — prevent unsigned or newly introduced kernel-mode drivers from loading
Windows Defender Application Control (WDAC) or Code Integrity policies — block kernel driver execution based on policy rules inherited from the domain
Virtualization-Based Security (VBS) or Credential Guard — restrict kernel module loading in ways that conflict with the NVIDIA driver initialisation sequence
Device installation restriction policies — block installation of specific device classes or vendor IDs applied by the domain
The BSOD occurs because Group Policy enforces security restrictions on kernel-mode driver loading before the NVIDIA driver has completed installation. The driver is partially initialised when the policy takes effect, resulting in a memory access violation (0x50) or an illegal interrupt request level operation (0xD1) in nvlddmkm.sys.
The platform, hypervisor, and vGPU configuration are not the cause of this issue.
Diagnostics
Step 1 — Confirm the BSOD module is nvlddmkm.sys
After the BSOD, Windows generates a minidump in C:\Windows\Minidump\. Retrieve the stop code from the Windows Event Log inside the VM.
Stop codes BugcheckCode=209 (0xD1) or BugcheckCode=80 (0x50) with module nvlddmkm.sys confirm the NVIDIA driver as the failing component.
Step 2 — Confirm the VM is domain-joined
If the output is True, domain Group Policies are active on the VM. This is the trigger condition for the driver conflict.
Step 3 — Check for active Code Integrity or WDAC policies
SecurityServicesRunning values of 1 (Credential Guard) or 2 (HVCI/Hypervisor-protected Code Integrity) indicate active security features that may conflict with NVIDIA driver installation. CodeIntegrityPolicyEnforcementStatus = 2 means enforced mode is active.
Step 4 — Verify NVIDIA driver version and OS build compatibility
Confirm the driver version being installed and the Windows build version. Not all NVIDIA guest driver versions are certified for all Windows builds.
NVIDIA guest driver 580.88 has been verified to install successfully on Windows 11 24H2. Installing on Windows 11 25H2 (OS Build 26200.x) has been observed to cause BSOD on domain-joined VMs even with the correct driver version. If the VM is running Windows 11 25H2, follow Workaround Method 2 (redeploy with Windows 11 24H2).
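The four diagnostic checks above can be collected in one pass. The following PowerShell is an added example, not vendor-supplied tooling; it assumes an elevated session inside the guest VM and uses only built-in cmdlets and WMI classes.

```powershell
# Added example: gathers the facts from Diagnostics Steps 1-4. Run elevated in the guest.
$stopCodes = @{ 80  = 'PAGE_FAULT_IN_NONPAGED_AREA (0x50)'
                209 = 'DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1)' }

# Step 1: Kernel-Power event 41 records BugcheckCode in decimal after an unclean restart.
# The event carries the code only; the failing module is read from the minidump.
$bugchecks = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $code = [int]($data | Where-Object Name -eq 'BugcheckCode').'#text'
        if ($stopCodes.ContainsKey($code)) {
            [pscustomobject]@{ Time = $_.TimeCreated; Code = $code; Stop = $stopCodes[$code] }
        }
    })
$dumps = @(Get-ChildItem 'C:\Windows\Minidump\*.dmp' -ErrorAction SilentlyContinue)

# Step 2: domain membership (True means domain Group Policies apply).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Step 3: Device Guard / Code Integrity state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

# Step 4: OS build and installed NVIDIA display driver (Windows four-part version format).
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$drv = Get-CimInstance -ClassName Win32_PnPSignedDriver |
       Where-Object { $_.DeviceClass -eq 'DISPLAY' -and $_.DriverProviderName -like 'NVIDIA*' }

$bugchecks | Format-Table -AutoSize
[pscustomobject]@{
    MatchingBugchecks     = $bugchecks.Count
    MinidumpFiles         = $dumps.Count
    DomainJoined          = $cs.PartOfDomain
    Domain                = $cs.Domain
    CredentialGuardActive = $dg.SecurityServicesRunning -contains 1
    HvciActive            = $dg.SecurityServicesRunning -contains 2
    CodeIntegrityEnforced = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2
    OsCaption             = $os.Caption
    OsBuild               = $os.BuildNumber
    NvidiaDriverVersion   = ($drv.DriverVersion -join ', ')
} | Format-List
```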
Workaround
Method 1 — Install NVIDIA Driver Before Domain Join
The most reliable workaround is to install the NVIDIA guest driver while the VM is in WORKGROUP state (not domain-joined), then proceed with domain join after the driver is stable.
Step 1 — Deploy the VM without domain join
When provisioning the VM through automation or manually, skip the domain join step. Confirm the VM is in WORKGROUP state before proceeding.
Step 2 — Install the NVIDIA guest driver
Install the NVIDIA vGPU guest driver while the VM is not domain-joined. The recommended driver for NVIDIA L40S vGPU with Windows 11 24H2 is 580.88.
Allow the installer to complete and reboot the VM when prompted.
Step 3 — Verify the NVIDIA driver is loaded and functional
After reboot, confirm the driver is installed and the vGPU is recognised.
Step 4 — Proceed with domain join
After confirming the NVIDIA driver is stable, join the VM to the domain. The driver will remain functional after domain join since it was installed before Group Policy took effect.
Step 5 — Verify GPU and driver are intact after domain join
After the domain join reboot, confirm the NVIDIA driver and vGPU remain operational.
Method 2 — Use Windows 11 24H2 Instead of 25H2
If the VM is running Windows 11 25H2 and the BSOD occurs even when following Method 1, redeploy the VM using a Windows 11 24H2 base image. NVIDIA guest driver 580.88 has been verified stable on Windows 11 24H2 with domain-joined GPU VMs.
Redeploy the VM from a Windows 11 24H2 image, follow Method 1 (install driver before domain join), and confirm stability before deploying the full workload.
Method 3 — Audit and Adjust Domain Group Policies (Advanced)
If switching OS versions or reordering the driver install is not feasible, work with the Active Directory / Group Policy administrator to identify and temporarily relax the policies that conflict with NVIDIA driver installation. Review the following policy categories on the domain controller or local GPO:
Computer Configuration → Windows Settings → Security Settings → Application Control Policies — check for WDAC or AppLocker policies blocking driver execution
Computer Configuration → Administrative Templates → System → Device Installation → Device Installation Restrictions — check for vendor or class ID blocks
Computer Configuration → Administrative Templates → System → Device Guard — check for Hypervisor-Protected Code Integrity (HVCI) enforcement
Re-enable the policies after the NVIDIA driver installation completes successfully.
Resolution
The confirmed working combination for NVIDIA L40S vGPU deployments is:
Guest OS: Windows 11 24H2
NVIDIA guest driver: 580.88
Installation order: NVIDIA driver installed before domain join
Bake this order into the VM provisioning automation to prevent recurrence across future GPU VM deployments.
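One way to enforce that order in provisioning automation is a gate that refuses the domain join unless the driver is already loaded. This is an added example, not part of the product; the function name Join-DomainAfterGpuDriver and its parameters are hypothetical, and it assumes the guest driver was installed and the VM rebooted beforehand.

```powershell
# Added example; Join-DomainAfterGpuDriver is a hypothetical helper name.
function Join-DomainAfterGpuDriver {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $DomainName,   # supplied by the automation
        [Parameter(Mandatory)] [pscredential] $Credential    # account allowed to join machines
    )
    $ErrorActionPreference = 'Stop'

    # Method 1, Step 1: the VM must still be in WORKGROUP state.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        throw "VM is already joined to '$($cs.Domain)'; the driver-first order cannot be enforced."
    }

    # Method 1, Step 3: the nvlddmkm kernel driver service must be running.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='nvlddmkm'"
    if ((-not $svc) -or ($svc.State -ne 'Running')) {
        throw 'nvlddmkm is not running; install the NVIDIA guest driver and reboot first.'
    }

    # The device bound to that driver must report no Device Manager error (code 0).
    $gpu = @(Get-CimInstance -ClassName Win32_PnPEntity |
             Where-Object Service -eq 'nvlddmkm')
    if ($gpu.Count -eq 0) {
        throw 'No device is bound to nvlddmkm; the vGPU is not recognised.'
    }
    $faulted = @($gpu | Where-Object ConfigManagerErrorCode -ne 0)
    if ($faulted.Count -gt 0) {
        throw "vGPU device reports error code $($faulted[0].ConfigManagerErrorCode)."
    }

    # Method 1, Step 4: the driver is loaded, so the domain join can proceed.
    Add-Computer -DomainName $DomainName -Credential $Credential -Restart
}
```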
Additional Information
Related articles:
Windows GPU VM Stops Automatically After Deployment Due to Guest ACPI Standby Policy — covers the separate issue where a GPU VM stops without user action due to Windows ACPI S3 standby entering the PMSUSPENDED state.