Windows Start Menu Locked Up, unable to restart machine.

Hi All,

I installed Windows 1703 and replicated all previous steps I took with 1709.  

It installed fine, and after the reboot no issues. 

The issue has something to do with 1709.

That's not a legit answer.

FYI we have a partner ticket open with escalation and I will post the details here for sure.

Wait how long has this been a known issue? I thought we found a bug not something that has been known for a long time. That is very concerning.

In our test lab (about 20 machines) every IX the machine is basically toast. With that said I did a new Dell yesterday with only EPA and it did not blow the machine up but it ran poorly. For example it took about 45 seconds to open task manager. We ad no choice but to deploy it without protection other than Windows Defender because of time constraints.

I ran into this mid october.  I downloaded the latest ISO from MS under SPLA and used that install. I fully deployed the machine, and installed SOPHOS, great. I then was about to ship to client when I forgot to install some custom app they use.  When I went to install it, Start Button wasn't working.  I spent a good 4-5 hours working on the assumption that Windows was faulty. (I couldn't understand how a fresh install could go so wrong).  In this time, I reinstalled the machine following the exact steps, same issue. So I knew it wasn't a bad install etc.

After giving up, I Re-Installed again and noticed that it only happened when SOPHOS was installed and rebooted.

I then downloaded the prior version of Windows, installed SOPHOS and no issue.  I then updated to 1709 and it was stable and fine.

My laptop, which I had to remove SOPHOS from was installed over a year ago, so the version of Windows 10 has no issues with SOPHOS, but just 2 days ago, I had the exact issue, start button dead unless I spam right click to make it come to life a bit, Windows Apps gone, everything running in slow motion.

I am now DEEPLY concern I am going to be getting support calls about this, and i have no recourse but to remove SOPHOS. EMBARRESSING!!!!!!!!!!!!!

Yes we are in the same boat. We are new partners and luckily have only deployed about 8 sites. Still enough to be bad although right now the only thing saving us is this users mostly have not been forced to update to the latest Windows OS. With that said we have already been absolutely roasted by the companies having the issue. Several folks were down all day before we could figure out what was going on. All happening on new machines but was it caused by removal of old product (Intune) etc.

We then started deploying on fully updated machines in the lab and that did not go well.

Oddly I can confirm that I just took a machine that was totally whacked, logged in as administrator (had not been used at all), shut down, cold boot, logged in as whacked user and it seems fine now. WTH

I can say that some of the machines we had issues with did not show the problems right away so it remains to be seen if this holds up.

If this was reported that long ago and not looked in to deeply I am a bit shocked.

I've logged an urgent case here in the UK, I've been doing various tests for the support here. The L2 support seem to be aware or have heard of this issue. Does anyone know if this issue has already been escalated  and if so any numbers so we can attach? My support case is: #7862295

Regards

Kevin

We are facing the same issue with different fresh installs of Windows 10 and re-installs of EPA.

Machine performance goes down and Start Menu freezes. 

Hi Michael,

Yep totally agree this is what we are experiencing as well. This morning I have a newly built system with pretty much nothing else installed other than Sophos and it freezes in the same way, Start menus, Edge and Settings.

I have a case open here with support they are investigating  my procmon outputs and SDU logs.

Regards

kevin

Any Updates?

Everyone I was in contact with seems to have gone dark.

I was able to try an older computer this weekend. I installed Sophos then the 1709 update and it seemed to work although there was an revision update to the client and it was installed without IX

No, I still have the same issue. I think I have worked it out. 

It is the same issue SOPHOS originally had, Windows Defender.

Even though  SOPHOS disable certain things, Defender is still running, more specifically, Exploitation Protection by Windows Defender.

I went through and disabled these AND THEN i went to GPO and disabled it there. 

After reboot, my start button worked.  Unsure if co-incidence or not, or if it actually fixed, did this last night.

No, I still have the same issue. I think I have worked it out. 

It is the same issue SOPHOS originally had, Windows Defender.

Even though  SOPHOS disable certain things, Defender is still running, more specifically, Exploitation Protection by Windows Defender.

I went through and disabled these AND THEN i went to GPO and disabled it there. 

After reboot, my start button worked.  Unsure if co-incidence or not, or if it actually fixed, did this last night.

Okay thanks for the info...

Windows Defender I don't think is the issue we have had issues with and without.

You must be special we had this opened for weeks and cant even get an update.

I can confirm in each instance we log out and back in to a new profile it seems to work. We are trying a beta release but we did not get clear indication if that is a shot in the dark or an actual fix. We have not received any feedback about what exactly or superficially causing the issue, at this point we are assuming its a guess.

I have little faith in SOPHOS support. I just don't have the time to invest helping them, I am by myself with over 200 seats, I'm just trying to get myself out of trouble

I am curious, did you try the Defender thing?

If you go to Defender Security Settings

App & Browser Control, Exploit.  Turn it all off.

Then, in gpedit.msc

Comp Conf -> Admin -> Win Comp -> Windows Def Anti V

Turn off Win Def Anti V

I am really keen to see if this fixes it, 2nd machine that had an issue, that I did this, and it seems OK. 

Maybe I am special, and everything is just a co-incidence lol

I did do this but after the fact. Perhaps this needs to be done on the machine and then the Sophos install?

I did it will the local GP because I only have the test lab no domain for this currently.

What I can say with certainty any other product like ccleaner, malwarebytes, acronis 2018 etc. causes major panic so I started with Defender.

With that said it clearly states on Sophos related sites that it will work in conjunction with Defender and is made to do so.

Ok, fair enough, I'm on machine 3 with success.  Interestingly, on the 3rd, i had to ENABLE it, turn off Exploit and then disable it via GPO.

It definitely feels like a Windows Driver / Filter issue, so it is beyond direct control, you have to tinker with stuff on the surface to get it to change / remove filters at the bottom near the Kernel, though, I could be 100% wrong.  As said, 3rd machine fixed, at least I have something to play with to get it to to work for the client's that complain.

One more thing to add I did discover on two machines the system interrupt was 100% the CPU for whats its worth.

Machine No. 5 fixed this way.

My client's machines are slowly failing, 1 by 1...

So you have Sophos running with IX, Then what does enable "it" mean? Enable Defender then disable? I am just trying to write out some steps to reproduce.

Yeah we have a big problem too. We had already deleted the Windows Intune account which is what we are coming from. We are now rolling out machines without protection in fear they will lock up. Intune is a massive drag to go back to and remove, it takes hours some time because the removal process does not work that well and is not typically done on the machine.

Yes, IX is installed.  When you install IX, it disables Defender, but it looks like it doesn't do it fully.

When you click start, and type Defender, it will tell you to turn Defender On. 

So, I click that, I get taken to another screen, under Apps I think you will find exploit, turn it all off, and then gpedit.msc defender off the machine.

Touch wood, we are at 3 days on some computers without failure. Still holding my breath this is the problem, but looks promising.

It might be months before SOPHOS support fix this, I would not rely on them.

okay thanks for the information.

We will confirm in lab and report back.