Windows Start Menu Locked Up, unable to restart machine.

Hi All,

I installed Windows 1703 and replicated all previous steps I took with 1709.  

It installed fine, and after the reboot no issues. 

The issue has something to do with 1709.

That's not a legit answer.

Yes we are in the same boat. We are new partners and luckily have only deployed about 8 sites. Still enough to be bad although right now the only thing saving us is this users mostly have not been forced to update to the latest Windows OS. With that said we have already been absolutely roasted by the companies having the issue. Several folks were down all day before we could figure out what was going on. All happening on new machines but was it caused by removal of old product (Intune) etc.

We then started deploying on fully updated machines in the lab and that did not go well.

Oddly I can confirm that I just took a machine that was totally whacked, logged in as administrator (had not been used at all), shut down, cold boot, logged in as whacked user and it seems fine now. WTH

I can say that some of the machines we had issues with did not show the problems right away so it remains to be seen if this holds up.

If this was reported that long ago and not looked in to deeply I am a bit shocked.

I've logged an urgent case here in the UK, I've been doing various tests for the support here. The L2 support seem to be aware or have heard of this issue. Does anyone know if this issue has already been escalated  and if so any numbers so we can attach? My support case is: #7862295

Regards

Kevin

We are facing the same issue with different fresh installs of Windows 10 and re-installs of EPA.

Machine performance goes down and Start Menu freezes. 

Hi Michael,

Yep totally agree this is what we are experiencing as well. This morning I have a newly built system with pretty much nothing else installed other than Sophos and it freezes in the same way, Start menus, Edge and Settings.

I have a case open here with support they are investigating  my procmon outputs and SDU logs.

Regards

kevin

Any Updates?

Everyone I was in contact with seems to have gone dark.

I was able to try an older computer this weekend. I installed Sophos then the 1709 update and it seemed to work although there was an revision update to the client and it was installed without IX

No, I still have the same issue. I think I have worked it out. 

It is the same issue SOPHOS originally had, Windows Defender.

Even though  SOPHOS disable certain things, Defender is still running, more specifically, Exploitation Protection by Windows Defender.

I went through and disabled these AND THEN i went to GPO and disabled it there. 

After reboot, my start button worked.  Unsure if co-incidence or not, or if it actually fixed, did this last night.

Okay thanks for the info...

Windows Defender I don't think is the issue we have had issues with and without.

You must be special we had this opened for weeks and cant even get an update.

I can confirm in each instance we log out and back in to a new profile it seems to work. We are trying a beta release but we did not get clear indication if that is a shot in the dark or an actual fix. We have not received any feedback about what exactly or superficially causing the issue, at this point we are assuming its a guess.

I have little faith in SOPHOS support. I just don't have the time to invest helping them, I am by myself with over 200 seats, I'm just trying to get myself out of trouble

I am curious, did you try the Defender thing?

If you go to Defender Security Settings

App & Browser Control, Exploit.  Turn it all off.

Then, in gpedit.msc

Comp Conf -> Admin -> Win Comp -> Windows Def Anti V

Turn off Win Def Anti V

I am really keen to see if this fixes it, 2nd machine that had an issue, that I did this, and it seems OK. 

Maybe I am special, and everything is just a co-incidence lol

I have little faith in SOPHOS support. I just don't have the time to invest helping them, I am by myself with over 200 seats, I'm just trying to get myself out of trouble

I am curious, did you try the Defender thing?

If you go to Defender Security Settings

App & Browser Control, Exploit.  Turn it all off.

Then, in gpedit.msc

Comp Conf -> Admin -> Win Comp -> Windows Def Anti V

Turn off Win Def Anti V

I am really keen to see if this fixes it, 2nd machine that had an issue, that I did this, and it seems OK. 

Maybe I am special, and everything is just a co-incidence lol

I did do this but after the fact. Perhaps this needs to be done on the machine and then the Sophos install?

I did it will the local GP because I only have the test lab no domain for this currently.

What I can say with certainty any other product like ccleaner, malwarebytes, acronis 2018 etc. causes major panic so I started with Defender.

With that said it clearly states on Sophos related sites that it will work in conjunction with Defender and is made to do so.

Ok, fair enough, I'm on machine 3 with success.  Interestingly, on the 3rd, i had to ENABLE it, turn off Exploit and then disable it via GPO.

It definitely feels like a Windows Driver / Filter issue, so it is beyond direct control, you have to tinker with stuff on the surface to get it to change / remove filters at the bottom near the Kernel, though, I could be 100% wrong.  As said, 3rd machine fixed, at least I have something to play with to get it to to work for the client's that complain.

One more thing to add I did discover on two machines the system interrupt was 100% the CPU for whats its worth.

Hi Burt,

We just had another system show the problem today and tried to disable Windows Defender as documented above, however it still shows the problem after a reboot.. Hopefully we did everything correctly i.e. In Windows Defender -> "App & Brower control" we switched off all the selections as well as in the "Exploit Protection settings" i.e. "Off by default".

In the gpedit.msc we have the Windows Defender Anti-Virus "enabled" which says it is switched off and AV does not run.

One other thing, Sophos was already installed before we disabled Windows Defender would this make a difference?

Did we miss something? Any help would be appreciated.

Many thanks

Kevin

Hi,

Very strange, I'll use my unchanged main computer to show you what I did.  My main computer whilst using ALL 3 sophos products (AV, Int Encryp) does not show any signs of the issue.

Just last night I fixed another one, however i noticed that there was some taskhost.exe or something like that trying to install a driver, after doing the steps, i had to reboot a few times.  Like it was stuck installing a driver or something.

I'm not sure if I am doing these and by accident doing something else that is fixing my issue, as I don't understand the problem 100% I can't say for sure if what I am doing is working.  I have gotten all my client's with this issue off my back, so it must be close on the mark?

https://imgur.com/a/B8N8V

Hi Burt,

I tried again today i.e. removing Sophos and making sure Windows Defender was disabled, I reinstalled Sophos but the problem still shows up after a reboot. This is very strange...

Sophos Escalation team just sent me an email of the problem details which seems to not match the issue we are experiencing.. I'll talk to them about this. It is clear to us any new system installation or rebuild will definitely produce the problem every time. Existing users seem to be ok so far.. This is still a big issue for us with new users and or system rebuilds which we have to do. As you said Intercept X is a necessity and running solely with just Endpoint is not what we bought into when moving to Sophos.

Regards

Kevin

Hi All,

It seems Sophos may have a solution or workaround. It appears a new option added in 1709. i.e. switching off the ‘Use my sign–in info to automatically finish setting up my device after an update or restart’  fixes certainly one of my systems so far. It is in "Settings -> Accounts ->Sign options and under Privacy.

http://www.thewindowsclub.com/automatically-launch-previously-open-apps-reboot-windows-10

Let me know if this helps your systems?

Regard's

Kevin

They are all over the place. Yesterday I was told devs said Visual Studio was causing the issue. We have not been able to test that yet.

We did test a new machine fully patched prior to Sophos install. As long as GPO Defender was done prior to Sophos install it was fine.

Kevin how did you test this?

You had a machine that was acting up with Sophos ADV and IX installed, changed this and restarted and then in was fine?

Yes I have a new system which was always failing on a reboot, so switched off this setting as per Sophos suggestion and it works so far.. I'll try it on other systems later. The Sophos description of the issue almost threw me, but just not totally accurate. Anyhow if this works then I guess it is a Windows problem and adding new switches.

Kevin