Windows 10 v1903 Logoff issues

Hello,

We are testing Windows 10 V1903.

When we logoff from the Windows 10 Desktop it goes to a Black screen and the computer is unresponsive, can't even ping the desktop.   A hard reboot is necessary to get back in.   At first I thought it was video card related but same thing happened on 4 different machines.    When we uninstall the Sophos Endpoint, windows acts as it should and logging off is possible.

I have seen the memory issues with regards to V1903 but not this.   Has this been reported and is it an issues with anyone else?

I have created a ticket.

Thanks again,

Mark

  • I've not seen or heard of this issue.  Do you see the issue if you turn off realtime scanning for example?

    Which components do you have installed?  SAV and IntercepX?

    Typically with these issues the approach is either elimination of components/through policy changes or stopping/unloading services/drivers.  This can narrow it down to perhaps offer a workaround/acceptable exclusion, etc..

    Or

    Setup the computer to create a full mem dump on keyboard combination as per:
    https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard

    From the dump it is then possible to analyze what the Sophos components are doing and if they are the cause of the hang.  It's easier for Support/Dev with symbols but it's possible to get a rough idea which components/files/processes are involved.


    Regards,
    Jak

  • Hey Mark

    We also have this issue. Testing a new image - windows 10 1903

    As soon as Sophos is installed we get black screen at sign out. Hard boot is the only way out.

    However, it also looks like it happens when Citrix VDA is installed on the same machine.

    Are you using Citrix also? Just curious.

    Thanks

    Marni

  • In reply to scrivies scrivies:

    We are also having this issue with logging off/switching user with Sophos and Windows 10 1903.

    We're not using Citrix though.

    As soon as we remove Sophos you can log off without any problems.

    Anyone heard anymore about it?

  • In reply to jak:

    experiencing exact similar issues. will raise ticket with Sophos

  • In reply to prakash racharla:

    I'm sure they will want a complete or probably better (to reduce file size) an Active memory dump initiated with the keyboard during the hang as per my previous comment.


    Regards,

    Jak

  • In reply to jak:

    Has anyone tried the following:

    Global exclusions:
    https://cloud.sophos.com/manage/config/settings/scanning-exclusions

    Add Exclusion of type "Exploit Mitigation (Windows)"

    Click "Application not listed?"

    Add in
    $system32\fontdrvhost.exe

    and choose to not protect this application as per below:


    Does this help?

    It would be worth checking that the version of HMPA installed has a build number (last 4 figures) is 1045 or later for this to work.  This can be seen in Sophos Endpoint Self Help and in Central under the "Installed component versions" expandable link per device.

    Regards,
    Jak

  • Yes.

    Just got it fix via support.

    Add "Exploit Mitigation" c:\windows\system32\fontdrvhost.exe  exception

    install hotfix Current Hotfix Version: 3.7.13.1337   https://community.sophos.com/kb/en-us/133140

    the issue is fixed with these 2 steps.   Support said they are working to fix it so no exclusion is needed.

    Good luck!

    Marni