I believe I may have discovered an issue relating to Windows 10 and the Sophos endpoint agent. I upgraded to Windows 10 yesterday and checked device manager to find that my DVD-RW was not functioning properly. If I uninstall the device, rescan for hardware changes and let it automatically reinstall, it functions properly again. Upon rebooting, the DVD-RW stops functioning again until I repeat the aforementioned steps. I have noticed that after rebooting, a second driver is added for the DVD-RW from Sophos: sdcfilter.sys. Presumably this is needed for the endpoint agent to perform device control functions such as blocking writable drivers which we do utilize in our environment. I'm not positive this is causing the issue, but that evidence suggests that. I am going to report this to Sophos support in hopes that it might be a bug that could be corrected in the upcoming 10.6 release for all those early adopters but I thought I'd post it on the forums as well in case anyone had a similar experience. I've attached two screenshots to support my post.
Hi, If you get it back into the working state as you have done previously by essentially removing the sdcfilter (lower filter), then find the inf file for the sdcfilter driver in the AutoUpdate cache, e.g.: C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\ClassFilterDrivers\wnet_amd64\ Right click on the sdcfilter.inf file and choose install. Does the lower filter appear as listed and the device functional? I wonder if a fresh install vs an in-place upgrade causes this? Regards, Jak
I have the same problem on Lenovo L540/T540p notebooks. After installing UTM Endpoint Protection everything works fine. After some reboots (I can't specify that) the DVD drive is not visible in Windows Explorer.
The device manager shows:
Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. To fix this problem you should uninstall and then reinstall the hardware device. (Code 19)
But there are no lower or upper filters in the registry. Is there a solution for that?
Sophos Endpoint Protection 11.0.8 UTM
In reply to MikeJantzer:
For computers where the CD-ROM device isn't functioning, I wonder if the sdcfilter service is not present on the computer but referenced as a lowerfilter on the device which leads to the issue?
If anyone has this problem, I would be interested to know:
1. If the computer was an upgrade to Windows 10 or a fresh install?
2. If an upgrade, was the computer upgraded from Win 7, Win 8, Win 8.1?
3. If the computer has the service sdcfilter? As a test to see if the service is present, in a command prompt run:
sc query sdcfilter
Note: The driver file sdcfilter.sys, should reside under: \windows\system32\drivers\
If you look in Device Manager at the CDROM device, in the broken state it will have a warning triangle. Looking at the properties of the CD-ROM and then clicking on the "Driver" tab and clicking the "Driver Details" tab should show at least the path to cdrom.sys and sdcfilter.sys when device control is installed. If the file is referenced, but the service isn't present this will lead to the issue. Right clicking on the appropriate .inf file for sdcfilter and choosing install would add the service back so that might explain why the suggested fix works.
Thanks for the feedback.
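The check described in the post above (a filter driver referenced on the CD-ROM device while its service is absent), as an added PowerShell example that is not part of the original thread or Sophos's own tooling. It assumes the filter is registered as a class filter under the standard Windows CD-ROM class key, and that each filter's binary is named `<filter>.sys` under `System32\drivers`, as the thread states for sdcfilter.sys.

```powershell
# Added example: report CD-ROM class filter drivers whose service key or
# driver file is missing (the state the thread links to Code 19).
# Standard Windows device class GUID for CD-ROM drives.
$classKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driversDir   = Join-Path $env:windir 'System32\drivers'

$class = Get-ItemProperty -Path $classKey -ErrorAction Stop

$results = foreach ($kind in 'UpperFilters', 'LowerFilters') {
    # The value is absent when no filters of that kind are registered.
    $names = @($class.$kind | Where-Object { $_ })
    foreach ($name in $names) {
        # Assumption: the driver binary is <name>.sys in the drivers directory.
        $sysPath = Join-Path $driversDir "$name.sys"
        [pscustomobject]@{
            Filter            = $name
            Kind              = $kind
            ServicePresent    = Test-Path -Path (Join-Path $servicesRoot $name)
            DriverFilePresent = Test-Path -Path $sysPath
        }
    }
}

$results | Format-Table -AutoSize

# A filter that is referenced but has no service or no binary is the broken state.
$broken = @($results | Where-Object { -not $_.ServicePresent -or -not $_.DriverFilePresent })
if ($broken.Count -gt 0) {
    Write-Warning ("Referenced but not installed: " + ($broken.Filter -join ', '))
    exit 1
}
exit 0
```

The non-zero exit code lets a management tool flag affected machines after a feature update, so the sdcfilter.inf reinstall is only pushed where it is needed.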
In reply to jak:
Same problem here. Just clean installed latest downloadable Windows 10 Insider Preview build (14373 if I recall correctly) (after which I did have at some point the DVD-drive working without a problem). Installed Endpoint software from Sophos UTM and after that upgraded to latest Windows 10 Insider Preview build (14393). At this point I discovered the DVD-drive missing and with exclamation mark in device manager. I'm not sure if just before this latest upgrade the DVD-drive was present as this was not something I was then looking for.
Turned out the sdcfilter service was not present. So I installed the sdcfilter.inf from the location mentioned above and restarted. Then my DVD-drive was functional again. So this is a confirmation that I needed to manually (re)install sdcfilter service.
In reply to apijnappels:
Interesting... I've been looking through some logs related to the upgrade. Do you see something similar in the file: \windows\inf\setupapi.upgrade.log:
It seems that the sdcfilter service was not migrated by Windows. The same goes for the GearAspiWDM service which I believe belongs to or is part of the iTunes install.
I don't recall being warned following the upgrade that the "migration" wasn't 100% successful. That said, given the exit code seems to be 0x00000000, that would suggest success?
Same here after Update from 1511 to 1607 today.
The fix "reinstall sdcfilter" is working for me too.
In reply to UThomas:
What a mess, Sophos.
Same problem after Update Windows 10 Pro from 1607 to 1703
I am running Sophos Cloud at a corporate size business.
We recently released the WSUS 1703 Feature Update out to our Windows 10 1607 PCs and they all failed the migration of the DVD drive and any locally attached printers.
After much moaning at Microsoft for yet another failure in their Updates process, I was advised that Sophos had caused this issue before and I was directed here. After reading this post, I uninstalled Sophos Cloud Endpoint Agent from one of the failed PCs and restarted. The DVD drive appeared immediately.
So, Sophos Endpoint Agent is stopping the migration of specific drivers during the update process from 1607 -> 1703. In a business our size, uninstalling Sophos from every PC before enabling a WSUS update is not a very practical solution. Can anyone advise of a more sensible or practical solution that I should be looking at? I see this happened with the 1511 -> 1607 feature update as well (although I didn't experience that upgrade path), so what was the most practical solution after that?
If anyone could offer a practical solution to fixing 300+ PCs, I would be grateful.
In reply to Barry Smith:
Look at Jak's solution.
C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\ClassFilterDrivers\wnet_amd64\
Right click on the sdcfilter.inf file and choose install.
I just discovered that we had this issue after migrating a lab of Dell AiOs to 1607.
The upgrade was done months ago but the issue just became apparent yesterday when someone attempted to use the optical drive.
We've also found in our testing that the upgrade to 1703 causes the issue to recur.
Thanks everyone for sharing findings/solutions etc.
In reply to Ryan Manly:
I have discovered a workaround, which worked for our very desperate users.
Uninstall Sophos > restart PC > let the upgrade complete and the DVD drive should appear and be usable > reinstall Sophos > restart.
Not really a practical solution, but it might solve the problem for a small site.
I currently have a support call open with Sophos, who are talking with Microsoft, to find a better solution for a large site, such as mine.
If I get a solution, I will make sure I update this post.
I'm going to try just reinstalling the driver via SCCM. I'll let you know how that goes.