Windows Boot Loops with Sophos Central BitLocker Encryption Management

We began using the Sophos Advanced Endpoint / Intercept X / Sophos Drive Encryption package for ourselves and one of our customers as a trial for the past few months.

Over the last 3 business days, I've had 3 separate Windows 10 Lenovo laptops of my customer enter a "boot loop" where:

  1. The machine boots up
  2. We see the Lenovo splash screen
  3. The blue BitLocker screen comes up
  4. The user enters their BitLocker PIN successfully (this seems to work - if we enter the wrong PIN, we get the expected error message.  If we enter the right PIN or the recovery key, we exit this blue screen like normal)
  5. It seems the Windows booting process fails and goes back to the Lenovo splash screen.  Repeat forever

Lenovo hardware diagnostics of the hard drive come up clean, but we're unable to boot to that local install of Windows in any way, even through various safe modes and recovery modes.  The operating system just seems too damaged to boot.  We were able to browse the files eventually by using the method in this article here for hooking up the hard drive as a secondary drive elsewhere and unlocking it with the recovery key: http://woshub.com/data-recovery-on-a-damaged-hard-disk-encrypted-with-bitlocker/

We also know that in at least 1 of these cases, the machine went through a "hard shutdown" (the user's OS crashed and they had to hold the power button down until the machine powered off) immediately before this issue.  It's possible that the issue that caused the hard shutdown was also the cause of this boot loop issue, or it's possible the hard shutdown itself was what damaged the critical BitLocker section of the drive, or maybe it's something else entirely.

Has anyone else experienced this issue and have any suggestions for getting to the root cause?  Out of ~50 machines for this customer, having 3 of them fail in this exact same way in 3 business days is alarming.  Because the last thing the users see before the boot loop occurs is the BitLocker screen, they immediately assume BitLocker / Sophos Encryption is to blame, and may as a knee-jerk reaction have us remove it entirely from their network.  I'd like to not have that happen, as this would slow down or halt the rollout of Sophos Endpoint across our customer base.

Some other notes:

  • These machines are all Windows 10.  We generally patch ~30 days behind Microsoft's release dates, and there's nothing unique about the patch status of these 3 machines (they patched in the last 2 weeks, but not immediately before the symptoms, and many other machines patched around the same time)
  • They are using an Office suite licensed through Office 365 (which gets its own automatic updates).  At least 2 of the 3 machines were in Outlook at the time of the crash, and Outlook crashing was the reason they had to hard shutdown, but these folks are in Outlook for 80% of their day so it's hard to tell if that's a smoking gun.
