After installing Client for Open Enterprise Server, Windows July 2016 and later releases may show errors and will not logon successfully

  • 7017720
  • 14-Jun-2016
  • 31-Aug-2017

Environment

Client for Open Enterprise Server 2 SP4 (IR3)
Windows 10 Anniversary Update (Build 14393, July 2016, Redstone 1, RS1)
Windows 10 Enterprise 2016 LTSB (Build 14393, July 2016, Redstone 1, RS1, Long Term Servicing Branch)
UEFI Secure Boot enabled (Unified Extensible Firmware Interface)

Situation

Shortly after installation of the Client for Open Enterprise Server 2 SP4 (IR3) has successfully completed, Windows may present the following error:

Program Compatibility Assistant

A digitally signed driver is required
 
Client for OES IOCTL Interface
Micro Focus
 
Windows blocked the installation of a digitally unsigned driver. Uninstall the program or device that uses the driver and check the publisher’s website for a digitally signed version of the driver.
 
The error will also be presented for “XTier COM Services Driver”. 

If you dismiss these errors and reboot Windows, upon restart when you attempt to login to eDirectory using "Network Logon" mode from the Windows welcome screen, the login may show the "busy" animation indefinitely and never logon successfully.

If you instead choose "Computer Only Logon" mode from the Windows welcome screen, the login may still show a delay but can ultimately still successfully logon.  But eDirectory-related servers and services will not be accessible, and attempting to access eDirectory services may result in an error such as:

A required network service has not started. Please check your error log for details.

This behavior can happen on installations of Windows 10 July 2016 (build 14393) and later, where the UEFI Secure Boot feature is enabled.  A related behavior will happen on Windows 10 July 2015 (build 10240), but for a different reason explained in TID 7017838 (https://support.microfocus.com/kb/doc.php?id=7017838).

Resolution

This was resolved in Client for Open Enterprise Server (IR4) and later.  Client for Open Enterprise Server releases are now Microsoft-signed, instead of only Micro Focus-signed.

Cause

In the Windows 10 July 2016 release (also known as "the Anniversary Update", or "1607", "Redstone 1", "RS1", "Build 14393"), on machines where the UEFI Secure Boot mode is enabled, Microsoft will only allow Microsoft-signed kernel-mode drivers to be loaded.  There are, however, multiple exceptions to this behavior as described by Microsoft (https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/), including:

- Machines upgrading from a previous release of Windows will still permit non-Microsoft-signed drivers.

- Machines which do not have the UEFI Secure Boot feature enabled will still permit non-Microsoft-signed drivers.

- Drivers signed with a non-Microsoft certificate issued prior to July 29, 2015 will still be permitted to load.

Because of these exceptions, the experience from a Client for Open Enterprise Server perspective & previous Novell Client for Windows perspective can be described as:

- Windows 10 July 2016 machines without UEFI Secure Boot enabled are not affected, and can successfully install and run any Client for Open Enterprise Server or Novell Client release.

- Windows 10 July 2016 machines with UEFI Secure Boot enabled that were upgraded to the July 2016 release from a previous release of Windows 10 are not affected, and can successfully install and run any Client for Open Enterprise Server or Novell Client release.

- On new clean installations of Windows 10 July 2016 on machines with UEFI Secure Boot enabled, Novell Client 2 SP4 (IR2) and earlier will still install and run successfully, because they were signed with a certificate issued prior to July 29, 2015.  Note that only Novell Client 2 SP4 (IR2) or Novell Client 2 SP4 (IR1) are the first releases actually supported and recommended for use on Windows 10.

- On new clean installations of Windows 10 July 2016 on machines with UEFI Secure Boot enabled, Client for Open Enterprise Server 2 SP4 (IR3) will not be allowed to load by Windows 10 July 2016, because the drivers are not Microsoft-signed.  Furthermore the drivers are signed with a Micro Focus certificate issued in August 2015, which is after the July 29, 2015 cut-off date.

As such, the only solution going forward for new non-upgrade Windows 10 July 2016 and later installations where UEFI Secure Boot is enabled will be to have Microsoft-signed drivers for future Client for Open Enterprise Server SP4 (IR4) and later releases.

Additional Information

Previous to  Client for Open Enterprise Server (IR4), customers intending to install Client for Open Enterprise Server on Windows 10 with UEFI Secure Boot enabled needed to be aware of the intentional change by Microsoft in the July 2016 and later releases, and implement one of the following workarounds:

- Do not enable UEFI Secure Boot unless required.

- Ensure Windows 10 machines are upgraded to the Windows 10 July 2016 release, instead of performing clean installations of the Windows 10 July 2016 release.

- As a temporary measure, use the Novell Client 2 SP4 (IR2) release on any Windows 10 July 2016 machines which cannot employ either of the previous two workarounds, or do not already inherently already qualify as being in one of the workaround configurations.

See also TID 7017838.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.