Environment
Privileged Account Manager 3.6
Privileged Account Manager 3.5
Privileged Account Manager 3.5
Situation
Windows Server with secure boot enabled fails to load rexec module (nvlaudry.sys)
Rexec package status is offline and fails to start or load.
Session audits are not being captured.
Agent's unifid.log reports the following:
Error, init_audit line: 1842 rv=720006:The handle is invalid.
Error, NPUM driver is not initialized. Try restarting NPUM service or system restart.
Debug, Init rexec initAudit (110ms)
Debug, Init rexec (125ms)
Error, Failed to load module rexec: Unknown error
Error, NPUM driver is not initialized. Try restarting NPUM service or system restart.
Debug, Init rexec initAudit (110ms)
Debug, Init rexec (125ms)
Error, Failed to load module rexec: Unknown error
Windows event logs report the following:
Error "Windows cannot verify the digital signature for this file."
Resolution
A public fix has been made available in the release of PAM 3.7.0 or greater:
See "Privileged Sessions Are Not Audited When Secure Boot is Enabled" from the Release Notes.
Alternatively, as a workaround, please consider Disabling Secure Boot.
Cause
nvlaudrv.sys PAM driver needs to be signed by Microsoft in Secure Boot mode.