Windows In-Place Upgrade may remove ZENworks Network Providers - Automated Repair
ISSUE: During Windows in-place Upgrades, the upgrade process will remove all 3rd party credential providers and mangers, perform the upgrade, and then restore those providers, MOST of the time. However, when one is managing 1,000s or 10,000s of devices, MOST of the time can still result in a large amount of time spending fixing the issues.
Microsoft details the issue with their upgrades here: Network provider settings are removed during an in-place upgrade to Windows 10
Unfortunately, the MS document vastly understates the areas in which the Windows registry may be corrupted by the upgrade process and the steps required to restore 3rd party credential providers to full functionality.
To mitigate the issues created by these failures of the Windows 10 in-place Upgrade process, I have created a ZCM bundle that will both automatically detect the issue as well as repair the issue. However, since "Cool Solutions" are not officially supported, it is important that prior to using this solution, one:
- Understands what the bundle does...
- Understands why the bundle does what it does...
- Sufficiently tests the bundle in one's environment prior to any attempt to widely deploy the bundle.
Understanding where the OS In-place Upgrade may Impact 3rd party Network Providers
- The ZENworks Network Providers potentially impacted:
- ZenCredManager (Used by the core agent to authenticate to the "User Source".)
- LCredMgr (Used by the core agent to authenticate to the "User Source".)
- PBACREDMAN (Used for password capture if FDE is enabled with PBA Support.)
- ZENworks Network Providers - Potential registry configuration loss under "Services"
- Potential Registry issues under HKLM\Software\Microsoft\Windows NT\CurrentVersion
- Potential Registry issues under HKLM\Software\Microsoft\Windows\CurrentVersion
- ...\CurrentVersion\Authentication\Credential Provider Filters
- ...\CurrentVersion\Authentication\Credential Providers
- Potential Registry issues under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider
- Note: Restoration handled by VBS script, since the data here may be machine specific.
- Potential DLL Registration Issues.
- The upgrade process may result in DLL registration loss.
The bundle "ZCRED_LCRED_PBA_REGFIX_32_and_64_Bit" has seven Launch Actions which will be described below. Both the bundle as a whole as well as the individual actions have SYSTEM REQUIREMENTS configured so that it will only run when there are missing or incorrect settings that the bundle needs to address. Hence it will not have any impact upon any devices that do not need updating.
Action#1 - This restores fixed location registry values for LCredMgr. The settings are the same for both 32-bit and 64-bit machines, since the install path for CASA does not vary.
Action#2 - LCREDMGR.dll registration calls are made.
Action#3 - Restores the fixed registry values for ZENCredManager for 32-bit systems.
Action#4 - Restores fixed registry values for ZENCredManager for 64-bit systems.
Action#5 - Restores Fixed PBACREDMAN settings for systems that have ZCM FDE configured.
Action#6 - This is the most complex of all of the actions. This is a script action that updates two registry values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
Each value contains a comma separated list of installed credential providers and managers. The script will detect if the correspond provider DLLs are installed on the system and add them to the list if they are missing from the list. The ZCM Agent installer will add ZenCredManager and LCredMgr as the first two listed managers in that order and the script will do the same. The ZCM Agent installer will also place PBACREDMAN at the end which the script also does. If these entries already exist, even if listed in a different order, the script will take no action.
Note: Windows manages the following key based upon the above values so the script does not:
Action#7 - Automatic Reboot Sign-On (ARSO) is a feature enabled in Windows 10 1709 or later, which causes all Credential Providers (Both Microsoft and 3rd Party) to be bypassed upon reboot. Upon reboot it will restart the previously logged on user's Windows session and lock the screen without calling any of the Network Providers. At this point, entering credentials simply "Unlocks" the running session versus actually logging into Windows. This feature needs to be disabled to ensure a true Window Logon Screen is presented to users to Logon to both Microsoft and Non-Microsoft Credential providers upon system restarts. The final action in the script makes sure that ARSO is disabled.
(Note: The Bundle assumes that Window is installed to C:\Windows. If Windows is installed to a different Drive or Folder, most actions will be skipped and may not resolve the registry corruption. However, there should not be a further negative impact upon the system due to Action Level system requirements preventing most actions from running.
IMPORTANT: "Tips and Tricks" are neither officially tested nor supported by Micro Focus. Always test in your own environments.