Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-5938: Windows boots to black screen after installing Centrify Agent for Windows

Centrify DirectControl ,  

12 May,17 at 06:13 PM

Applies to:

Centrify Agent for Windows version 3.3.0 and earlier, on Windows Server 2012 R2 and Windows 8.1, with LSA protected mode enabled


Problem:

After the initial reboot of system after installing Centrify Agent for Windows (dzwin) on Windows 8.1 or Windows server 2012 R2, the server will only boot up to a black screen.


Cause:

This issue exists on Windows 8.1 or Windows Server 2012 R2 where Local Security Authority (LSA) protection has been enabled.
LSA protection is only available on Windows 8.1 and Windows Server 2012 R2.
In LSA protection mode, Microsoft requires all LSA plugins to be signed with EV certificate. 
Centrify currently is not signing with the EV certificate, therefore, the Centrify LSA plugins are not being loaded by Microsoft Windows. 
Thus causing the black screen on boot.


Workaround:

To get the machine to boot correctly again, the registry can be edited to turn off the LSA protected mode.

Steps to disable LSA protection:
1. Press F8 at boot screen.
2. Select "Repair Your Computer"
3. Select "Troubleshoot"
4. Select "Command Prompt"
5. Pick Administrator as the user and provide the Administrator password
6. When cmd prompt comes up, type 'Regedit' to start regedit, and then select the HKLM (HKEY_LOCAL_MACHINE) node.
7. Go to "File" and choose "Load Hive"
   Note: If the wrong node is chosen, the "Load Hive" menu will be disabled.
8. The default location will be in X: or similar.  Choose the file c:\windows\system32\config\SYSTEM. This is local system registry hive.
9. Name the hive "C_HKLM" or something similar.
10. The newly loaded hive can be found under HKEY_LOCAL_MACHINE
11. Go to the registry key that is located at: HKEY_LOCAL_MACHINE\C_HKLM\ControlSet001\Control\Lsa
 
    a) Delete the following value from the registry key: "RunAsPPL"=dword:00000001

12. Restart the system
 

Resolution:

Upgrade to the 2016.1 (3.3.1) and later versions of the Centrify Agent for Windows.

After upgrading to the 2016.1 or later Centrify Agent for Windows, LSA protection can be re-enabled.


Note:

Microsoft article on how to enable, disable, and verify if LSA protected mode is enabled.
https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx (link provided as courtesy)

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.