Filestream RsFx Driver fails to load after installing SQL Server 2016 with CU2 on Windows Server 2016 with SecureBoot ON
Starting Windows 10 version 1607 (Redstone 1) and Windows Server 2016, there is a new enforcement for kernel drivers, requiring that all kernel drivers must be signed by Windows Hardware Developer Center Dashboard portal (Dev Portal) as documented by Windows hardware certification blog. It means that Windows will not load the kernel drivers that were not signed by Windows Hardware Developer Center starting Windows 10 version 1607 (Redstone 1) and Windows Server 2016.
The SQL16 RTM version of the Filestream RsFx driver is signed by Windows Hardware Developer Center Center Dashboard portal which allows installation of SQL 2016 RTM to succeed on Windows Server 2016 and Windows 10, but the latest servicing release of SQL 2016 viz SQL 2016 RTM CU2 of RsFx driver is signed by the certificate not issued by sysdev portal which leads to the Filestream RsFx driver blocked and failing to load during installation of SQL 2016 + CU2 when the following conditions are met:
- Fresh installation of Windows Server 2016/ Windows 10 (build 1607 or higher)
- Secure Boot is On
- SQL 2016 RTM + CU2 is installed
Note: Hyper-V Gen2-type VMs has SecureBoot enabled by default hence the users are more likely to hit this issue when installing SQL 2016 + CU2 on Windows Server 2016/Windows 10 on Gen2 Hyper-V VM. However, the issue can occur on physical servers as well if SecureBoot is turned ON.
The following table summarizes the end result when trying to install SQL 2016 on Windows Server 2016 or Windows 10 (version 1607 and above) with SecureBoot turned ON,
Depending on the feature selection during installation in SQL 2016 + CU2 setup on Windows Server 2016 or Windows 10 (version 1607 and above), you can see following error or warning message
- If the Filestream feature is enabled as part of installation , it will cause Database Engine component of SQL Server setup to fail with a dialog box as shown in Figure 1 below.
- If the Filestream feature is not checked or selected as part of installation (this is the default setting for setup), it will raise a Warning message pop-up dialog at the end of installation as shown in Figure 2 below. This is because even though the Filestream feature is not selected as part of installation, RsFx driver is installed as part of installation to support enabling Filestream post-installation using SQL Configuration Manager. In this case, Filestream feature will fail to enable when tried post-installation using SQL Configuration Manager.
Figure 1: SQL 2016 + CU2 Setup error when Filestream is installed as part of setup installation
Figure 2: SQL 2016 + CU2 Setup error when Filestream is not installed as part of setup installation.
TheSQL Product team is aware of the issue and is working on getting RsFx driver signed by Windows Hardware Developer Center Dashboard portal (Dev Portal) in the future release of SQL Server. In the interim, we have following recommendation for the users
- If Filestream/Filetable feature is not in use for your environment, this issue doesn’t impact your environment except for pop-up at the end of the installation which may be ignored in this scenario.
- If Filestream/Filetable feature is in use for your environment and if you plan to install SQL 2016 RTM + CU2 on Windows Server 2016, you may wish to temporarily disable SecureBoot to workaround the issue until the upcoming servicing release containing the code signed RsFx driver is out.
- If Filestream/Filetable feature is in use for your environment and if you plan to install SQL 2016 on Windows Server 2016 and cannot disable SecureBoot, we recommend installing SQL Server 2016 SP1 which contains the fix for the issue.
The fix for the issue is included in SQL Server 2016 SP1. We highly recommend customers to apply SQL Server 2016 SP1, to avoid the issue.
Parikshit Savjani
Senior Program Manager (@talktosavjani)
Comments
- Anonymous
December 02, 2016
Thanks for addressing the issue, I'm glad that the team has acknowledged the issue.Please make sure to test this against Device Guard requirements!