Black screen or repeated preboot authentication prompts seen after a Windows 7 update on UEFI systems

Technical Articles ID: KB92286
Last Modified: 2024-01-06 08:59:26 Etc/GMT

Environment

Drive Encryption (DE) 7.2.9.5 (GA) and 7.2.9.7 (Hotfix 1) and earlier versions.

Microsoft Windows 10 (Unified Extensible Firmware Interface (UEFI) systems)
Microsoft Windows 7 (UEFI systems)

Problem

You observe the following during application of a Windows update on Windows 7 UEFI systems:

If there's a system boot followed by a quick reboot, DE might be interrupted while updating the UEFI bootcode.
This action can result in an incorrect Windows bootloader in the EFI system partition, rendering the system unbootable.

The following error is recorded in the logs when the Service Control Manager is unavailable:

INFO EfiBootcode Upgrading EFI bootcode to 7.2.9.5
EfiBootcode Installing EFI bootcode
EfiBootcode Finalizing bootcode install
INFO EfiBootcode Error upgrading EFI bootcode: [0xEE000007] Error opening the service control manager
ERROR PcSystem Error starting: [0xEE000007] Error opening the service control manager
ERROR MfeEpePcEncryptionProviderPlugin ..\..\..\Src\EpeGenInitHandler.cpp: EPE_gen_init_handler::handle: 279: [0xEE000007] Error opening the service control manager

Cause

As of DE 7.2.9.5, an issue is seen where the UEFI bootcode is upgraded on every service start. The upgrade occurs even if the bootcode doesn't require an upgrade. The issue is documented in the Known Issues article under reference MDE-5028. The solution was delivered in 7.2.9 Hotfix 2 and later. The defect by itself doesn't cause the issue pertaining to this article, but increases the chance of it occurring.

When a Windows Update is applied that requires multiple reboots, a race condition might occur between the DE service that performs a bootcode upgrade and the system shutting down. In this scenario, because the Service Control Manager is unavailable, a DE bootcode upgrade might be rendered unbootable.

On an affected system that's booting, preboot authentication (PBA) appears. After authentication, instead of loading the original Microsoft bootloader, MDE tries to load another copy of itself. But, on systems with SecureBoot enabled, a black screen occurs. On systems with SecureBoot disabled, you might see that PBA appears to ask for authentication again.

Solution 1

On systems that can't boot:

IMPORTANT: Don't deactivate DE because deactivation doesn't resolve the issue. The reason is because a deactivation copies the incorrect version of msboot.efi back to bootmgfw.efi. Then, the systems are unbootable.

Boot into WinPE.
Authorize and authenticate to DETech. This action makes the operating system volume available in Explorer.
In the Explorer session, mount the ESP:

mountvol z: /s
Copy an original version of the Microsoft bootcode to the DE backup location as follows:

copy C:\Windows\Boot\EFI\bootmgfw.efi Z:\EFI\McAfee\Epe\msboot.efi
Unmount the ESP:

mountvol z: /d
Restart the system.

NOTE: In Step 4 above, the example uses the drive letter 'C:'. But, the operating system volume for the system might not necessarily have a drive letter 'C:' assigned to it while you're in the WinPE environment. Make sure that you validate which drive letter is associated with the operating system volume while in the WinPE environment. If needed, substitute the drive letter accordingly. Also, while it's not probable for drive letter Z: to be in use, the steps above use drive letter 'Z:' for the EFI system partition. If drive 'Z:' is in use in your WinPE environment, substitute a different drive letter that's not already in use for Z: in all applicable steps.

The system now boots correctly after successfully authenticating at preboot.

Solution 2

On systems that have not yet rebooted:
Contact Technical Support for assistance.

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.

If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Black screen or repeated preboot authentication prompts seen after a Windows 7 update on UEFI systems

Environment

Problem

Cause

Solution 1

Solution 2

Affected Products

Languages:

Title

Title

Knowledge Center

Black screen or repeated preboot authentication prompts seen after a Windows 7 update on UEFI systems

Environment

Problem

Cause

Solution 1

Solution 2

Affected Products

Languages:

Choose your region

Title

Title