Environment
Novell ZENworks 11 Configuration Management Installation -
Agent
ZCM 11.0 - Cumulative Agent Patch 1
ZENworks Endpoint Security Module version 11.0.0.442
Microsoft Windows XP Professional Windows XP Professional Support Pack 2
Microsoft Windows XP Professional Windows XP Professional Support Pack 3
HP notebook models like HP EliteBook 6930p or 2530p with HP Mobile Data Protection Sensor enabled
ZCM 11.0 - Cumulative Agent Patch 1
ZENworks Endpoint Security Module version 11.0.0.442
Microsoft Windows XP Professional Windows XP Professional Support Pack 2
Microsoft Windows XP Professional Windows XP Professional Support Pack 3
HP notebook models like HP EliteBook 6930p or 2530p with HP Mobile Data Protection Sensor enabled
Situation
Windows XP crashes with a bad_pool_header bluescreen
after installing ZCM agent.
ZCM agent install or removal removes HP Disk Filter driver configuration
ZCM agent install or removal removes HP Disk Filter driver configuration
Resolution
This is fixed in version 11.1 - see KB 7008746 "ZENworks Configuration Management 11.1 - update information and list of fixes" which can be found at https://www.novell.com/support
Workaround: if it is not possible to upgrade to ZCM 11.1 at this time, in the interim, Novell has made a Patch available for testing, in the form of a Field Test File (FTF): it can be obtained at https://download.novell.com/Download?buildid=p22rPbrZtlk~ as part of "ZCM 11.0 - Cumulative Agent Patch 2a". This Patch should only be applied if the symptoms above are being experienced, and are causing problems.
This Patch has had limited testing, and should not be used in a production system without first being checked in a test environment. Some Patches have specific requirements for deployment, it is very important to follow any instructions in the readme at the download site. Please report any problems encountered when using this Patch, by using the feedback link on this TID.
This fix avoids the issue when containing the CAP2a ZCM agent updates into a new pre-agent packages and doing a new install of the ZCM Agent.
The bluescreen is still likely to occur when updating an older ZCM 11.0 agent version to CAP2a. To avoid the bluescreen scenario in an ZCM agent update scenario, ensure that the following registry value exists before installing the ZCM agent:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
LowerFilters (REG_MULTI_SZ)="hpdskflt"
It may be necessary to remove the HP software completely and re-add it after the ZCM agent is updated, or disable the ZCM agent self-defense since the ZCM agent self-defense can undo such a manual registry change before the ZCM agent update actually goes through.
For 11.3:
There have been some issues noted in 11.3.x code where if/when the system is restarting an invalid registry key is written out for the service entry for ZESDAC.
Bring up in registry:
HKLM\\System\\CurrentControlSet\\Services\ZESDAC
Confirm whether the "Start" DWORD is usually missing.
If this is the case, then the filter driver needs to be manually removed from the 4 devices stacks it's attached to.
There are 4 registry keys that need to be cleaned up in this case.
The one key affects the BSOD, but the other keys affect the functionality of the floppy disk drive, USB drives, and CDROM/DVD.
So for each of the registry keys below, open up the multistring regValue key and REMOVE "zesdac" from the list. This issue will be addressed in the 11.3.2.x releases of ZEN.
regKey = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E 967-E325-11CE-BFC1-08002BE10318}";//DISK DRIVE
regValue = "LowerFilters";
regKey = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E 980-E325-11CE-BFC1-08002BE10318}";//FLOPPY DRIVE
regValue = "UpperFilters";
regKey = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E 965-E325-11CE-BFC1-08002BE10318}";//CDROM
regValue = "LowerFilters";
regKey = "SYSTEM\\CurrentControlSet\\Control\\Class\\{36FC9 E60-C465-11CF-8056-444553540000}";//USB
regValue = "LowerFilters";
Workaround: if it is not possible to upgrade to ZCM 11.1 at this time, in the interim, Novell has made a Patch available for testing, in the form of a Field Test File (FTF): it can be obtained at https://download.novell.com/Download?buildid=p22rPbrZtlk~ as part of "ZCM 11.0 - Cumulative Agent Patch 2a". This Patch should only be applied if the symptoms above are being experienced, and are causing problems.
This Patch has had limited testing, and should not be used in a production system without first being checked in a test environment. Some Patches have specific requirements for deployment, it is very important to follow any instructions in the readme at the download site. Please report any problems encountered when using this Patch, by using the feedback link on this TID.
This fix avoids the issue when containing the CAP2a ZCM agent updates into a new pre-agent packages and doing a new install of the ZCM Agent.
The bluescreen is still likely to occur when updating an older ZCM 11.0 agent version to CAP2a. To avoid the bluescreen scenario in an ZCM agent update scenario, ensure that the following registry value exists before installing the ZCM agent:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
LowerFilters (REG_MULTI_SZ)="hpdskflt"
It may be necessary to remove the HP software completely and re-add it after the ZCM agent is updated, or disable the ZCM agent self-defense since the ZCM agent self-defense can undo such a manual registry change before the ZCM agent update actually goes through.
Additional Information
This Windows crash issue appears if this HP disk filter driver is
installed but above hpsdkflt registry
value was missing before the last Windows startup. In such a case
the HP disk filter driver should get re-added automatically. It has
been observed that the LowerFilters key is then
getting corrupted, causing this bluescreen. Depending on the ZCM
agent EndPoint Security module version, it will keep removing any
other disk filter driver in this registry key after the ZCM agent is installed or will clean this registry key from any value on ZCM agent
removal.
If the LowerFilters value should only get extended with the zesdac value or only thezesdac value should get removed on agent uninstall to avoid this bluescreen issue. This has been fixed with Endpoint Security module version 11.0.0.448.
Please note that uninstalling the ZCM agent with the Endpoint Security module version 11.0.0.442 (as shipping with the ZCM 11 cumulative agent patch 1) or lower removes this LowerFilters value completely.
The original shipping version of the ZESM module version 11.0.0.427 does not allow any other disk filter driver to be listed in that registry key so with this version this bluescreen issue does not occur but the HP disk filter driver is not effective.
The ZCM agent contained hard disk filter driver is required to secure sensitive information on the hard disk.
The HP Mobile Data Protection Sensor is used by the HP 3D DriveGuard software to protect the hard disk from failures.
Please note that even if the ZCM Endpoint Security Management feature is not licensed or enabled at all, the Endpoint Security Management component is still installed with the ZCM agent since the agent can not function without it.
If the LowerFilters value should only get extended with the zesdac value or only thezesdac value should get removed on agent uninstall to avoid this bluescreen issue. This has been fixed with Endpoint Security module version 11.0.0.448.
Please note that uninstalling the ZCM agent with the Endpoint Security module version 11.0.0.442 (as shipping with the ZCM 11 cumulative agent patch 1) or lower removes this LowerFilters value completely.
The original shipping version of the ZESM module version 11.0.0.427 does not allow any other disk filter driver to be listed in that registry key so with this version this bluescreen issue does not occur but the HP disk filter driver is not effective.
The ZCM agent contained hard disk filter driver is required to secure sensitive information on the hard disk.
The HP Mobile Data Protection Sensor is used by the HP 3D DriveGuard software to protect the hard disk from failures.
Please note that even if the ZCM Endpoint Security Management feature is not licensed or enabled at all, the Endpoint Security Management component is still installed with the ZCM agent since the agent can not function without it.