KB #240119: Encrypted Databases Not Accessible After Reboot but are Accessible After Manually Restarting SQL Server

Type:

Workaround

Summary:

Databases may be inaccessible, listed as Suspect or Recovery Pending, after a reboot. However, if you then manually start/restart SQL Server, the encrypted database(s) are accessible. This is because Windows starts the SQL Server Service before the Encryptionizer Key Management Service (KMS) has fully started. This particularly affects Windows 10 and Server 2016, where Windows Defender slows down the KMS startup time.

Additional Information:

Several workarounds are shown below:

Set the SQL Server Service to Delayed Auto-Start

This instructs Windows to delay starting the Service(s) for approximately one minute after reboot. During this time, KMS is able to fully start before the SQL Server Service starts. You can apply this from the Services Tab or from the Command Line.

To apply solution by the Services Tab

Open the Services tab (or Run Services.msc). Select the SQL Server Service. Change the Service Start type from Automatic to Automatic (Delayed Start).

Note that you must also set Delayed Start for any non-disabled services that depend on the SQL Server Service. For example, the associated SQL Server Agent Service (unless disabled) and the SQL Server Launchpad (SQL Server 2016).

To see the Service(s) that depend on the SQL Server Service, click the Dependencies tab. The dependent services, if any, are listed in the lower pane.

Each of these Services (unless Disabled) must also be set to Delayed Start.

To apply solution by Command Line

  • Open a Command Window As Administrator.
  • Run the following command, where servicekey is the service name: sc config servicekey start= delayed-auto. For example:
    sc config mssqlserver start= delayed-auto

  • As in the Services tab example, repeat for any services that depend on the SQL Server Service, for example:
    sc config SQLSERVERAGENT start= delayed-auto
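As an added example (not part of the NetLib article), the following PowerShell script applies the same sc config change to the SQL Server service and to every enabled service that depends on it, directly or through another dependent, and then verifies the setting in the registry. It assumes the default instance service name MSSQLSERVER and an elevated session; pass -SqlService 'MSSQL$INSTANCENAME' for a named instance.

```powershell
# Added example, not from the NetLib KB article. Sets the SQL Server service and
# every enabled service that depends on it to Automatic (Delayed Start).
# Assumption: default instance name MSSQLSERVER; run as Administrator.
param([string]$SqlService = 'MSSQLSERVER')

# Walk the dependency tree: services that depend on $Name, and services that depend on those.
function Get-DependentServiceNames {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    foreach ($dep in $svc.DependentServices) {
        $dep.Name
        Get-DependentServiceNames -Name $dep.Name
    }
}

$names = (@($SqlService) + @(Get-DependentServiceNames -Name $SqlService)) | Select-Object -Unique

foreach ($name in $names) {
    # The article only changes non-disabled services, so skip Disabled ones.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($cim.StartMode -eq 'Disabled') {
        Write-Host "Skipping $name (Disabled)"
        continue
    }

    # Same command the article gives; sc.exe requires the space after 'start='.
    & sc.exe config $name start= delayed-auto | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc config failed for $name (exit code $LASTEXITCODE)" }

    # Verify: delayed auto-start is stored as DelayedAutostart=1 under the service key.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $delayed = (Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart
    if ($delayed -eq 1) {
        Write-Host "$name -> Automatic (Delayed Start)"
    } else {
        Write-Warning "$name does not show DelayedAutostart=1; check 'sc qc $name'"
    }
}
```

If you instead use the dependency workaround in the next section, note that sc config servicekey depend= replaces the service's entire dependency list, so include any dependencies that sc qc servicekey already shows alongside the KMS service.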

Make the SQL Server Service dependent on the KMS Service

Make the SQL Server Service dependent on the Encryptionizer Key Management Service (KMS).

Add a KMS Process Exclusion to Windows Defender

Add a Process Exclusion to Windows Defender for the KMS Service Executable, typically:
C:\Program Files (x86)\NetLib\SECSQL\NLCBTASK.EXE

You can add the exclusion from Control Panel->Windows Defender->Settings->Exclusions->Add Exclusions>Processes.

Alternatively use Notepad to create a text file, for example, c:\temp\exclusion.reg. Add the following text to the file, specifying the full path to the NLCBTASK executable. For example:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes]
"c:\\Program Files (x86)\\NetLib\\SECSQL\\nlcbtask.exe"=dword:00000000

Note the double backslashes \\ in the path on the last line. These are required for the file to import correctly into the Registry. Then import the REG file using RegEdit, or import it from a command line with this procedure:

  • Open a Command Window As Administrator.
  • Run this command line, specifying the full path to the REG file you created:
    REG IMPORT c:\temp\exclusion.reg

Lastly, if you are using the Encryptionizer Script Based Distribution Installer

You can specify Delayed Start or Dependency for the SQL Server Service in the INI file by using the delay= or depend= Value. For example:

;install.ini
[install]
dir=%programfiles%\netlib\secsql
reg=@reg.txt
reboot=yes
secure=secure.xml
[mssqlserver]
api=true
; set SQL service and any dependent services to delayed start
delay=true
; alternatively, make SQL Server service dependent on the KMS Service
depend=true

Last modified: 10/6/2017