KB #240119: Encrypted Databases Not Accessible After Reboot but are Accessible After Manually Restarting SQL Server
After a reboot, encrypted databases may be inaccessible and listed as Suspect or Recovery Pending. However, if you then manually start or restart SQL Server, the encrypted databases are accessible. This happens because Windows starts the SQL Server Service before the Encryptionizer Key Management Service (KMS) has fully started. It particularly affects Windows 10 and Server 2016, where Windows Defender slows down the KMS startup.
Several workarounds are shown below:
- Set the SQL Server Service (and any dependent Services) to Delayed Auto-Start
- Make the SQL Server Service dependent on the KMS Service
- Add a KMS Process Exclusion to Windows Defender
- (See notes at the bottom if you are using the script-based Distribution Installer)
Set the SQL Server Service to Delayed Auto-Start
This instructs Windows to delay starting the Service(s) for approximately one minute after reboot. During this time, KMS will be able to fully start before the SQL Server Service starts. You can apply this from the Services Tab or from the Command Line.
To apply solution by the Services Tab
Start the Services tab (or Run Services.msc). Select the SQL Server Service. Change the Service Start type from Automatic to Automatic (Delayed Start).
Note that you must also set Delayed Start for any non-disabled services that depend on the SQL Server Service. For example, the associated SQL Server Agent Service (unless disabled) and the SQL Server Launchpad (SQL Server 2016).
To see the Service(s) that are dependent on the SQL Server Service, click the Dependencies tab. You will see the dependent services, if any, in the lower pane. For example:
Both of these Services (unless Disabled) must also be set to Delayed Start.
To apply solution by Command Line
- Enter a Command Window As Administrator.
- Run the following command:
sc config servicekey start= delayed-auto
For example:
sc config mssqlserver start= delayed-auto
- As in the Services tab example, repeat for any services that are dependent on the SQL Server Service, for example:
sc config SQLSERVERAGENT start= delayed-auto
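The command-line steps above, written as an added PowerShell example (not part of the original KB article or the vendor's tooling): it sets the SQL Server Service and every non-disabled dependent service to delayed start, then confirms the setting from the registry. It assumes the default instance service name MSSQLSERVER; the function names are hypothetical.

```powershell
# Added example: run from an elevated PowerShell prompt.
# Assumption: 'MSSQLSERVER' is the default instance's service name;
# pass -SqlService with the service key of a named instance instead.
param([string]$SqlService = 'MSSQLSERVER')

function Set-DelayedAutoStart {
    param([Parameter(Mandatory)][string]$Name)
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    & sc.exe config $Name start= delayed-auto | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed for $Name (exit code $LASTEXITCODE)"
    }
}

function Test-DelayedAutoStart {
    param([Parameter(Mandatory)][string]$Name)
    # Start = 2 (Automatic) together with DelayedAutostart = 1
    # is how Windows records Automatic (Delayed Start).
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $svc = Get-ItemProperty -Path $key
    return ($svc.Start -eq 2 -and $svc.DelayedAutostart -eq 1)
}

# The SQL Server service plus the services that depend on it,
# skipping any dependent service that is Disabled.
$sql = Get-Service -Name $SqlService -ErrorAction Stop
$dependents = @($sql.DependentServices | Where-Object { $_.StartType -ne 'Disabled' })
$targets = @($sql) + $dependents

foreach ($svc in $targets) {
    Set-DelayedAutoStart -Name $svc.Name
    # One row per service so the change can be reviewed or logged.
    [pscustomobject]@{
        Service          = $svc.Name
        DisplayName      = $svc.DisplayName
        DelayedAutoStart = Test-DelayedAutoStart -Name $svc.Name
    }
}
```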
Make the SQL Server Service dependent on the KMS Service
Add a KMS Process Exclusion to Windows Defender
Add a Process Exclusion to Windows Defender for the KMS Service Executable, typically:
C:\Program Files (x86)\NetLib\SECSQL\NLCBTASK.EXE
You can add the exclusion from Control Panel->Windows Defender->Settings->Exclusions->Add Exclusions->Processes.
Alternatively, use Notepad to create a text file, for example, c:\temp\exclusion.reg. Add the following text to the file, specifying the full path to the NLCBTASK executable. For example:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes]
"c:\\Program Files (x86)\\NetLib\\SECSQL\\nlcbtask.exe"=dword:00000000
Note the double backslashes \\ in the path. These are required for the file to import properly into the Registry. Then import the REG file using RegEdit, or import it from a command line with this procedure:
- Start a Command Window As Administrator.
- Run this command line, specifying the full path to the REG file you created:
REG IMPORT c:\temp\exclusion.reg
Lastly, if you are using the Encryptionizer Script Based Distribution Installer
You can specify Delayed Start or Dependency for the SQL Server Service in the INI file by using the delay= or depend= value. For example:
;install.ini
[install]
dir=%programfiles%\netlib\secsql
email@example.com
reboot=yes
secure=secure.xml
[mssqlserver]
api=true
; set SQL service and any dependent services to delayed start
delay=true
; alternatively, make SQL Server service dependent on the KMS Service
depend=true
Last modified: 10/6/2017