12 Replies Latest reply on Oct 4, 2017 3:19 AM by phoffmann

    Patching Windows 10 Provisioned in UEFI Mode

    MicahLong Apprentice

      We are running version 2016.3. We are having issues patching Windows 10 with Endpoint Security enabled. We do not have any issues patching when Endpoint Security is disabled. Under Application Control > Preventions by computer, I see logs that say a disallowed file access was detected, and they all point to the EFI partition on the computer. The path is \Device\HarddiskVolume1\EFI\Microsoft\Boot, and it references multiple folders under that directory that are all language packs formatted like xx-XX. Somewhere along the line, the EFI partition becomes full (it starts off with 500mb of space) and Windows updates start reverting. The only way we can get computers to patch is to free up space on the EFI partition by deleting language packs out of the aforementioned directory that are not English, installing an agent with endpoint security disabled, then patching the computer.

       

      Has anyone else run into this before? Any idea of what type of exclusion will need to be set in Endpoint Security in order for this to work properly?

        • 1. Re: Patching Windows 10 Provisioned in UEFI Mode
          phoffmann SupportEmployee

          Yes - I've seen this mentioned before. The guys in question extended the partition in question as pretty much the only solution (even 500 MB these days isn't exactly a lot).

           

          Should be under the OS Provisioning section - not sure if I have time to find the thread, but I'm pretty sure that's where I've seen it & how things were resolved.

           

          Still don't understand why Microsoft default to such a tiny size.

          • 2. Re: Patching Windows 10 Provisioned in UEFI Mode
            MicahLong Apprentice

            I followed the instructions that guy had to get the system partition from 100mb to 500mb, but it seems like it is filling it up no matter how large the system partition is. The error logs I'm seeing in Endpoint and the fact that it works fine without tell me there has to be something related to Endpoint and a setting change is necessary in order for it to work.

            • 3. Re: Patching Windows 10 Provisioned in UEFI Mode
              phoffmann SupportEmployee

              I agree in principle.

               

              May be worth looking at an affected box & see what / where all of that disk space is disappearing into. The information that the disk is full is "interesting" from a symptom point of view, but knowing what things fill up the partition is the first step to finding out WHY they do so.

               

              And neat - great to see you did some digging of your own & found that thread I was thinking about.

               

              Should be a simple enough thing to just dive down after the largest directories and/or use a drive-mapping tool like SpaceMonger (if that's still free?) to help you hunt it down. Once you know what file(s) that is / are responsible for it, we'll be in a much better place to help you out & put this one to bed I think?

              • 4. Re: Patching Windows 10 Provisioned in UEFI Mode
                MicahLong Apprentice

                It is the individual language packs that are filling up. They are filling up with files called bootmgr.efi.mui and memtest.efi.mui. They have different extensions that look like gibberish (ex. - one is {3e0b561e-ca17-4ac0-bbe0-29010709ec08}). Each language folder is filling up to close to 11-12MBs.
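
Added example (not from either poster or the vendor): a PowerShell report of which folders under EFI\Microsoft\Boot hold the space, and how much of it is files whose names end in a brace-wrapped GUID like the one quoted above. It assumes the EFI system partition was mounted from an elevated prompt with `mountvol S: /S`; the drive letter S: and the function name Get-EspBootUsage are arbitrary choices for this example.

```powershell
# Added example. Assumption: the ESP is mounted at S: (elevated prompt):
#   mountvol S: /S      # mount the EFI system partition
#   mountvol S: /D      # unmount it again when finished
function Get-EspBootUsage {
    param(
        [Parameter(Mandatory)]
        [string]$BootPath   # e.g. 'S:\EFI\Microsoft\Boot'
    )

    # Names ending in .{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, i.e. the
    # "gibberish extension" copies of the .mui files described in the thread.
    $guidSuffix = '\.\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$'

    Get-ChildItem -LiteralPath $BootPath -Recurse -File -Force |
        Group-Object -Property DirectoryName |
        ForEach-Object {
            # Split each folder's files into GUID-suffixed copies and the rest.
            $copies    = @($_.Group | Where-Object { $_.Name -match $guidSuffix })
            $allBytes  = [double]($_.Group | Measure-Object -Property Length -Sum).Sum
            $copyBytes = [double]($copies  | Measure-Object -Property Length -Sum).Sum

            [pscustomobject]@{
                Folder       = $_.Name
                Files        = $_.Count
                SizeMB       = [math]::Round($allBytes / 1MB, 2)
                GuidCopies   = $copies.Count
                GuidCopiesMB = [math]::Round($copyBytes / 1MB, 2)
            }
        } |
        Sort-Object -Property SizeMB -Descending
}

# Largest folders first, then the free space left on the partition.
Get-EspBootUsage -BootPath 'S:\EFI\Microsoft\Boot' | Format-Table -AutoSize
'{0:N1} MB free on S:' -f ([System.IO.DriveInfo]::new('S:').AvailableFreeSpace / 1MB)
```

Running it once with Endpoint Security enabled and once with it disabled, after the same set of patches, gives a per-folder comparison to attach to a support ticket.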

                • 5. Re: Patching Windows 10 Provisioned in UEFI Mode
                  phoffmann SupportEmployee

                  ... ohkay ... I'm trying to figure out a way in which EPS would be in any shape or form related to that then as a factor & come up with blanks.

                   

                  Sounds to me like you might try to experiment with increasing the partition to (say) 1 GB and see if that helps?

                   

                  Even if EPS is slowing things down, it doesn't really take up disk-space to such a factor, if the problem seems to be the actual MUI patch-files themselves ...? Maybe a bit of a race condition of sorts (the patches install faster without EPS & get deleted sooner ... so that the build-up is less of an issue perhaps?).

                   

                  Somewhat grasping for straws, but that (the "induced race condition") is about the least terrible idea I can come up with as explanations go based on your descriptions. Even so, the fix would be "increase partition size" ...? Or have a tighter control over how many patches you put down at once? (Again - having difficulties in forming EPS as a factor into this logically ... )

                   

                  I don't see how / why the memory-test files would be different with EPS enabled/disabled (at least - to a factor to be sufficiently large enough to "trip" that 500 MB barrier ... unless you're skirting that 500 MB barrier without EPS and are literally "just beneath it" ?).

                  • 6. Re: Patching Windows 10 Provisioned in UEFI Mode
                    MicahLong Apprentice

                    Okay. I will reimage the machine with a 1GB system partition. I will attempt with endpoint enabled and disabled and report back.

                    • 7. Re: Patching Windows 10 Provisioned in UEFI Mode
                      MicahLong Apprentice

                      Update: after installing patches for Windows 10 1607, the updates installed successfully, but only left 11MBs free of the 1GB system partition. I am going to attempt to install Windows 10 vers. 1703, but I am doubtful it will work with that little space available. The language pack files have doubled in size, and it looks like they are just making copies of the file bootmgfw.efi.mui and bootmgr.efi.mui until it is filling up.

                      • 8. Re: Patching Windows 10 Provisioned in UEFI Mode
                        phoffmann SupportEmployee

                        Well - that at least clears that up - so Windows was "simply" running out of disk space.

                         

                        Is there a "nice and supported" way of clearing that partition out that Microsoft won't get a heart-attack over? It seems daft to have that tiny partition which won't be able to keep up with Microsoft's own patching regime surely ...?

                        • 9. Re: Patching Windows 10 Provisioned in UEFI Mode
                          MicahLong Apprentice

                          Microsoft just says that some security and antivirus solutions could possibly fill up the partition, and they give instructions to map the drive, take control of the files, and delete the unwanted ones.

                           

                          I have reimaged the machine and installed patches without Endpoint. The patches install successfully, and it is only using 20MB of the 1GB system partition. It is currently downloading Windows 10 1703, but I expect that to work as well this time.

                          • 10. Re: Patching Windows 10 Provisioned in UEFI Mode
                            phoffmann SupportEmployee

                            ... I'm still more than mildly confused why / how EPS should be a factor in any of this, considering that it's "just patching" essentially -- and the thing eating up the space is Microsoft patches (not us) ... so that doesn't add up to me.

                             

                            Happy to agree that you're seeing the problem WITH EPS and don't see it WITHOUT EPS ... just can't make head or tails of how / why EPS would be somehow "blocking" the OS from removing the files themselves...

                             

                            Since it seems reliable behaviour, you may want to throw it at support, see if the devs can figure out if it's "our fault" that Microsoft isn't deleting files (or whatever's going on), as Microsoft's patches aren't going to be getting smaller...

                            • 11. Re: Patching Windows 10 Provisioned in UEFI Mode
                              MicahLong Apprentice

                              Yes, we have a ticket open as well. They asked for me to turn on debug mode in endpoint security, replicate the update issues, and then export the logs, which they are reviewing now hopefully.

                              • 12. Re: Patching Windows 10 Provisioned in UEFI Mode
                                phoffmann SupportEmployee

                                All righty.

                                 

                                If it ends up being filed as a defect, please do share the defect # in the thread, in case anyone else sees the issue as well, so they can easily find this & get subbed to that defect if needed.

                                 

                                Thanks!