lsass.exe, failed with status code c0000417 on DISA STIG'd Server Resulting from "EnPasFltV2" Password Filter

If you are working with a Windows Server 2012/2012 R2 server that has had DISA Security Technical Implementation Guide (STIG) mitigations applied and you attempt to promote that server to a domain controller, you will very likely hit an error that forces the server to reboot automatically. If the System log shows "A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000417.", it has been my experience that the password filter required by STIG ID: WN12-GE-000009 Rule ID: SV-52104r1_rule Vuln ID: V-1131 is the cause. Password filters are DLLs loaded into the LSA process at startup, so a filter that misbehaves during promotion takes lsass.exe down with it, and Windows reboots whenever lsass.exe dies (NTSTATUS 0xC0000417 is STATUS_INVALID_CRUNTIME_PARAMETER, an invalid argument passed to the C runtime). To promote a pre-STIG'd image to a domain controller, this password filter must be disabled first.

To disable the password filter:

  • Remove the "EnPasFltV2x86" and/or "EnPasFltV2x64" entries from the "Notification Packages" value (REG_MULTI_SZ) under the "HKLM\System\CurrentControlSet\Control\LSA" registry key, leaving the other entries (for example "scecli") in place. LSA reads this value only at startup, so reboot before retrying the promotion.
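The following PowerShell is an added example, not part of the original post: it confirms the lsass.exe failure in the System log, backs up the Lsa key, strips only the EnPasFltV2 entries from "Notification Packages" and writes the remaining entries back. The backup path C:\Temp is an assumption; run it in an elevated session.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell session
# and that C:\Temp exists for the registry backup.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'Notification Packages'

# 1. Confirm the symptom: the critical-process failure for lsass.exe with c0000417.
$crashEvents = Get-WinEvent -LogName System -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*lsass.exe*c0000417*' }
if ($crashEvents) {
    "Found $($crashEvents.Count) lsass.exe c0000417 event(s); most recent: $($crashEvents[0].TimeCreated)"
} else {
    "No lsass.exe c0000417 events in the System log (filter may still be loaded; continuing)."
}

# 2. Read the current REG_MULTI_SZ value. @() keeps a single entry as an array.
$current = @((Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName)
"Before: $($current -join ', ')"

# 3. Back up the whole Lsa key before changing anything (assumed path).
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' 'C:\Temp\Lsa-backup.reg' /y | Out-Null

# 4. Drop only the EnPasFltV2 entries (matches both EnPasFltV2x86 and EnPasFltV2x64)
#    and keep every other notification package, e.g. scecli, untouched.
$filtered = @($current | Where-Object { $_ -notlike 'EnPasFltV2*' })

if ($filtered.Count -eq $current.Count) {
    "No EnPasFltV2 entries present; nothing changed."
} else {
    Set-ItemProperty -Path $lsaKey -Name $valueName -Value $filtered -Type MultiString
    "After:  $($filtered -join ', ')"
    "Reboot required: LSA loads notification packages only at startup."
}
```

After the reboot, re-run the DC promotion. Note that the STIG finding for this rule is open again until a filter known to work on the promoted server is put back, so record the deviation.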

On a related note, very little documentation is available about the compatibility of "EnPasFltV2" with Windows Server 2012/2012 R2. I would recommend that you do not assume this password filter module is compatible just because the STIG suggests its use. Microsoft's documentation of the password filter interface: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721766(v=vs.85).aspx