lsass.exe, failed with status code c0000417 on DISA STIG'd Server Resulting from "EnPasFltV2" Password Filter

If you're promoting a Windows Server 2012/2012 R2 server that already has DISA Security Technical Implementation Guide (STIG) mitigations applied to a domain controller, you will very likely hit an error that forces the server to reboot automatically.

If you see "A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000417" in your System log, it has been my experience that the password filter required by STIG ID: WN12-GE-000009 (Rule ID: SV-52104r1_rule, Vuln ID: V-1131) is the cause.

Crucial Step: To successfully provision a pre-STIG'd image as a domain controller, this password filter must be temporarily disabled.

To Disable the Password Filter:

  1. Open the Registry Editor (regedit.exe).
  2. Navigate to: HKLM\System\CurrentControlSet\Control\LSA
  3. Locate the Notification Packages value.
  4. Remove EnPasFltV2x86 and/or EnPasFltV2x64 from the list.
  5. Restart the server.
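The same steps as a script (an added example, not code from the original post or from DISA): it first checks the System log for the exact LSASS message quoted above, then backs up the REG_MULTI_SZ "Notification Packages" value before dropping only the EnPasFltV2 entries, so the STIG-required filter can be put back once promotion has completed. Assumes an elevated PowerShell 4 session on Server 2012 R2; the function names and backup path are this example's own choices.

```powershell
# Added example (not from the original post): find the LSASS failure symptom,
# then remove EnPasFltV2 entries from the LSA "Notification Packages" value
# after saving a copy. Assumes an elevated session. Function names are this
# example's own, not an existing module's.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'Notification Packages'

function Test-LsassFilterCrash {
    # Match the message text quoted in the post rather than relying on an event ID.
    Get-WinEvent -FilterHashtable @{ LogName = 'System' } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe, failed with status code c0000417' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-LsaNotificationPackages {
    # REG_MULTI_SZ is returned as a string array; force the type for a single entry too.
    [string[]](Get-ItemProperty -Path $LsaKey -Name $ValueName).$ValueName
}

function Disable-EnPasFltV2 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$BackupPath = "$env:TEMP\NotificationPackages.backup.json")

    $current = Get-LsaNotificationPackages
    # Keep a copy so the control can be restored after the DC promotion succeeds.
    $current | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8

    # Drop both EnPasFltV2x86 and EnPasFltV2x64; keep everything else (e.g. scecli).
    $remaining = @($current | Where-Object { $_ -notlike 'EnPasFltV2*' })

    if ($remaining.Count -eq $current.Count) {
        Write-Warning "No EnPasFltV2 entries found in '$ValueName'; nothing changed."
        return
    }
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", 'Remove EnPasFltV2 entries')) {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $remaining -Type MultiString
        Write-Host "Removed EnPasFltV2 entries. Backup at $BackupPath. Reboot to apply."
    }
}

function Restore-EnPasFltV2 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$BackupPath = "$env:TEMP\NotificationPackages.backup.json")

    # ConvertFrom-Json yields a scalar for a one-entry list, so cast back to an array.
    $saved = [string[]](Get-Content -Path $BackupPath -Raw | ConvertFrom-Json)
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", 'Restore saved notification packages')) {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $saved -Type MultiString
        Write-Host "Restored '$ValueName' from $BackupPath. Reboot to apply."
    }
}

# Typical flow around a promotion:
Test-LsassFilterCrash | Format-List     # confirm the symptom is present
Get-LsaNotificationPackages             # see what is currently loaded into LSASS
Disable-EnPasFltV2 -WhatIf              # preview the registry change
# Disable-EnPasFltV2                    # apply, reboot, then promote the server
# Restore-EnPasFltV2                    # after promotion, put the STIG filter back and reboot
```

Run the disable step with -WhatIf first so you can see the value being touched, and keep the backup file until the filter has been restored and the server has rebooted cleanly with it loaded again.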

On a related note, very little documentation is available about the compatibility of "EnPasFltV2" with Windows Server 2012 R2. Do not assume that this password filter module is stable or compatible just because it is a STIG requirement. Using it alongside other tools, such as Microsoft LAPS, has been known to cause similar LSASS termination loops.

Reference: For more on password filter development and LSA notification packages, see the Microsoft Developer Documentation.