Centrify Agent for Windows version 3.3.0 and earlier, on Windows Server 2012 R2 and Windows 8.1, with LSA protected mode enabled

Problem:
After the initial reboot of the system following installation of Centrify Agent for Windows (dzwin) on Windows 8.1 or Windows Server 2012 R2, the server boots only to a black screen.

Cause:
This issue exists on Windows 8.1 or Windows Server 2012 R2 where Local Security Authority (LSA) protection has been enabled.
LSA protection is only available on Windows 8.1 and Windows Server 2012 R2.
In LSA protection mode, Microsoft requires all LSA plugins to be signed with an EV certificate.
Centrify is currently not signing with an EV certificate; therefore, Windows does not load the Centrify LSA plugins, which causes the black screen on boot.

Workaround:
To get the machine to boot correctly again, edit the registry to turn off LSA protected mode.

Steps to disable LSA protection:
1. Press F8 at boot screen.
2. Select "Repair Your Computer"
3. Select "Troubleshoot"
4. Select "Command Prompt"
5. Pick Administrator as the user and provide the Administrator password
6. When the command prompt comes up, type 'Regedit' to start regedit, and then select the HKLM (HKEY_LOCAL_MACHINE) node.
7. Go to "File" and choose "Load Hive"
   Note: If the wrong node is chosen, the "Load Hive" menu will be disabled.
8. The default location will be in X: or similar. Choose the file c:\windows\system32\config\SYSTEM. This is the local system registry hive.
9. Name the hive "C_HKLM" or something similar.
10. The newly loaded hive can be found under HKEY_LOCAL_MACHINE
11. Go to the registry key that is located at: HKEY_LOCAL_MACHINE\C_HKLM\ControlSet001\Control\Lsa
    a) Delete the following value from the registry key: "RunAsPPL"=dword:00000001
12. Restart the system

Upgrade to version 2016.1 (3.3.1) or later of the Centrify Agent for Windows.
After upgrading to the 2016.1 or later Centrify Agent for Windows, LSA protection can be re-enabled.

Note:
Microsoft article on how to enable, disable, and verify if LSA protected mode is enabled:
https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx
(link provided as courtesy)
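
A check to run after upgrading the agent and re-enabling LSA protection, as an added example that is not from Centrify or from the Microsoft article: it reads RunAsPPL, looks for the Wininit event that records LSASS starting as a protected process, and lists Code Integrity events for LSA plug-ins that were blocked or flagged. The event IDs used (12; 3033, 3063, 3065, 3066) are the ones Microsoft documents for LSA protection; the variable names are illustrative.

```powershell
# Added example: verify LSA protection state on a booted Windows 8.1 / Server 2012 R2 system.
# Run from an elevated PowerShell prompt.

# 1. Is LSA protection configured? (the same value the workaround deletes)
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($runAsPpl -eq 1) {
    Write-Output 'RunAsPPL = 1: LSA protection is configured.'
} else {
    Write-Output 'RunAsPPL is absent or not 1: LSA protection is NOT configured.'
}

# 2. Did LSASS actually start protected? Wininit logs event 12 in the System log
#    ("LSASS.exe was started as a protected process with level: 4").
$started = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($started) {
    # Compare the timestamp with the last boot to confirm it is from this boot.
    Write-Output ("Latest Wininit event 12 at {0}: {1}" -f $started.TimeCreated, $started.Message)
} else {
    Write-Output 'No Wininit event 12 found: LSASS has not been recorded starting as a protected process.'
}

# 3. Which LSA plug-ins or drivers failed the signing requirements?
#    3033 / 3063: load blocked while protection is enforced.
#    3065 / 3066: would be blocked (logged only when LSA audit mode is on).
$blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3033, 3063, 3065, 3066
} -MaxEvents 20 -ErrorAction SilentlyContinue

if ($blocked) {
    $blocked | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Output 'No Code Integrity events for blocked or flagged LSA plug-ins.'
}
```

If step 3 still lists Centrify modules after the upgrade, leave LSA protection off until they no longer appear, otherwise the black-screen boot described above can recur.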