After enabling LSA Protection mode (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL=1) on Windows 2012 R2 domain controller - dcagent.dll stop working. No events from this dc in "view logon events" button on Collector, no record for this domain controller on "show monitored DCs" button, empty dcagent log (enable_log=1 in HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent)
In Microsoft-Windows-CodeIntegrity/Operational event log - events CodeIntegrity 3033:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\dcagent.dll that did not meet the Microsoft signing level requirements.
My dcagent.dll verison is 5.0.271
Maybe newer version of dcagent.dll can work with LSA Protection mode?
Or if any dcagent.dll is incompatible with LSA Protection mode - add this to documentation?
When Windows Local Security Authority (LSA) Protection is enabled, Windows blocks all 3rd party plugins, including Authlogics Domain Controller Agent, from accessing the Local Security Authority. This Windows feature was designed predominantly for desktop OS's to prevent malware from stealing password hashes, however, the feature is also available on Windows Server.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.