Credential Provider Conflict Prevents Password Policies from Displaying

Symptom

When Thales SafeNet MFA and the Netwrix Password Policy Enforcer (PPE) Client are both installed on the same system:

The PPE Client does not display password policies.
Thales SafeNet MFA may not function correctly.

Cause

The Thales SafeNet agent installs a credential provider under HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\AuthGINA (CRYPTOCard is the legacy Thales subsidiary whose agent manages this key). By default, the agent blocks all other credential providers to prevent MFA bypass. The DoNotFilter registry value acts as an allowlist — only credential providers whose GUIDs are listed there are permitted to load alongside the Thales SafeNet provider.

Resolution

Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\AuthGINA.
Add the PPE Client GUID to the DoNotFilter registry value to allow the PPE Client to load alongside the Thales SafeNet credential provider:

{F347212E-AF6B-4726-92B3-E4DF3388D58C}

NOTE: For more information on these registry settings, see Registry Settings ⸱ Thales 🡥.

Reboot, then press CTRL+ALT+DEL and select Change Password to verify that password policies now appear for the end user.

Symptom​

Cause​

Resolution​

Symptom

Cause

Resolution