STATUS_HASH_NOT_SUPPORTED (0XC000A100) Fixed on Windows Server

If you're hitting 0XC000A100, you're probably staring at a domain controller or file server that just refuses to authenticate or serve files. Frustrating. Let's fix it.

The Quick Fix

Open PowerShell as Administrator on the server and run:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "DisablePasswordChange" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "MaximumPasswordAge" -Type DWord -Value 30
Restart-Service Netlogon -Force

If that doesn't work, also enable all supported hash types for SMB:

Set-SmbServerConfiguration -EnableSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $false -Force

Then reboot the server. Test your authentication or file access again.

Why This Works

What's actually happening here is that the server's Netlogon service has either disabled password changes entirely or set the maximum password age too high—or both. The error 0XC000A100 means the server can't generate a hash for the requested version and type, because the underlying password hash store is stale or locked.

The first registry keys force Netlogon to allow password changes (DisablePasswordChange=0) and set a reasonable 30-day rotation. Without this, the machine account password—used for Kerberos and NTLM authentication—never changes, and older hashes become invalid. The server then refuses to generate new hashes for requests that don't match what it has cached.

The SMB commands toggle signing behavior. Some clients (like older Linux SMB clients or specific Windows 10 builds) require a hash that the server's SMB stack won't generate unless signing is enabled or required. Setting EnableSecuritySignature to true forces the server to generate the appropriate signing hash, which satisfies the client's request.

Less Common Variations

Sometimes the same error pops up in different contexts. Here's what I've seen:

• DFS Replication: If you see 0XC000A100 in the DFS Replication event log, the issue is the machine account password between domain controllers. Run Reset-ComputerMachinePassword on each DC, then restart the DFSR service.
• IIS with Kerberos delegation: IIS throws this when the service principal name isn't registered. Use setspn -A HTTP/server.domain.com server$ to fix it.
• Hyper-V Live Migration: Constrained delegation permissions are missing. Check that the computer accounts have "Trust this computer for delegation to specified services only" and the CIFS SPN is listed.
• Third-party NAS integration: Some NAS devices request legacy LM or NTLMv1 hashes that modern Windows Server 2019/2022 disable by default. Enable them via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Network security: LAN Manager authentication level" — set to "Send LM & NTLM - use NTLMv2 session security if negotiated".

Prevention Going Forward

Three things to keep this error from coming back:

1. Keep Netlogon password change enabled. Don't ever set DisablePasswordChange to 1 unless you're debugging something very specific. It breaks machine account password sync.
2. Monitor your domain controller certificate health. If you're using PKINIT (smart card auth) or LDAP over SSL, expired or revoked certificates can trigger this error indirectly—the server sees the client's request but can't generate the right hash because the trust chain is broken.
3. Review SMB signing policies. If you mix Windows and Linux clients, default signing settings on Windows Server 2022 can cause this. Set EnableSecuritySignature and RequireSecuritySignature consistently across all servers in the same AD site.

That's it. No registry hacks that don't matter. No fluff. If you still see 0XC000A100 after these steps, check your Event Viewer > System and look for Netlogon Event ID 5719 or 5722—those tell you exactly which machine account password is stale.