The Windows Security log event ID 4797, with the description "An attempt was made to query the existence of a blank password for an account." and target account name WDAGUtilityAccount, is related to Windows Defender Application Guard. It was found while digging through event logs because of a separate issue.
An attempt was made to query the existence of a blank password for an account.

Subject:
    Security ID: LOCAL SERVICE
    Account Name: LOCAL SERVICE
    Account Domain: NT AUTHORITY
    Logon ID: 0x3e5

Additional Information:
    Caller Workstation: visualblindfx
    Target Account Name: WDAGUtilityAccount
    Target Account Domain: visualblindfx
The following was found here: https://blogs.technet.microsoft.com/drew/2017/07/15/wdagutilityaccount/
If you see an alert in your log solution for a new local account created for username: WDAGUtilityAccount (Event ID 4720 or 4722).
This account is part of Windows Defender Application Guard, which is included with RS3 (aka Windows 10 Fall Update). The account is disabled; also, WDAG is not enabled. Basically, you have a user enrolled in the Windows 10 Insider Program and their box was updated with a new build that includes the WDAG bits.
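To triage these alerts on a host, the following added example (not from the quoted blog post or from Microsoft) pulls the 4797, 4720 and 4722 events that target WDAGUtilityAccount and then checks the local account's state. It assumes an elevated PowerShell 5.1+ session; the check for RID 504 relies on the well-known relative ID Windows assigns to the built-in WDAGUtilityAccount, which is not stated on this page.

```powershell
# Added example. Run elevated: reading the Security log requires admin rights.
$account  = 'WDAGUtilityAccount'
$eventIds = 4797, 4720, 4722   # blank-password query, account created, account enabled

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $eventIds } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only events whose target is the WDAG account (comparison is case-insensitive).
    if ($data['TargetUserName'] -ne $account) { continue }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Caller      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId     = $data['SubjectLogonId']
        Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
    }
}
$hits | Sort-Object TimeCreated | Format-Table -AutoSize

# Confirm the account matches what the page describes: present but disabled.
$user = Get-LocalUser -Name $account -ErrorAction SilentlyContinue
if ($null -eq $user) {
    Write-Output "$account does not exist on this machine."
} else {
    [pscustomobject]@{
        Name         = $user.Name
        Enabled      = $user.Enabled                 # expected: False
        SID          = $user.SID.Value
        IsBuiltInRid = $user.SID.Value -match '-504$' # assumption: built-in account uses RID 504
    } | Format-List
}
```

An account with this name that is enabled, or whose SID does not end in the built-in RID, does not match the benign case described above and deserves a closer look.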