Windows Defender Credential Guard: Known issues

Applies to

  • Windows 10
  • Windows Server 2016

Windows Defender Credential Guard has certain application requirements. It blocks specific authentication capabilities, so applications that require those capabilities will not function when it is enabled. For further information, see Application requirements.

The following known issue has been fixed in the Cumulative Security Update for November 2017:

  • Scheduled tasks with stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
    "Task Scheduler failed to log on ‘\Test’ .
    Failure occurred in ‘LogonUserExEx’ .
    User Action: Ensure the credentials for the task are correctly specified.
    Additional Data: Error Value: 2147943726. 2147943726 : ERROR_LOGON_FAILURE (The user name or password is incorrect)."
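
As an added example (not from the original page), the PowerShell below triages Task Scheduler messages for the Event ID 104 signature quoted above and decodes the error value into its HRESULT fields. The function names, the sample messages, and the log channel and WMI class named in the comments are assumptions, not taken from the page.

```powershell
# Added example: function names are hypothetical, sample input is constructed.
$KnownErrorValue = [uint32]2147943726   # error value quoted in the Event ID 104 message

function ConvertFrom-HResult {
    param([Parameter(Mandatory)][uint32]$Value)
    # HRESULT layout: bit 31 = failure flag, bits 16-26 = facility, bits 0-15 = code.
    [pscustomobject]@{
        Hex       = '0x{0:X8}' -f $Value
        Failed    = ($Value -shr 31) -eq 1
        Facility  = ($Value -shr 16) -band 0x7FF   # facility 7 is FACILITY_WIN32
        Win32Code = $Value -band 0xFFFF            # Win32 error 1326 is ERROR_LOGON_FAILURE
    }
}

function Find-TaskLogonFailure {
    param([Parameter(Mandatory)][string[]]$Message)
    foreach ($text in $Message) {
        # Task path: starts with a backslash and runs to the closing quote (straight or curly).
        $task = if ($text -match 'failed to log on\s+[\p{Pi}''"]?(?<task>\\[^\p{Pi}\p{Pf}''"]+)') { $Matches.task.Trim() }
        if ($text -notmatch 'Error Value:\s*(?<err>\d+)') { continue }
        $err = [uint32]0
        if (-not [uint32]::TryParse($Matches.err, [ref]$err)) { continue }  # skip out-of-range values
        $h = ConvertFrom-HResult -Value $err
        [pscustomobject]@{
            Task              = $task
            ErrorValue        = $err
            Hex               = $h.Hex
            Facility          = $h.Facility
            Win32Code         = $h.Win32Code
            MatchesKnownIssue = ($err -eq $KnownErrorValue)
        }
    }
}

# Constructed samples in the shape of the message quoted above. On a live host, pass the
# Message property of Event ID 104 records instead, for example from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 104 }
# and check whether Credential Guard is running with
#   (Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard).SecurityServicesRunning -contains 1
$m1 = "Task Scheduler failed to log on '\Test'. Failure occurred in 'LogonUserExEx'. Additional Data: Error Value: 2147943726."
$m2 = "Task Scheduler failed to log on '\Backup\Nightly'. Failure occurred in 'LogonUserExEx'. Additional Data: Error Value: 2147943712."

Find-TaskLogonFailure -Message $m1, $m2 | Format-Table -AutoSize
```

A task that matches the signature on a machine with Credential Guard running and without the November 2017 cumulative update fits this known issue; the same error on a patched machine points to a genuinely wrong stored credential.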

The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:

Known issues involving third-party applications

The following issue affects the Java GSS API. See the following Oracle bug database article:

When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information, see Application requirements.

The following issue affects Cisco AnyConnect Secure Mobility Client:

*Registration required to access this article.

The following issue affects McAfee Application and Change Control (MACC):

The following issue affects AppSense Environment Manager. For further information, see the following Knowledge Base article:

The following issue affects Citrix applications:

  • Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1]

[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:

For further technical information on LSAISO.exe, see the MSDN article: Isolated User Mode (IUM) Processes

** Registration is required to access this article.

Vendor support

See the following article on Citrix support for Secure Boot:

Windows Defender Credential Guard is not supported by the following products, product versions, computer systems, or Windows 10 versions: