Affected versions: Windows Server 2016


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

After enabling Credential Guard on Windows Server 2016, legacy authentication, single sign-on tools, and some VPN clients fail because they depend on Kerberos unconstrained delegation or on WDigest plaintext credentials, neither of which is available once the LSA secrets are isolated.

Environment & Reproduction

Reproducible on hosts where Virtualization-Based Security is enabled with credential isolation.

# Windows Defender Device Guard WMI class: reports VBS state and which security services are configured/running
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# Boot configuration of the current OS entry (look for hypervisorlaunchtype); quote the braces when running from PowerShell
bcdedit /enum '{current}'

Root Cause Analysis

Credential Guard moves the LSA secrets into an isolated process that only the hypervisor protects, so anything that needs the raw credential on the host stops working: WDigest plaintext credentials, NTLMv1, Kerberos unconstrained delegation, and CredSSP credential delegation are all blocked.

Quick Triage

Check current VBS/Credential Guard status.

# SecurityServicesRunning / SecurityServicesConfigured contain 1 when Credential Guard is running / configured (2 = HVCI)
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object SecurityServicesRunning, SecurityServicesConfigured
# LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags
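The two triage commands return raw numbers. The following function, added here as an example and not part of the original article, runs the same queries and decodes the values (meanings from Microsoft's documentation of the Win32_DeviceGuard class and the LsaCfgFlags registry value) into one status object, including the "configured but not running" case that usually means a pending reboot or a missing hardware prerequisite.

```powershell
# Added example: decode Credential Guard / VBS status on the local host.
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    $dg  = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue

    # SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI
    $cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
    $cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    if ($null -eq $lsa) {
        $lsaText = 'Not set'
    } else {
        $lsaText = switch ([int]$lsa.LsaCfgFlags) {
            0       { 'Disabled' }
            1       { 'Enabled (UEFI lock)' }
            2       { 'Enabled (no UEFI lock)' }
            default { "Unknown ($_)" }
        }
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VBSStatus                 = $vbs
        CredentialGuardRunning    = $cgRunning
        CredentialGuardConfigured = $cgConfigured
        LsaCfgFlags               = $lsaText
        # Configured but not running: reboot pending, or UEFI/Secure Boot/virtualization prerequisite missing
        PendingOrBlocked          = ($cgConfigured -and -not $cgRunning)
    }
}

Get-CredentialGuardStatus | Format-List
```

Run it as an administrator on the affected host; `PendingOrBlocked = True` tells you the policy was applied but the hypervisor never started, which is a different problem from the application compatibility failure this article covers.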

Step-by-Step Diagnosis

Identify the offending feature in the application using auth logs and process traces.

# Recent successful (4624) and failed (4625) logons; the EventData carries the authentication package and NTLM version used
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624 or EventID=4625]]" -MaxEvents 30
# Code Integrity events surface HVCI/driver blocks that can accompany a VBS rollout
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 20
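Thirty raw events are hard to read. The script below is an added example, not from the original article: it pulls the same 4624/4625 events, reads the EventData fields by name (AuthenticationPackageName, LmPackageName, Status, SubStatus, ProcessName are standard fields of these events), and flags the combinations Credential Guard is known to block so the offending process stands out.

```powershell
# Added example: summarise logon events by authentication package and flag legacy packages.
function Get-LogonAuthPackageSummary {
    param([int]$MaxEvents = 500)

    $events = Get-WinEvent -LogName Security `
        -FilterXPath "*[System[EventID=4624 or EventID=4625]]" `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData by field name from the event XML rather than by positional index
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $authPackage = $data['AuthenticationPackageName']
        $lmPackage   = $data['LmPackageName']   # 'NTLM V1' / 'NTLM V2' for NTLM logons, '-' for Kerberos

        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventID     = $e.Id
            User        = $data['TargetUserName']
            LogonType   = $data['LogonType']
            AuthPackage = $authPackage
            LmPackage   = $lmPackage
            Status      = $data['Status']        # 4625 only, e.g. 0xC000006D
            SubStatus   = $data['SubStatus']
            Process     = $data['ProcessName']
            # WDigest and NTLMv1 are blocked by Credential Guard; these rows point at the offending client
            Legacy      = ($authPackage -eq 'WDigest' -or $lmPackage -eq 'NTLM V1')
        }
    }
}

$summary = Get-LogonAuthPackageSummary

# Which packages are in use, and how often each one fails
$summary | Group-Object EventID, AuthPackage, LmPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The rows that need a fix, with the process that produced them
$summary | Where-Object Legacy |
    Format-Table Time, EventID, User, LogonType, AuthPackage, LmPackage, Process -AutoSize
```

Correlate the `Process` column of the flagged rows with the application's own logs; a service that still shows `WDigest` or `NTLM V1` here is the one to reconfigure in the next section.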

Solution – Primary Fix

Reconfigure the app to use modern auth or Kerberos constrained delegation.


# Resource-based constrained delegation is configured on the back-end resource (SQL01) and lists the front-end (APP01) allowed to delegate to it
Set-ADComputer SQL01 -PrincipalsAllowedToDelegateToAccount (Get-ADComputer APP01)
# On APP01: drop cached tickets and restart the web service so the new delegation settings are picked up
klist purge
Restart-Service IISADMIN
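A complete version of this fix, added here as an example and not the article's own code, clears unconstrained delegation on the front end (the setting Credential Guard actually blocks), configures resource-based constrained delegation on the back end, and re-reads both objects to confirm the change. The server names APP01 and SQL01 come from the article; the function name and parameters are assumptions.

```powershell
# Added example: migrate an APP01 -> SQL01 pair from unconstrained to resource-based constrained delegation.
Import-Module ActiveDirectory

function Set-AppConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$FrontEnd,   # app server that impersonates users (APP01)
        [Parameter(Mandatory)][string]$BackEnd     # resource it reaches on their behalf (SQL01)
    )

    $fe = Get-ADComputer $FrontEnd -Properties TrustedForDelegation
    $be = Get-ADComputer $BackEnd  -Properties PrincipalsAllowedToDelegateToAccount

    # Unconstrained delegation (TRUSTED_FOR_DELEGATION) is what stops working under Credential Guard
    if ($fe.TrustedForDelegation) {
        Set-ADComputer $fe -TrustedForDelegation $false
    }

    # RBCD lives on the resource: SQL01 lists the principals allowed to delegate to it
    Set-ADComputer $be -PrincipalsAllowedToDelegateToAccount $fe

    # Re-read both objects and report the verified state
    $fe = Get-ADComputer $FrontEnd -Properties TrustedForDelegation
    $be = Get-ADComputer $BackEnd  -Properties PrincipalsAllowedToDelegateToAccount
    $allowed = @($be.PrincipalsAllowedToDelegateToAccount | ForEach-Object { $_.DistinguishedName })

    [pscustomobject]@{
        FrontEnd              = $FrontEnd
        BackEnd               = $BackEnd
        FrontEndUnconstrained = [bool]$fe.TrustedForDelegation          # should now be False
        BackEndAllowsFrontEnd = ($allowed -contains $fe.DistinguishedName)  # should now be True
    }
}

Set-AppConstrainedDelegation -FrontEnd APP01 -BackEnd SQL01 | Format-List

# Then, on APP01, as in the article:
#   klist purge
#   Restart-Service IISADMIN
```

Run it from a workstation with the RSAT ActiveDirectory module as an account that can write to both computer objects; `FrontEndUnconstrained = False` and `BackEndAllowsFrontEnd = True` together are the state the Verification section expects.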

Solution – Alternative Approaches

Temporarily disable Credential Guard while the app vendor updates support.

# LsaCfgFlags 0 = Credential Guard disabled. If it was enabled with UEFI lock (LsaCfgFlags 1), this alone is not enough: the UEFI variable must also be cleared, for example with Microsoft's Device Guard and Credential Guard hardware readiness tool
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 0 /f
# Turns off the hypervisor entirely, which also disables Hyper-V and HVCI on this host; skip this line if the server is a Hyper-V host
bcdedit /set hypervisorlaunchtype off
Restart-Computer

Verification & Acceptance Criteria

Application authenticates successfully and Credential Guard status remains as required.

# SecurityServicesRunning should still contain 1 (Credential Guard) when the intended end state is "enabled"
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# Lists logon sessions; then run klist in the application's session to confirm it holds Kerberos tickets
klist sessions
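An acceptance check that can be run unattended after the change, added here as an example and not taken from the article: it fails unless Credential Guard is in the required state and the application accepts an integrated-authentication request. The application URL is a placeholder; the function name and parameters are assumptions.

```powershell
# Added example: acceptance test for "app authenticates AND Credential Guard state is as required".
function Test-CredentialGuardAcceptance {
    param(
        # Placeholder: an endpoint of the application that requires Windows authentication
        [string]$AppUrl = 'https://app01.corp.example/health',
        # $true when Credential Guard must stay on; $false during a temporary disable
        [bool]$ExpectCredentialGuard = $true
    )

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $cgRunning = [bool]($dg.SecurityServicesRunning -contains 1)   # 1 = Credential Guard

    # Integrated Windows auth request as the current user; 401 means the app still cannot authenticate
    $appOk = $false
    $appError = $null
    try {
        $resp  = Invoke-WebRequest -Uri $AppUrl -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $appOk = ($resp.StatusCode -eq 200)
    } catch {
        $appError = $_.Exception.Message
    }

    # klist prints one "Server:" line per cached Kerberos ticket in this session
    $tickets = @(klist 2>$null | Select-String '^\s*Server:').Count

    [pscustomobject]@{
        CredentialGuardRunning = $cgRunning
        CredentialGuardAsRequired = ($cgRunning -eq $ExpectCredentialGuard)
        AppAuthenticated       = $appOk
        AppError               = $appError
        KerberosTickets        = $tickets
        Pass                   = ($cgRunning -eq $ExpectCredentialGuard) -and $appOk
    }
}

$result = Test-CredentialGuardAcceptance
$result | Format-List
if (-not $result.Pass) { exit 1 }   # non-zero exit so a scheduled job or pipeline records the failure
```

Run it in the context of a user who should be able to reach the application; `AppAuthenticated = False` with `KerberosTickets = 0` points at a ticket or SPN problem rather than at Credential Guard itself.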

Rollback Plan

Once the application is fixed, re-enable Credential Guard, either through Group Policy or with the settings below.

# LsaCfgFlags 1 = enabled with UEFI lock (use 2 for enabled without lock, which is easier to undo later)
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 1 /f
# Restore the hypervisor at boot, then reboot for the change to take effect
bcdedit /set hypervisorlaunchtype auto

Prevention & Hardening

Pilot Credential Guard on a small set, document compatibility, and migrate apps off wdigest/CredSSP.

Get-WinEvent -LogName 'Microsoft-Windows-DeviceGuard/Operational' -MaxEvents 20
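To document compatibility before a wider rollout, the following script is an added example (not part of the original article) that inventories what the pilot will break: AD accounts still using unconstrained delegation, accounts already on constrained or resource-based delegation, and each pilot host's WDigest `UseLogonCredential` setting. The host names are placeholders and the function name is an assumption.

```powershell
# Added example: compatibility inventory for a Credential Guard pilot.
Import-Module ActiveDirectory

function Get-CredentialGuardCompatReport {
    param([string[]]$PilotHosts = @('APP01', 'APP02'))   # placeholders: the pilot servers

    # 1. Accounts with unconstrained delegation (userAccountControl bit TRUSTED_FOR_DELEGATION = 0x80000).
    #    Domain controllers legitimately carry this flag, so exclude them.
    $unconstrained = Get-ADObject -LDAPFilter '(&(|(objectClass=computer)(objectClass=user))(userAccountControl:1.2.840.113556.1.4.803:=524288))' |
        Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
        Select-Object Name, ObjectClass, DistinguishedName

    # 2. Accounts already on classic constrained delegation or RBCD (compatible with Credential Guard)
    $constrained = Get-ADObject -LDAPFilter '(|(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))' |
        Select-Object Name, ObjectClass, DistinguishedName

    # 3. Per host: is WDigest configured to keep plaintext credentials in memory?
    $wdigest = Invoke-Command -ComputerName $PilotHosts -ErrorAction SilentlyContinue -ScriptBlock {
        $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                              -Name UseLogonCredential -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host               = $env:COMPUTERNAME
            # Not set means the Server 2016 default (0 = off); 1 means WDigest caching is explicitly on
            UseLogonCredential = if ($null -eq $v) { 'not set (default 0)' } else { $v.UseLogonCredential }
        }
    }

    [pscustomobject]@{
        UnconstrainedDelegation = @($unconstrained)
        ConstrainedOrRBCD       = @($constrained)
        WDigestPerHost          = @($wdigest | Select-Object Host, UseLogonCredential)
    }
}

$report = Get-CredentialGuardCompatReport
"Unconstrained delegation (will break under Credential Guard):"
$report.UnconstrainedDelegation | Format-Table -AutoSize
"Constrained / RBCD (compatible):"
$report.ConstrainedOrRBCD | Format-Table -AutoSize
"WDigest setting per pilot host:"
$report.WDigestPerHost | Format-Table -AutoSize
```

Every entry in the first table is an application or service account to migrate (as in the Primary Fix) before Credential Guard reaches the host it runs on; a `UseLogonCredential = 1` host has a dependency on WDigest that the pilot will expose.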

Related Errors & Cross-Refs

Linked to LSASS protection, RDP CredSSP issues, and LSA protection rollouts.


References & Further Reading

Microsoft Learn: Credential Guard requirements, VBS, and app compatibility guidance.
