Credential Guard behaves differently on Win 11
We have configured the MSLSA cache to store Kerberos credentials, which are later used in our code for authentication purposes. If Credential Guard is enabled, our code is not able to fetch credentials from the cache, and this results in the error below.
**Matching credential not found**
FYI, we use the MIT Kerberos library APIs to access the MSLSA cache.
Command to check if Credential Guard is enabled:
```
PS C:\WINDOWS\system32> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
1
```
Everything works if it is disabled:
```
PS C:\WINDOWS\system32> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
0
```
Another observation is that if the setting below is made on a different system, it weirdly works:
```
PS C:\WINDOWS\system32> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
1
2
```
Can someone tell me what is causing this behavior? Are we missing some configuration, or is this another issue? Please note the cache is accessed with the logged-in user.
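
Reading the `SecurityServicesRunning` outputs quoted above, as an added example that is not part of the original post: the property is an array of service IDs, where Microsoft's `Win32_DeviceGuard` documentation lists 1 as Credential Guard and 2 as memory integrity (HVCI), so the "1 2" output means both are running. `Get-DeviceGuardSummary` is a hypothetical helper name, and the sample objects are constructed (their `SecurityServicesConfigured` and `VirtualizationBasedSecurityStatus` values are assumed).

```powershell
# Added example (not from the original post). Get-DeviceGuardSummary is a hypothetical helper.
# Documented Win32_DeviceGuard service IDs; any other ID is reported as unknown.
$ServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$VbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

function Get-DeviceGuardSummary {
    param([Parameter(Mandatory)] $DeviceGuard)

    # Both properties are arrays; a lone 0 means "no services".
    $running    = @($DeviceGuard.SecurityServicesRunning    | Where-Object { $_ -ne 0 })
    $configured = @($DeviceGuard.SecurityServicesConfigured | Where-Object { $_ -ne 0 })
    # CIM returns UInt32 values, so cast to [int] before the hashtable lookup.
    $name = { param($id) if ($ServiceNames.ContainsKey([int]$id)) { $ServiceNames[[int]$id] } else { "Unknown ($id)" } }

    [pscustomobject]@{
        VbsState               = $VbsStates[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning = $running -contains 1
        Running                = ($running | ForEach-Object { & $name $_ }) -join ', '
        # Services set by policy that did not start (e.g. missing hardware support).
        ConfiguredNotRunning   = ($configured | Where-Object { $running -notcontains $_ } |
                                  ForEach-Object { & $name $_ }) -join ', '
    }
}

# Constructed samples mirroring the three outputs in the question; the
# Configured and VBS status values are assumed for illustration.
$samples = @(
    [pscustomobject]@{ SecurityServicesRunning = @(1);    SecurityServicesConfigured = @(1);    VirtualizationBasedSecurityStatus = 2 }
    [pscustomobject]@{ SecurityServicesRunning = @(0);    SecurityServicesConfigured = @(0);    VirtualizationBasedSecurityStatus = 0 }
    [pscustomobject]@{ SecurityServicesRunning = @(1, 2); SecurityServicesConfigured = @(1, 2); VirtualizationBasedSecurityStatus = 2 }
)
foreach ($sample in $samples) { Get-DeviceGuardSummary -DeviceGuard $sample }

# On a live Windows host, pass the real CIM instance instead:
# Get-DeviceGuardSummary (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard)
```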