Posting here for everyone else experiencing the same problem, after a long troubleshooting series of events with Microsoft engineers:
This is caused by AppSense querying LSAISO.exe.
So to find out if it is impacting you, there are two qualifiers:
1- looking at process CPU time, LSAISO stays above 25%.
2- AppSense is installed
If you don't have both conditions above, your problem most likely has a different root cause.
Troubleshooting:
- We tried disabling Credential Guard on the test machine to see whether the CPU usage returns to normal on the Citrix machine, and found that once it's disabled, the CPU usage was normal.
Below are the commands which we ran to disable Credential Guard.
- We logged in on the console of the server that has high CPU.
- Open an elevated command prompt and run these commands:
cd %systemroot%\System32
mountvol X: /s
copy .\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
manage-bde -protectors -disable %systemdrive%
REG DELETE HKLM\Software\Policies\Microsoft\Windows\DeviceGuard /v EnableVirtualizationBasedSecurity /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity /f
REG DELETE HKLM\Software\Policies\Microsoft\Windows\DeviceGuard /v LsaCfgFlags /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\Lsa /V LsaCfgFlags /F
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
mountvol X: /d
shutdown -r -t 0
- When prompted we must hit F3 to disable LSAISO and then hit any key to confirm the change
- When prompted we must hit F3 to disable VBS and then hit any key to confirm the change
After disabling, we followed the steps below to make the LSAISO.exe process run in debug mode, to see whether we see the same issue in debug mode or not; however, we found that we didn’t notice the issue.
- Run these commands from an elevated command prompt and reboot:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /V LsaCfgFlagsTest /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v DisablePagingExecutive /t REG_DWORD /d 1 /f
- Reboot the computer and verify lsaiso.exe is running.
- Right-click the process in taskmgr and verify Create Dump generates a dump greater than 0K in size. If it does, then lsaiso.exe is running in normal memory and can be debugged.
Resolution:
Before collecting the required logs, I tried to cross-check and found that the Citrix machine where we have AppSense installed has a known issue with that; hence, to apply the fix we followed the process below, and we found that the CPU usage came back to a normal state.
Open Regedit and navigate to:
HKLM\Software\AppSense\Environment Manager\ASModLdr
Edit the "Exceptions" value.
Add a new line at the bottom containing LsaIso.exe (the fourth letter is a capital I for India, not lower-case L for Lima)
Save the value.
Reboot the machine.
We monitored the CPU and found that it came back to a normal state. (LsaIso shows 0% CPU and overall CPU dropped by 60%)
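
A read-only check for the two qualifiers and the state of the fix described in this post, as an added example that is not part of the original post or any vendor tooling. It assumes English performance counter names, that the 25% figure is measured against total CPU capacity as Task Manager shows it, and that the "Exceptions" value holds one entry per line; the function name and the one-minute sampling window are choices made for this example.

```powershell
# Added example: read-only triage, nothing on the machine is changed.
# Assumptions: English counter names; 25% is measured against total CPU
# capacity (as Task Manager shows it); "Exceptions" holds one entry per line.
$asKey     = 'HKLM:\Software\AppSense\Environment Manager\ASModLdr'  # key from the post
$threshold = 25   # percent, the post's first qualifier
$samples   = 12   # 12 samples x 5 s = one minute of observation
$interval  = 5

function Test-LsaIsoExcluded {
    param([string[]]$Exceptions)
    # True when any line is exactly LsaIso.exe (case-insensitive, whitespace ignored)
    [bool](@($Exceptions) -split '\r?\n' -match '^\s*LsaIso\.exe\s*$')
}

# Qualifier 2: AppSense is installed (its module loader key exists)
$appSense = Test-Path -LiteralPath $asKey

# Qualifier 1: LsaIso CPU stays above the threshold for every sample
$cpu = @()
if (Get-Process -Name LsaIso -ErrorAction SilentlyContinue) {
    $cores = [Environment]::ProcessorCount
    $cpu = @(Get-Counter -Counter '\Process(LsaIso)\% Processor Time' `
                 -SampleInterval $interval -MaxSamples $samples |
             ForEach-Object { [math]::Round($_.CounterSamples[0].CookedValue / $cores, 1) })
}
$sustained = $cpu.Count -gt 0 -and @($cpu | Where-Object { $_ -le $threshold }).Count -eq 0

# Current state of the fix: is LsaIso.exe already listed in Exceptions?
$exceptions = @()
if ($appSense) {
    $exceptions = @((Get-ItemProperty -LiteralPath $asKey -ErrorAction SilentlyContinue).Exceptions)
}

# Credential Guard should still be running after the fix (1 = Credential Guard)
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

[pscustomobject]@{
    AppSenseKeyPresent     = $appSense
    LsaIsoCpuSamples       = $cpu -join ', '
    LsaIsoStaysAboveLimit  = $sustained
    BothQualifiersMet      = ($appSense -and $sustained)
    LsaIsoInExceptions     = (Test-LsaIsoExcluded $exceptions)
    CredentialGuardRunning = (@($dg.SecurityServicesRunning) -contains 1)
}
```

Run it from an elevated PowerShell prompt before and after the registry change: the exclusion route should leave CredentialGuardRunning true, whereas the earlier troubleshooting commands turn Credential Guard off.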