KB43724 - Pulse SAM fails to launch on Windows 10 with error "Failed to start jnpr TDI driver.(Error :1253)"

This article describes an issue where Pulse SAM fails to launch on Windows 10 with error "Failed to start jnpr TDI driver.(Error :1253).

Windows 10  users may encounter the following message when launching Pulse SAM connections:

Failed to start jnpr TDI driver.(Error :1253)

Screenshot:

This issue occurs due to an incompatibility with HVCI and the Pulse SAM TDI driver when Windows Defender Device Guard or Credential Guard is enabled on Windows 10 with one of the following options:

• Enabled with UEFI lock in the Virtualization Based Protection of Code Integrity
• Enabled without lock in the Virtualization Based Protection of Code Integrity 

When HVCI is enabled, Windows Defender Device Guard blocks access to the JNPR TDI driver which is required to start Secure Application Manager (SAM) service.

Starting in 9.0R3 release, Windows Device Guard feature is supported with Pulse Secure Application Manager (Pulse SAM) with the Pulse Desktop Client.  This feature is not supported with Legacy WSAM.

Workaround:

For Pulse SAM to work in versions prior to 9.0R3, it is necessary to disable HVCI options locally on the client PC as well as in the GPO.  

Refer to the following Tutorial for steps on disabling HVCI options for Device Guard and Credential Provider with or without UEFI lock enabled.

Note: It is still possible to use Windows Defender Application Control with Pulse SAM.  The conflict is specifically with Device Guard and Credential Provider options.
 

For more information on Windows Defender Application Control and Device Guard refer to the topics mentioned in the "Threat Protection" section of Microsoft Docs.