diff --git a/dlls/secur32/tests/negotiate.c b/dlls/secur32/tests/negotiate.c
index 095aee6cb57..5e5beed7f77 100644
--- a/dlls/secur32/tests/negotiate.c
+++ b/dlls/secur32/tests/negotiate.c
@@ -297,7 +297,9 @@ static void test_authentication(void)
         ok( pi->fCapabilities == NTLM_BASE_CAPS ||
             pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_READONLY_WITH_CHECKSUM) ||
             pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS) ||
-            pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS|
+            pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS|SECPKG_FLAG_APPCONTAINER_CHECKS) ||
+            pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS|SECPKG_FLAG_APPLY_LOOPBACK) ||
+            pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS|SECPKG_FLAG_APPLY_LOOPBACK|
                                   SECPKG_FLAG_APPCONTAINER_CHECKS),
             "got %08x\n", pi->fCapabilities );
         ok( pi->wVersion == 1, "got %u\n", pi->wVersion );
diff --git a/dlls/secur32/tests/ntlm.c b/dlls/secur32/tests/ntlm.c
index 6b1249d2017..930a49e451b 100644
--- a/dlls/secur32/tests/ntlm.c
+++ b/dlls/secur32/tests/ntlm.c
@@ -929,7 +929,9 @@ static void testAuth(ULONG data_rep, BOOL fake)
         ok(pi->fCapabilities == NTLM_BASE_CAPS ||
            pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_READONLY_WITH_CHECKSUM) ||
            pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS) ||
-           pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS|
+           pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS|SECPKG_FLAG_APPCONTAINER_CHECKS) ||
+           pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS|SECPKG_FLAG_APPLY_LOOPBACK) ||
+           pi->fCapabilities == (NTLM_BASE_CAPS|SECPKG_FLAG_RESTRICTED_TOKENS|SECPKG_FLAG_APPLY_LOOPBACK|
                                  SECPKG_FLAG_APPCONTAINER_CHECKS),
            "got %08x\n", pi->fCapabilities);
         ok(pi->wVersion == 1, "got %u\n", pi->wVersion);
diff --git a/dlls/secur32/tests/schannel.c b/dlls/secur32/tests/schannel.c
index 426bf66014e..217dbe8dfaa 100644
--- a/dlls/secur32/tests/schannel.c
+++ b/dlls/secur32/tests/schannel.c
@@ -435,11 +435,13 @@ static void testAcquireSecurityContext(void)
     ok(ret, "CertSetCertificateContextProperty failed: %08x\n", GetLastError());
     st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
         NULL, &schanCred, NULL, NULL, &cred, NULL);
-    ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_INTERNAL_ERROR /* WinNT */,
+    ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_INTERNAL_ERROR /* WinNT */ ||
+       st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
        "Expected SEC_E_UNKNOWN_CREDENTIALS or SEC_E_INTERNAL_ERROR, got %08x\n", st);
     st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
         NULL, &schanCred, NULL, NULL, &cred, NULL);
-    ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_INTERNAL_ERROR /* WinNT */,
+    ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_INTERNAL_ERROR /* WinNT */ ||
+       st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
         "Expected SEC_E_UNKNOWN_CREDENTIALS or SEC_E_INTERNAL_ERROR, got %08x\n", st);
 
     ret = CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
@@ -489,12 +491,13 @@ static void testAcquireSecurityContext(void)
         schanCred.dwVersion = SCH_CRED_V3;
         st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_OUTBOUND,
          NULL, &schanCred, NULL, NULL, &cred, NULL);
-        ok(st == SEC_E_OK, "AcquireCredentialsHandleA failed: %08x\n", st);
+        ok(st == SEC_E_OK || st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
+           "AcquireCredentialsHandleA failed: %08x\n", st);
         FreeCredentialsHandle(&cred);
         st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
          NULL, &schanCred, NULL, NULL, &cred, NULL);
-        ok(st == SEC_E_OK ||
-           st == SEC_E_UNKNOWN_CREDENTIALS, /* win2k3 */
+        ok(st == SEC_E_OK || st == SEC_E_UNKNOWN_CREDENTIALS /* win2k3 */ ||
+           st == SEC_E_INSUFFICIENT_MEMORY /* win10 */,
            "AcquireCredentialsHandleA failed: %08x\n", st);
         FreeCredentialsHandle(&cred);
         schanCred.dwVersion = SCHANNEL_CRED_VERSION;
@@ -533,7 +536,7 @@ static void testAcquireSecurityContext(void)
            st == SEC_E_INVALID_TOKEN /* WinNT */, "st = %08x\n", st);
         st = AcquireCredentialsHandleA(NULL, unisp_name_a, SECPKG_CRED_INBOUND,
          NULL, &schanCred, NULL, NULL, &cred, NULL);
-        ok(st == SEC_E_UNKNOWN_CREDENTIALS,
+        ok(st == SEC_E_UNKNOWN_CREDENTIALS || st == SEC_E_NO_CREDENTIALS,
          "Expected SEC_E_UNKNOWN_CREDENTIALS, got %08x\n", st);
         /* FIXME: what about two valid certs? */
 
@@ -866,7 +869,8 @@ todo_wine
     }
 
     ok(buffers[0].pBuffers[0].cbBuffer == 0, "Output buffer size was not set to 0.\n");
-    ok(status == SEC_E_OK, "InitializeSecurityContext failed: %08x\n", status);
+    ok(status == SEC_E_OK || broken(status == SEC_E_ILLEGAL_MESSAGE) /* winxp */,
+       "InitializeSecurityContext failed: %08x\n", status);
     if(status != SEC_E_OK) {
         skip("Handshake failed\n");
         return;
diff --git a/include/sspi.h b/include/sspi.h
index ad423eed90c..036d2cf2f82 100644
--- a/include/sspi.h
+++ b/include/sspi.h
@@ -174,6 +174,7 @@ SECURITY_STATUS WINAPI AddSecurityPackageW(LPWSTR,SECURITY_PACKAGE_OPTIONS*);
 #define SECPKG_FLAG_APPCONTAINER_PASSTHROUGH     0x00400000
 #define SECPKG_FLAG_APPCONTAINER_CHECKS          0x00800000
 #define SECPKG_FLAG_CREDENTIAL_ISOLATION_ENABLED 0x01000000
+#define SECPKG_FLAG_APPLY_LOOPBACK               0x02000000
 
 #define SECPKG_ID_NONE  0xffff