Hi.
Please refer to this article:
Hope the information is helpful.
Hello,
apparently the "double-hop" problem (https://learn.microsoft.com/en-us/answers/questions/744867/remote-credential-guard-double-hop-issue-after-ser) when using Remote Credential Guard (RCG) on a Windows 11 22H2 (Build 22621.1702) endpoint is present again. I.e. after connecting via mstsc /remoteGuard to a Windows 11 PC it is not possible to access network drives. A login dialog appears with the error message "No connection to a domain controller could be established to handle the authentication request."
Win11 configuration (target system):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
"DisableRestrictedAdmin"=dword:00000000
(https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard)
Configuration Win10/Win11 (source system):
Encryption Oracle Remediation - Force: Updated Clients
Remote host allows delegation of non-exportable credentials - Active
Restrict delegation of credentials to remote servers - Active (Require Remote Credential Guard)
The only thing that currently helps is to lock the computer 1x and log in again. After that the connection to network drives etc. works.
The problem does not exist between Windows 10 systems with the same GPO settings. There everything works as it should (even with activated Credential Guard).
Any help would be appreciated. Thx.
cu..
Z. Embaxter
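The post above lists the settings on both ends without a way to verify them. As an added example (not part of the thread or of Microsoft's documentation), the PowerShell below reads the corresponding registry values on the RDP client and on the target. The target-side key is the one quoted in the post; the mapping of the three client GPO names to registry values under CredentialsDelegation and CredSSP\Parameters is my assumption from the CredSsp/Terminal Services ADMX templates.

```powershell
# Added example: audit the Remote Credential Guard (RCG) settings described in the post.
# Run in an elevated PowerShell on each side. Absent value = policy not configured.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-RcgTargetConfig {
    # Target (RDP host) side, as in the post: DisableRestrictedAdmin = 0 under Lsa.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = Get-RegDword $lsa 'DisableRestrictedAdmin'
    [pscustomobject]@{ Setting = 'DisableRestrictedAdmin'; Value = $v; Expected = 0; Ok = ($v -eq 0) }
}

function Test-RcgClientConfig {
    # Client (mstsc) side. Registry mapping of the GPO names is an assumption (ADMX templates):
    #   Encryption Oracle Remediation "Force Updated Clients"      -> AllowEncryptionOracle = 0
    #   Remote host allows delegation of non-exportable credentials -> AllowProtectedCreds = 1
    #   Restrict delegation of credentials to remote servers        -> RestrictedRemoteAdministration = 1
    #   ... "Require Remote Credential Guard"                      -> RestrictedRemoteAdministrationType = 2
    #       (1 = Restrict credential delegation, 3 = Require Restricted Admin)
    $cd     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $oracle = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $checks = @(
        @{ Setting = 'AllowEncryptionOracle';              Path = $oracle; Expected = 0 }
        @{ Setting = 'AllowProtectedCreds';                Path = $cd;     Expected = 1 }
        @{ Setting = 'RestrictedRemoteAdministration';     Path = $cd;     Expected = 1 }
        @{ Setting = 'RestrictedRemoteAdministrationType'; Path = $cd;     Expected = 2 }
    )
    foreach ($c in $checks) {
        $v = Get-RegDword $c.Path $c.Setting
        [pscustomobject]@{ Setting = $c.Setting; Value = $v; Expected = $c.Expected; Ok = ($v -eq $c.Expected) }
    }
}

# On the client: check the delegation policies. On the target: check the Lsa value
# (locally, or remotely via Invoke-Command -ComputerName <target> -ScriptBlock ${function:Test-RcgTargetConfig}).
Test-RcgClientConfig | Format-Table -AutoSize
Test-RcgTargetConfig | Format-Table -AutoSize
```

A row with Ok = False points at the end whose configuration differs from the one the post describes; matching settings on both ends with the symptom still present is what the rest of the thread attributes to the Windows 11 22H2+ bug.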
Did you manage to find a solution? Our Windows 10 units are working ok but the Windows 11 have no mapped drives
Believe it or not, as of yesterday, there is hope.
MS support contacted me about my support request and said that it's a confirmed bug and that they will resolve it (planned) with the december 2023 cumulative update, possibly already with the preview update (late november 23).
I have the exact same problem. I have been struggling with this for the last couple of weeks. Happy to realize that I am not completely alone with this problem. Do you have a bug ID or similar so that I can track the progress with Microsoft myself?
No bug ID that is public, no. I expect MS to serve an update for this next week. Will let you know as soon as I tested it (and I will, as soon as it is released).
I have this issue connecting from Windows 11 to Server 2022. Do you have any more details on the planned fix?
Which OS will be patched?
No details. Just that it will be the optional update next week. I told them that all OS' (and all server OS') are affected, so they know about server 2022 and will rectify that.
Never mind, I tested this on some Windows 11 machines and discovered that the Remote Credential Guard GPO works as "All or Nothing"
If it's enabled, I can only initiate RDP connections using my current credentials. No idea why they did not add an option to force it only for specific hosts (similar to the delegation policy) or add a fallback.
So Credential Guard is out for my environment.
David, you may use alternate credentials. Simply start mstsc.exe using runas, or scripted with psexec as another user. That's what we do here.
David, what we do in this situation: start mstsc.exe as other user. The credentials of that user are passed on, then. Use runas or psexec (or context menu [shift right-click] : run as different user)
Thanks, interesting solution. Why do you need to use runas, once you open mstsc as "other user"?
That's a misunderstanding. I was telling you how to run mstsc as other user - either interactive using right-click or scripted (batch) using psexec :-)
The preview update for Win11 23H2 came in yesterday. NOT FIXED.
I contacted the MS support people and asked to what date the fix was delayed to. Will let you know what they answered.
They haven't answered yet. That's support!
The december CU doesn't contain the fix, either. I hope the december D week will contain it. XMas present.
I can confirm we are also having issues with Windows 10/11 beyond version 21H2 having the issue. When support for 21H2 expires in Jun 2024, this is going to reduce the security posture of organizations that rely on RCG in helping to limit lateral movement as there doesn't appear to be any work around other than removing the ability to utilize RCG. This is a BIG issue that needs attention.
Has anyone managed to find a workaround for this issue? I am seeing this problem at several customers, but I also have a customer where we haven't seen the problem yet. @MTG do you have a MSFT bug ID? I am planning to raise another ticket with MSFT. It would be really helpful to have a bug ID for referral.
Hi Jonatan. I have a tracking ID for my yet unresolved issue, yes. It's #2307060030003531. Since the ticket was closed and a patch was promised (which did not arrive, yet) I reopened it just yesterday and will be on the phone with their support today or tomorrow and will let you know when they plan to finally deliver the promised update.
Spoke to support. They are not able to tell if the fix was already delivered or not (!?) and will need to investigate. Told them that if it was delivered, it doesn't work. They set up the next telephone call for the 25th of Jan.
Thanks. I am really looking forward to hearing what Microsoft can tell you tomorrow. I have 4-5 installations that used to work with Windows 10, but now prompt for credentials when the users attempt to access network drives via RDS. I really cannot understand why this hasn't received more attention by Microsoft yet. They are pushing "Passwordless" as a strategy, but at the same time they break it down on RDS.
How did your meeting go MTG? We’re in the midst of evaluating Windows Hello for Business for our Windows 11 clients, and this is stopping us in our tracks. Interested to hear how you got on. :) Thanks, Chris
Support told me that the fix was postponed (no reason given). Its release is expected in the last week of march 24 as optional update (will of course be part of the regular CU of April as well). Waiting...waiting...waiting.
This reminds me of the AOVPN issue where Microsoft didn’t fix it for nearly two years after launch, but it still worked perfectly on Windows 10. Very disappointing that Microsoft are pushing orgs to Windows 11 and Passwordless, yet features work better on previous versions.
FYI for anyone wondering, not fixed in February CU Release Preview (KB5034848). Fingers crossed for March CU Release Preview. Please don't let us down Microsoft...
Just tried to implement RCG and run into the same issue. Hopefully MS can fix it soon.
Latest Windows 11 Release Preview build (KB5035942) which just released seems to have fixed it for us. Fingers crossed it makes its way to the GA channel next month.
Scrap what I said above, it looks like there is another issue now.
Whilst you can authenticate against resources (such as file shares) within RDP successfully, you have to do it by IP address. Attempting to do it by FQDN/hostname results in failure about not being able to find the resource.
DNS works fine on the server, can ping resources. Klist shows tickets issued against the hostnames/fqdn, at a loss as to why it's not working.
Hopefully someone else can chime in.
Doesn't work here, either! I will reopen the case and tell them a word or two, now, you can believe me.
Double post due to refresh problems of this great site.
Let us know how you get on MTG, it's depressing how long this is taking to remediate.
Is your issue the same as mine where DNS just fails completely for accessing anything with RCG? Kerberos tickets are generated (including hostname!) and can access by IP.
DNS works from CMD, just doesn't work with anything using the RCG auth context - making it basically useless still.
Update 11.April.2024: For me, the April Updates didn't solve the issue. Same for you?
Matthias, did you install the updates on "both ends"? There were updates needed for all servers and all client OS'. It works here.
@MTG Yes I can confirm, after having installed the Updates on both ends its working like it should.
Hello,
back after a long, long time. I've read the whole thread and I can confirm that after installing the latest updates on all machines it works like it should. I would say:
Case closed (till next update?! ;) ).
Hello,
Thank you for the excellent information.
It was very helpful since I was struggling with the same issue.
By the way, I have another problem.
When using Remote Credential Guard, I can't automatically sign into Edge with my EntraID account when I use RDP.
Do you have any information on this?
I can sign in without any problems when not using Remote Credential Guard. I look forward to any helpful information.
Thank you.
Does anyone else have intermittent issues with this still? This started working for us after the update and we have completed a roll out of Windows 11 Azure AD joined devices, and we get intermittent issues when users are unable to access resources such as mapped network drives within the RDP session (Windows Server 2019). Signing out of the session and back in again fixes the issue but it can happen again seemingly randomly.
This is broken again in Windows 11 24H2 feature update.
Microsoft pushing people towards Passwordless, but keep breaking crucial functionality to deliver this.
I can second this. I have 24H2 on arm64 and have the same problem with RCG.
Another confirmation - 24H2 RCG has an issue when targeting non-24H2 systems.
Lock screen + password as a workaround, but defeats the purpose of RCG in doing so
FYI: I opened a pay-per-incident case with Microsoft about this 10 weeks ago. It took them several weeks to even acknowledge the problem, but now they are on it. Will let you know about their plans to patch it as soon as I have that info.
Any news on this? The lockscreen + password workaround is OK for us admins and RDP sessions, but this bug is also affecting our RemoteApps which rely on network shares and printers.
No news.
MS technical support is unable to reproduce the problem although any beginner can do this in 5 minutes. Sad but true. I shall send them a video file demonstrating it on a clean system - will do today.
It's shocking that you've opened a paid support case and they can't be bothered to make the effort to reproduce the issue - which is easy to do. It's literally a couple of policies.
Chris, it's not so shocking, I am afraid, it's rather, to use Microsoft speak, "expected behavior".
Last time (when the same bug occurred on 22H2), it took them several months to confirm the bug and 12 months to roll out a patch. So as of today, my case is 3 or 4 months old - normally, I would not expect to see a fix before summer '25. Yesterday, they just asked me (after months) "how many users are affected" and "did you try setting the policies this way" [describing the same way as described in my ticket]. It's outrageous. Last time I contacted their managers to complain - not even a response.
Almost the same here.
Win11 22h2 ->Win10 22H2 = same problem with share access.
Win10 22h2 ->Win11 22H2 = same problem.
Win11 22h2 ->Win11 22H2 = works!
Win10 22h2 ->Win10 22H2 = works!
Reproducible anywhere, even in a clean lab domain.
Credential guard is inactive, remote credential guard is active.
@Hania Lian: Thx for your reply. Because the article is titled "Known Issues...", does this mean it will be fixed in the near future, or that it won't be fixed at all?
I ask because we don't have any events within "Application and Services Logs\Microsoft\Windows\NTLM\Operational", which is mentioned in the linked article.
cu...
Z. Embaxter
Is it over, can we please call it "over"? :-)
Yesterday, the preview patches arrived and they work!
Win10 22H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5035941
Win11 23H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5035942
Still not working for me MTG, Windows 11 23H2.
To confirm, VBS is enabled on the environment I'm trying to access (Windows Server 2022) with required credential delegation. It works by IP, but DNS seems to be non-existent when authenticating with RCG.
I can resolve DNS of the resources in CMD and it shows a ticket in klist with the hostname against it, but when trying to navigate/reach it, it fails with being unable to find it (DNS error).
Can you share your environment/policies? This is what I have set.
Still not perfect. I can confirm that I can:
Win11 23H2->Win Server 2019 & Win10 (and reverse)
but I can't use network resources on server 2022 when I rdp from Win11 23H2 -> Server 2022. There's no patch seen for server 2022, yet.
Unfortunately not the same experience for me.
Windows 11 23H2 --> Server 2019, doesn't work by IP or DNS.
Windows 11 23H2 --> Server 2022, works by IP but not by DNS.
Windows 10 works flawlessly to all servers.
Chris, whatever it was that made it work here for Win11 23H2->server 2019, it does not work right now. So what is fixed is limited to correct remote credential guard between (back and forth) win11<->win10, while RCG on servers is still broken. But: that is expected since it seems as though both ends need adjustments and the servers have not received updates addressing this, yet. I share this in my MS support case (which is still closed since these people show no need to respond to their customers in a timely fashion) and I expect server updates to follow next month.
As for the settings here in the test environment: all is vanilla (no settings apart from remote credential guard being activated).
I'm pleased to confirm the latest April updates have fixed this issue.
Yes, this did it for me:
...This update addresses an issue that affects a network resource. You cannot access it from a Remote Desktop session. This occurs when you turn on the Remote Credential Guard feature and the client is Windows 11, version 22H2 or higher...
April 9, 2024—KB5036896 (OS Build 17763.5696) - Microsoft Support
Hooray (!?), the latest Win11 24H2 build resurrects the problem. I can't believe it. Running 26100.1297 here.
Yep, the problem is back. I'm on 26100.1301.
Can confirm the bug is back, running 24H2 26100.2033 (October LCU).