- AD team can only help to see whether the GPO is applied. If the registry key pushed by the GPO has been applied, AD team cannot answer why the registry is not effective.
Related GPO references are as follows;
Best Regards,
Vicky
I am working with a client at the moment who has added the above security setting and recently added some 2016 machines. The GPO setting is using option 3 in this list; however, when attempting to initiate a connection using MSTSC I receive a CredSSP encryption oracle remediation error message.
| Option | Registry Hive | Registry Path | Value Name | Value Type | Value |
|---|---|---|---|---|---|
| Restrict Credential Delegation | HKEY_LOCAL_MACHINE | Software\Policies\Microsoft\Windows\CredentialsDelegation | RestrictedRemoteAdministrationType | REG_DWORD | 3 |
| Require Remote Credential Guard | HKEY_LOCAL_MACHINE | Software\Policies\Microsoft\Windows\CredentialsDelegation | RestrictedRemoteAdministrationType | REG_DWORD | 2 |
| Require Restricted Admin | HKEY_LOCAL_MACHINE | Software\Policies\Microsoft\Windows\CredentialsDelegation | RestrictedRemoteAdministrationType | REG_DWORD | 1 |
I have added the registry key to the destination and host:
DWORD = DisableRestrictedAdmin but cannot connect due to the CredSSP error. On a 2016 machine I can change the sub-setting in PreProd to 'Require Restricted Admin' and the connection completes; however, in production this setting is set by a GPO that I do not have access to see or change, so I was wondering if there are any other admins out there who are having this issue and if there is a resolution that does not reduce the security.
Hi,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Vicky
Hi Vicky
Unfortunately no, we are looking into this further. It seems to stem from the different OS levels and how the options are configured in the registry keys. I am going to be working with the AD team and GPO owners in an effort to understand what setting they can use to allow a secure option for this.
Thanks
Darren
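
Added example (not posted by anyone in this thread, and not Microsoft's code): a PowerShell check that reads the value the GPO actually wrote on a machine, without needing access to the GPO, and compares the client's enforced mode with what the target accepts. The function names and JSON file names are hypothetical, and the Lsa location of DisableRestrictedAdmin is an assumption, since the thread names the value but not its path.

```powershell
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-RdpDelegationState {
    # Run locally on the RDP client and on the RDP target.
    $names = @{ 1 = 'Require Restricted Admin'
                2 = 'Require Remote Credential Guard'
                3 = 'Restrict Credential Delegation' }
    $policy  = Get-RegDword 'HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation' 'RestrictedRemoteAdministrationType'
    # Assumption: DisableRestrictedAdmin is read from the Lsa key (path not given in the thread).
    $disable = Get-RegDword 'HKLM:\System\CurrentControlSet\Control\Lsa' 'DisableRestrictedAdmin'
    $label = if ($null -eq $policy) { 'Not configured' }
             elseif ($names.ContainsKey([int]$policy)) { $names[[int]$policy] }
             else { "Unknown ($policy)" }
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        OS                     = (Get-CimInstance Win32_OperatingSystem).Caption
        PolicyValue            = $policy
        PolicyName             = $label
        DisableRestrictedAdmin = $disable
        # Only an explicit 0 counts; an absent value is treated as "not accepted".
        AcceptsRestrictedLogon = ($disable -eq 0)
    }
}

function Test-RdpDelegationPair {
    param($Client, $Target)
    # A client policy of 1, 2 or 3 restricts delegation, so the target must accept such logons.
    if ($Client.PolicyValue -in 1, 2, 3 -and -not $Target.AcceptsRestrictedLogon) {
        "MISMATCH: $($Client.Computer) enforces '$($Client.PolicyName)' but " +
        "$($Target.Computer) ($($Target.OS)) has DisableRestrictedAdmin='$($Target.DisableRestrictedAdmin)'"
    } else {
        "No mismatch in these two values: client '$($Client.PolicyName)', " +
        "target DisableRestrictedAdmin='$($Target.DisableRestrictedAdmin)' on $($Target.OS)"
    }
}

# On each machine:   Get-RdpDelegationState | ConvertTo-Json | Set-Content state.json
# Then compare (file names are placeholders):
#   Test-RdpDelegationPair (Get-Content client.json -Raw | ConvertFrom-Json) `
#                          (Get-Content target.json -Raw | ConvertFrom-Json)
Get-RdpDelegationState | Format-List
```

A "no mismatch" result only covers these two registry values; it does not confirm that the connection will succeed across different OS levels.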