Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,245 questions
Hi.
Please refer to this article:
Hope the information is helpful.
Windows 11 22H2 - Remote Credential Guard (RCG) hop (SMB) not working.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 37%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZE%3C/text%3E%3C/svg%3E)
Zacharias Embaxter
35
Reputation points
Hello,
apparently the "double-hop" problem (https://learn.microsoft.com/en-us/answers/questions/744867/remote-credential-guard-double-hop-issue-after-ser) when using Remote Credential Guard (RCG) on a Windows 11 22H2 (Build 22621.1702) endpoint is present again. I.e. after connecting via mstsc /remoteGuard to a Windows 11 PC it is not possible to access network drives. A login dialog appears with the error message "No connection to a domain controller could be established to handle the authentication request."
Win11 configuration (target system):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
"DisableRestrictedAdmin"=dword:00000000
(https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard)
Configuration Win10/Win11 (source system):
Encryption Oracle Remediation - Force: Updated Clients
Remote host allows delegation of non-exportable credentials - Active
Restrict delegation of credentials to remote servers - Active (Require Remote Credential Guard)
The only thing that currently helps is to lock the computer 1x and log in again. After that the connection to network drives etc. works.
The problem does not exist between Windows 10 systems with the same GPO settings. There everything works as it should (even with activated Credential Guard).
Any help would appreciated. Thx.
cu..
Z. Embaxter
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 6%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Stewart Myles 1 Reputation point2023-10-12T21:56:40.55+00:00 Did you manage to find a solution? Our Windows 10 units are working ok but the Windows 11 have no mapped drives
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
MTG 1,196 Reputation points2023-10-13T08:24:00.5133333+00:00 Believe it or not, as of yesterday, there is hope.
MS support contacted me about my support request and said that it's a confirmed bug and that they will resolve it (planned) with the december 2023 cumulative update, possibly already with the preview update (late november 23).
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 33%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Jonatan Kragh Hovgaard 1 Reputation point2023-11-22T14:21:57.9333333+00:00 I have the exact same problem. I have been struggling with this for the last couple of weeks. Happy so realize that I am not completely alone with this problem. Do you have a bug ID or similar so that I can track the progress with Microsoft myself?
-
MTG 1,196 Reputation points
2023-11-22T14:56:28.4433333+00:00 No bug ID that is public, no. I expect MS to serve an update for this next week. Will let you know as soon as I tested it (and I will, as soon as it is released).
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 31%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
David Tapuchi 0 Reputation points2023-11-22T18:20:54.2266667+00:00 I have this issue connecting from Windows 11 to Server 2022. Do you have any more details on the planned fix?
Which OS will be patched? -
MTG 1,196 Reputation points
2023-11-23T08:54:19.3633333+00:00 No details. Just that it will be the optional update next week. I told them that all OS' (and all server OS') are affected, so they know about server 2022 and will rectify that.
-
David Tapuchi 0 Reputation points
2023-11-23T21:51:48.4966667+00:00 Never mind, I tested this on some Windows 11 machines and discovered that the Remote Credential Guard GPO works as "All or Nothing"
If it's enabled, I can only initiate RDP connections using my current credentials. No idea why they did not add an option to force it only for specific hosts (similar to the delegation policy) or add a fallback.
So Credential Guard is out for my environment.
-
MTG 1,196 Reputation points
2023-11-24T08:47:17.6566667+00:00 David, you may use alternate Credentials. Simply start mstsc.exe as using runas or scripted with psexec as other user. That's what we do here.
-
MTG 1,196 Reputation points
2023-11-24T08:49:02.3133333+00:00 David, what we do in this situation: start mstsc.exe as other user. The credentials of that user are passed on, then. Use runas or psexec (or context menu [shift right-click] : run as different user)
-
David Tapuchi 0 Reputation points
2023-11-29T16:30:00.42+00:00 Thanks, interesting solution. Why do you need to use runas, once you open mstsc as "other user"?
-
MTG 1,196 Reputation points
2023-11-30T08:10:46.2833333+00:00 That's a misunderstanding. I was telling you how to run mstsc as other user - either interactive using right-click or scripted (batch) using psexec :-)
-
MTG 1,196 Reputation points
2023-12-05T08:54:38.6833333+00:00 The preview update for Win11 23H2 came in yesterday. NOT FIXED.
I contacted the MS support people and asked to what date the fix was delayed to. Will let you know what they answered.
-
MTG 1,196 Reputation points
2023-12-13T05:30:46.9466667+00:00 They haven't answered yet. That's support!
The december CU doesn't contain the fix, either. I hope the december D week will contain it. XMas present.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 65%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
jaltmann 6 Reputation points2024-01-10T20:35:34.9166667+00:00 I can confirm we are also having issues with Windows 10/11 beyond version 21H2 having the issue. When support for 21H2 expires in Jun 2024, this is going to reduce the security posture of organizations that rely on RCG in helping to limit lateral movement as there doesn't appear to be any work around other than removing the ability to utilize RCG. This is a BIG issue that needs attention.
-
Jonatan Kragh Hovgaard 1 Reputation point
2024-01-16T08:37:00.8833333+00:00 Has anyone managed to find a workaround for this issue? I am seeing this problem at several customers, but I also have a customer where we haven't seen the problem yet. @MTG do you have a MSFT bug ID? I am planning to raise another ticket with MSFT. It would be really helpful to have a bug ID for referral.
-
MTG 1,196 Reputation points
2024-01-16T08:41:34.84+00:00 Hi Jonatan. I have a tracking ID for my yet unresolved issue, yes. It's #2307060030003531 Since the ticket was closed and a patch was promised (which did not arrive, yet) I reopened it just yesterday and will be on the phone with their support today or tomorrow and will let you know when they plan to finally deliver the promised update.
-
MTG 1,196 Reputation points
2024-01-19T09:45:38.43+00:00 Spoke to support. They are not able to tell if the fix was already delivered or not (!?) and will need to investigate. Told them that if it was delivered, it doesn't work. They made out the next telephone call for the 25th of Jan.
-
Jonatan Kragh Hovgaard 1 Reputation point
2024-01-24T17:06:18.4933333+00:00 Thanks. I am really looking forward to hear what Microsoft can tell you tomorrow. I have 4-5 installations that used to work with Windows 10, but now prompts for credentials when the users attempt to access network drives via RDS. I really cannot understand why this hasn't received more attention by Microsoft yet. They are pushing "Passwordless" as a strategy, but at same time they break it down on RDS.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 79%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Chris 5 Reputation points2024-01-25T20:59:58.3633333+00:00 How did your meeting go MTG? We’re in the midst of evaluating Windows Hello for Business for our Windows 11 clients, and this is stopping us in our tracks. Interested to hear how you got on. :) Thanks, Chris
-
MTG 1,196 Reputation points
2024-01-26T08:26:49.05+00:00 Support told me that the fix was postponed (no reason given). Its release is expected in the last week of march 24 as optional update (will of course be part of the regular CU of April as well). Waiting...waiting...waiting.
-
Chris 5 Reputation points
2024-01-31T22:45:08.13+00:00 This reminds me of the AOVPN issue where Microsoft didn’t fix it for nearly two years after launch, but it still worked perfectly on Windows 10. Very disappointing that Microsoft are pushing orgs to Windows 11 and Passwordless, yet features work better on previous versions.
-
Chris 5 Reputation points
2024-02-16T12:58:29+00:00 FYI for anyone wondering, not fixed in February CU Release Preview (KB5034848). Fingers crossed for March CU Release Preview. Please don't let us down Microsoft...
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 88%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
JayL 0 Reputation points2024-03-06T19:43:27.2766667+00:00 Just tried to implement RCG and run into the same issue. Hopefully MS can fix it soon.
-
Chris 5 Reputation points
2024-03-21T18:53:00.6933333+00:00 Latest Windows 11 Release Preview build (KB5035942) which just released seems to have fixed it for us. Fingers crossed it makes its way to the GA channel next month.
-
Chris 5 Reputation points
2024-03-21T21:35:56.17+00:00 Scrap what I said above, it looks like there is another issue now.
Whilst you can authenticate against resources (such as file shares) within RDP successfully, you have to do it by IP address. Attempting to do it by FQDN/hostname results in failure about not being able to find the resource.
DNS works fine on the server, can ping resources. Klist shows tickets issued against the hostnames/fqdn, at a loss as to why it's not working.
Hopefully someone else can chime in.
-
MTG 1,196 Reputation points
2024-03-22T06:40:04.4333333+00:00 Doesn't work here, either! I will reopen the case and tell them a word or two, now, you can believe me.
-
MTG 1,196 Reputation points
2024-03-22T06:41:43.5533333+00:00 doublepost due to refresh problems of this great site
-
Chris 5 Reputation points
2024-03-22T18:44:51.4033333+00:00 Let us know how you get on MTG, it's depressing how long this is taking to remediate.
Is your issue the same as mine where DNS just fails completely for accessing anything with RCG? Kerberos tickets are generated (including hostname!) and can access by IP.
DNS works from CMD, just doesn't work with anything using the RCG auth context - making it basically useless still.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 25%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMH%3C/text%3E%3C/svg%3E)
Matthias Holzner 0 Reputation points2024-04-11T12:19:49.35+00:00 Update 11.April.2024: For me, the April Updates didn't solve the issue. Same for you?
-
MTG 1,196 Reputation points
2024-04-11T12:21:54.6466667+00:00 Matthias, did you install the updates on "both ends"? There were updates needed for all servers and all client OS'. It works here.
-
Matthias Holzner 0 Reputation points
2024-04-12T06:02:06.3833333+00:00 @MTG Yes I can confirm, after having installed the Updates on both ends its working like it should.
Sign in to comment
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 55.00000000000001%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHL%3C/text%3E%3C/svg%3E)
Hania Lian 7,871 Reputation points Microsoft Vendor2023-05-31T09:02:51.6566667+00:00 -
MTG 1,196 Reputation points
2023-06-01T14:05:11.22+00:00 Almost the same here.
Win11 22h2 ->Win10 22H2 = same problem with share access.
Win10 22h2 ->Win11 22H2 = same problem.
Win11 22h2 ->Win11 22H2 = works!
Win10 22h2 ->Win10 22H2 = works!
Reproducible anywhere, even in a clean lab domain.
Credential guard is inactive, remote credential guard is active.
-
Zacharias Embaxter 35 Reputation points
2023-06-02T07:31:30.8933333+00:00 @Hania Lian : Thx for your reply. Because the article ist titled "Known Issues...", does this mean, it will be fixed in near future, it won't be fixed at all?
I asked because we don't have any Events within "Application and Services Logs\Microsoft\Windows\NTLM\Operational" which is mentioned in the linked article.
cu...
Z. Embaxter -
MTG 1,196 Reputation points
2024-03-27T09:15:07.0633333+00:00 Is it over, can we please call it "over"? :-)
Yesterday, the preview patches arrived and they work!Win10 22H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5035941 Win11 23H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5035942
-
Chris 5 Reputation points
2024-03-27T09:59:48.87+00:00 Still not working for me MTG, Windows 11 23H2.
To confirm, VBS is enabled on the environment I'm trying to access (Windows Server 2022) with required credential delegation. It works by IP, but DNS seems to be non-existent when authenticating with RCG.
I can resolve DNS of the resources in CMD and it shows with ticket in klist with hostname against it, but when trying to navigate/reach it fails with being unable to find (DNS error).
Can you share your environment/policies? This is what I have set.
-
MTG 1,196 Reputation points
2024-03-27T10:51:47.64+00:00 Still not perfect. I can confirm that I can:
Win11 23H2->Win Server 2019 & Win10 (and reverse)
but I can't use network resources on server 2022 when I rdp from Win11 23H2 -> Server 2022. There's no patch seen for server 2022, yet.
-
Chris 5 Reputation points
2024-03-27T11:18:12+00:00 Unfortunately not the same experience for me.
Windows 11 23H2 --> Server 2019, doesn't work by IP or DNS.
Windows 11 23H2 --> Server 2022, works by IP but not by DNS.
Windows 10 works flawlessly to all servers.
-
MTG 1,196 Reputation points
2024-03-28T14:40:48.1+00:00 Chris, whatever it was that made it work here for Win11 23H2->server 2019, it does not work right now. So what is fixed is limited to correct remote credential guard between (back and forth) win11<->win10, while RCG on servers is still broken. But: that is expected since it seems as though both ends need adjustments and the servers have not received updates addressing this, yet. I share this in my MS support case (which is still closed since these people show no need to respond to their customers in a timely fashion) and I expect server updates to follow next month.
As for the settings here in the test environment: all is vanilla (no settings apart from remote credential guard being activated).
-
Chris 5 Reputation points
2024-04-09T17:28:21.9466667+00:00 I'm pleased to confirm the latest April updates have fixed this issue.
-
Jonatan Kragh Hovgaard 1 Reputation point
2024-04-25T08:19:18.07+00:00 Yes, this did it for me:
...This update addresses an issue that affects a network resource. You cannot access it from a Remote Desktop session. This occurs when you turn on the Remote Credential Guard feature and the client is Windows 11, version 22H2 or higher...
April 9, 2024—KB5036896 (OS Build 17763.5696) - Microsoft Support
Sign in to comment -