With remote credential guard active, there are authentication problems with Win11

MTG 1,196 Reputation points
2023-06-01T10:23:52.09+00:00

To participate, you should be familiar with "remote credential guard".

Situation:

DCs: Server 2016 1607 (same in the test domain with Server 2022)

Clients: Win10 22H2, however we are starting to add Win11 22H2 to this mix.

RDPing from Win10 to Win10, there are no problems, neither from Win11 to Win11.

However, from Win11 (22H2, NOT with 22H1!) to Win10 or the other way round, we see the following problem:

As soon as we activate remote credential guard, we have to re-authenticate whenever we try to access file shares from within a remote session.

We see the same problem when we use RDP from Win11 to Server 2019.

If we use \\ipaddress\sharename to access the share instead of the name, we don't have to re-authenticate.

I can reproduce this problem anywhere, even on clean installations with no software or GPOs on them.

Please note: this has nothing to do with https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-known-issues which people get pointed to (see https://learn.microsoft.com/en-us/answers/questions/1294080/windows-11-22h2-remote-credential-guard-(rcg)-hop ) as this ain't Windows Defender Credential Guard (inactive here) but Remote Credential Guard!


1 answer

  1. Limitless Technology 43,956 Reputation points
    2023-06-02T12:35:27.88+00:00

    Hello MTG,

    Thank you for your question and for reaching out with your question today.

    One possible theory: in some cases, it's possible that other connections made to servers on the same domain would cache information on the client that would then get reused for the RCG connection, but there is no way to tell for sure if that's the case. It may, however, point you in an investigative direction.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.
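Neither the question nor the answer shows how to gather the data that would confirm or rule out the caching theory. The following PowerShell is an added diagnostic, not code from the thread or from Microsoft: it checks the Remote Credential Guard prerequisite on the RDP target (the `DisableRestrictedAdmin` value under the LSA key must be 0), lists the Kerberos service tickets present in the current remote session via `klist`, and summarises successful network logons (event 4624, logon type 3) on the file server by authentication package and source address, so that a name-based and an IP-based share access can be compared. `FILESERVER01` is a placeholder; the event-log query assumes remote Security-log read access to the share host. The script observes which authentication package each access used; it does not by itself explain the root cause.

```powershell
# Added diagnostic for the RCG re-authentication symptom (not from the thread).
# Assumptions: run in an elevated PowerShell inside the RDP session on the
# RCG target; $FileServer is a placeholder for the host whose share prompts.
param(
    [string]$FileServer = 'FILESERVER01',   # placeholder, replace with the share host
    [int]$Hours = 1                          # look-back window for the server's Security log
)

function Test-RcgTargetPrerequisite {
    # RCG/Restricted Admin connections are only accepted when this value is 0.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    [pscustomobject]@{
        Host                   = $env:COMPUTERNAME
        DisableRestrictedAdmin = if ($null -eq $v) { '<absent>' } else { $v }
        RcgAllowed             = ($v -eq 0)
    }
}

function Get-SessionKerberosTickets {
    # klist shows the tickets of the current logon session. Under RCG they are
    # obtained through the client's LSA; a missing cifs/<fileserver> entry after
    # a name-based share access means that access did not complete via Kerberos.
    & klist.exe 2>&1 | ForEach-Object {
        if ($_ -match '^\s*Server:\s*(\S+)') { $Matches[1] }
    }
}

function Get-NetworkLogonSummary {
    param([string]$ComputerName, [int]$Hours)
    # Event 4624 on the file server; LogonType 3 = network logon (SMB share access).
    # Grouping by AuthenticationPackageName and IpAddress shows whether the
    # name-based and the IP-based access arrived as Kerberos or NTLM.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Read the named EventData fields rather than relying on positional indexes.
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.LogonType -eq '3') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Package     = $d.AuthenticationPackageName
                    Source      = $d.IpAddress
                    Workstation = $d.WorkstationName
                }
            }
        } |
        Group-Object Package, Source |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage: run once, reproduce the prompt via \\name\share and via \\ip\share, run again.
Test-RcgTargetPrerequisite | Format-List
Get-SessionKerberosTickets
Get-NetworkLogonSummary -ComputerName $FileServer -Hours $Hours | Format-Table -AutoSize
```

Run the three steps before and after reproducing the prompt with `\\name\share` and `\\ipaddress\share`: a `cifs/` ticket that appears in `klist` only for the working path, or a 4624 group whose package differs between the two source paths, is the kind of evidence the answer's caching theory needs, and it is collected entirely from the hosts' own logs.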