Remote Credential Guard problem

Anonymous
2024-01-30T12:11:47+00:00

Hi,

I've set up the Remote Credential Guard.

It means I configured the GPO on the RDP host (Computer Configuration\Administrative Templates\System\Credentials Delegation -> Remote host allows delegation of non-exportable credentials -> Enabled).

I configured the client with GPO: Computer Configuration\Administrative Templates\System\Credentials Delegation

Restrict delegation of credentials to remote servers -> Enabled, and there I selected Require Remote Credential Guard,

as it is documented in this article: https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard?tabs=gpo. It works fine!

BUT

When I change the client GPO setting to this: Restrict Credential Delegation

it stops working.

My question is: why?

Based on the above article both options are valid for the solution.

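An added check for the setup described in this question (example script, not code from the post or from Microsoft's documentation). It reads the registry values that the two GPO settings write and reports what the client will do. The registry paths and the meaning of the type values are taken from the linked Remote Credential Guard article; the host name `rdp-host-01` and WinRM access to that host are assumptions.

```powershell
# Added example, not part of the original post or of Microsoft's documentation.
# Reads the registry values behind the two GPO settings in the question and
# reports what the client will do for an RDP connection. Assumptions: the
# placeholder host name 'rdp-host-01' and WinRM access to it (Invoke-Command).

$ClientPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$RdpHost         = 'rdp-host-01'   # placeholder; replace with the real RDP host

# "Restrict delegation of credentials to remote servers" writes
# RestrictedRemoteAdministration = 1 plus one of these types:
$TypeMeaning = @{
    1 = 'Restrict credential delegation: prefer Remote Credential Guard, fall back to Restricted Admin'
    2 = 'Require Remote Credential Guard: fail unless the host supports it'
    3 = 'Require Restricted Admin: fail unless the host supports it (needs admin rights on the host)'
}

function Get-ClientDelegationPolicy {
    $p = Get-ItemProperty -Path $ClientPolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.RestrictedRemoteAdministration -ne 1) {
        return [pscustomobject]@{
            Enabled = $false; Type = $null
            Meaning = 'Policy not enabled: mstsc may delegate reusable credentials (CredSSP) to the host'
        }
    }
    $t = [int]$p.RestrictedRemoteAdministrationType
    [pscustomobject]@{
        Enabled = $true; Type = $t
        Meaning = if ($TypeMeaning.ContainsKey($t)) { $TypeMeaning[$t] } else { "Unknown type $t" }
    }
}

# "Remote host allows delegation of non-exportable credentials" (host side) sets
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0. Missing or 1
# means the host refuses both Restricted Admin and Remote Credential Guard sessions.
function Test-HostAllowsNonExportableCreds {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
        return ($v -eq 0)
    }
}

$client = Get-ClientDelegationPolicy
Write-Host "Client policy : enabled=$($client.Enabled) type=$($client.Type)"
Write-Host "Client meaning: $($client.Meaning)"

$hostOk = Test-HostAllowsNonExportableCreds -ComputerName $RdpHost
Write-Host "Host $RdpHost allows non-exportable credentials: $hostOk"

# The registry only says what is configured. To see what is actually negotiated,
# force each mode explicitly and watch whether the session opens:
#   mstsc.exe /v:$RdpHost /remoteGuard       # the mode used by types 1 and 2
#   mstsc.exe /v:$RdpHost /restrictedAdmin   # the mode used by type 3 and the fallback in type 1
# If /remoteGuard opens a session but the policy-driven connection does not,
# the difference is on the client side, not on the host.
```

The two `mstsc.exe` switches are the quickest way to separate a host that rejects non-exportable credentials from a client policy that is not being honoured: each switch forces one mode, so a failure under one of them is a host-side answer, while success under both with a failing policy-driven connection is a client-side one.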

3 answers

  1. Anonymous
    2024-01-31T02:28:13+00:00

    Hello Gergely Szabó1,

    Thank you for posting in Microsoft Community forum.

    The reason why Remote Credential Guard stops working when you change the client GPO setting to "Restrict Credential Delegation" is that this setting restricts the delegation of user credentials to remote servers. This means that the client will not be able to delegate the user's credentials to the remote server, which is required for Remote Credential Guard to work.

    When you enable the "Require Remote Credential Guard" setting, it ensures that the client uses Remote Credential Guard to protect the user's credentials when they are being delegated to the remote server. However, if you enable the "Restrict Credential Delegation" setting, it overrides the "Require Remote Credential Guard" setting and prevents the client from delegating the user's credentials to the remote server.

    Therefore, to use Remote Credential Guard, you need to ensure that the "Restrict Credential Delegation" setting is not enabled on the client.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Haijian Shan

  2. Anonymous
    2024-01-31T08:46:31+00:00

    Hi Haijian Shan,

    Thank you for your quick response.

    I can accept your response, but if this is the case then the above MS article (https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard?tabs=gpo) must be corrected as it states:

    "Restrict credential delegation: Remote Desktop Client must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Remote Credential Guard is preferred, but it uses Restricted Admin mode (if supported) when Remote Credential Guard can't be used"

    In my situation this would be the perfect setting for the clients, as they connect to some servers (e.g. a terminal server) where they are not admins, and this way they could connect using Remote Credential Guard (and SSO), and there are some development servers where they are local admins, and there they could connect using Restricted Admin.

    Now I have to find out how to work around this problem.

    Best Regards.

    Gergely Szabó

  3. Anonymous
    2024-02-04T07:20:09+00:00

    Hello Gergely Szabó1,

    Thank you for your reply.

    It is possible that there may be some other configuration issue or conflict that is causing Remote Credential Guard to stop working when the "Restrict Credential Delegation" setting is enabled on the client. Without more information about your specific setup, it is difficult to determine the exact cause of the issue.

    One possible workaround could be to create separate GPOs for the clients that connect to the terminal server and the development servers. You could then enable the "Require Remote Credential Guard" setting on the GPO for the terminal server clients and the "Restrict Credential Delegation" setting on the GPO for the development server clients.

    Alternatively, you could try using the "Allow delegating fresh credentials" setting instead of the "Restrict Credential Delegation" setting on the client GPO. This setting allows the client to delegate the user's credentials to the remote server, but only if they are fresh (i.e., the user has just entered them). This may provide the necessary security while still allowing Remote Credential Guard to function properly.

    Best Regards,

    Haijian Shan
