RDP and Credential Guard issue

SA 1 Reputation point
2021-01-08T01:23:32.753+00:00

Hi, one of our users is having an issue with RDP and Credential Guard... I made sure it is disabled and followed all the steps I've found on numerous sites (registry, GPO, etc.). I even checked MS Intune and it seems disabled there.
https://www.tenforums.com/tutorials/68935-enable-disable-credential-guard-windows-10-a.html

See screenshot of the error... any ideas? It is an RDP file to a RemoteApp from local to Azure VM (RDS server)...


4 answers

  1. Anonymous
    2021-01-08T06:31:25.623+00:00

    Hi,

    Please try following policy configuration.

    1. Open the Local Group Policy Editor by pressing Win + R -> gpedit.msc;
    2. In the GPO editor, go to Computer Configuration –> Administrative Templates –> System –> Credentials Delegation. Find the policy named Allow delegating saved credentials with NTLM-only server authentication;
    3. Enable the policy and click on ‘Show’ button in the options window below and enter the value ‘TERMSRV/*’ (without quotes) into the list. Apply the changes.
    4. Do the same thing for the following policies:
      Allow Delegating Saved Credentials
      Allow Delegating Default Credentials with NTLM-only Server Authentication
      Allow Delegating Default Credentials
    5. Make sure that ‘Deny Delegating Saved Credentials’ is not enabled or does not contain ‘TERMSRV/*’ in the list
    6. Close all windows, open a command prompt, and use ‘gpupdate /force’ command to apply the policy directly.

    Also, open your RDP file to ensure the value "prompt for credentials" parameter is 0 (prompt for credentials:i:0).

    Thanks,
    Eleven


    If the answer is helpful, please click "Accept Answer" and up-vote it.


  2. reditguy 1 Reputation point
    2021-01-15T02:10:51.447+00:00

    Hi, the above didn't work (I can't log in with the account I posted with for some reason)... I am the person who asked the question. Any other suggestions?


  3. reditguy 1 Reputation point
    2021-01-15T03:41:47.217+00:00

    Hi, we did but no luck


  4. Chris Dymond 1 Reputation point
    2021-02-24T03:40:21.817+00:00

    Hi @reditguy, did you end up logging a case for this one?

    I have the same issue. In my case I have baseline security settings with Credential Guard disabled. Then when you view the 'per-setting' status (for the same policy) it lists 'Turn on Credential Guard' and the number of devices affected.

    -Update-

    Ok it's not broken, it's as intended. The devices originally received a UEFI Lock policy with Credential Guard enabled. This can only be turned off manually on the machine. Nothing you do in Intune will change it (No UEFI Lock, Disabled etc). You can change it for future devices but current ones need this:

    Registry key removal and bcdedit cmds as outlined:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
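
To see which of the states described in this thread a client is actually in (Credential Guard configured versus running, a UEFI-locked setting, and the Credentials Delegation lists from answer 1), the following read-only PowerShell check can be run on the affected machine. It is an added example, not code posted by any participant; the WMI class, registry paths and value names are the standard Windows ones and do not appear in the thread.

```powershell
# Added example (not from the thread): read-only audit, run elevated on the client.

# 1. Credential Guard as configured vs. as running (service id 1 = Credential Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
    CredentialGuardRunning    = $dg.SecurityServicesRunning -contains 1
    VbsStatus                 = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled, 2 running
} | Format-List

# 2. LsaCfgFlags in the local key and in the policy key.
#    A value of 1 is the UEFI-locked state that a later policy change does not undo.
$meaning = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without lock' }
$lsaKeys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
           'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$lsaState = foreach ($key in $lsaKeys) {
    $flag = (Get-ItemProperty -Path $key -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    [pscustomobject]@{
        Key         = $key
        LsaCfgFlags = $flag
        Meaning     = if ($null -eq $flag) { 'Not set' } else { $meaning[[int]$flag] }
    }
}
$lsaState | Format-Table -AutoSize

# 3. Server lists behind the Credentials Delegation policies named in answer 1.
#    An entry such as TERMSRV/* matches every RDP host, not only the intended one.
$cd    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$lists = 'AllowSavedCredentials', 'AllowSavedCredentialsWhenNTLMOnly',
         'AllowDefaultCredentials', 'AllowDefCredentialsWhenNTLMOnly', 'DenySavedCredentials'
$delegation = foreach ($list in $lists) {
    $sub  = Join-Path $cd $list
    $spns = @()
    if (Test-Path $sub) {
        $item = Get-Item $sub
        $spns = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }
    [pscustomobject]@{ Policy = $list; Servers = ($spns -join ', ') }
}
$delegation | Format-Table -AutoSize
```

If step 1 reports Credential Guard running while the management console shows it disabled, and step 2 shows `LsaCfgFlags` of 1, the machine is in the UEFI-locked state described in the last answer.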
