Windows Defender Remote Credential Guard - SSO on client machine not remote host not working when credential guard on remote client is active

Peter 6 Reputation points
2021-02-22T11:29:43.14+00:00

Surface 4 Pro Client (machine A) can connect via mstsc /remoteguard to (machine B) without entering passwords (SSO).

Inside machine B, the file shares of machine C should be accessed:

  1. Secure Boot disabled (meaning Credential Guard disabled) on machine A --> SSO connection via mstsc /remoteguard to machine B succeeds, and inside machine B the file shares open successfully.
  2. Secure Boot enabled (meaning Credential Guard enabled) on machine A --> SSO connection via mstsc /remoteguard to machine B succeeds, BUT inside machine B opening the file shares fails with the (misleading) error message "No domain controller found".

Any helpful ideas or troubleshooting steps out there?

I'm collecting experiences for a greater rollout here.
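The two test cases above differ in exactly one variable on machine A (Secure Boot on or off, which toggles Credential Guard). The following PowerShell script is an added diagnostic, not code from the thread or from Microsoft: it records that variable plus the Remote Credential Guard settings on both ends, so the state of each machine can be compared between the working and the failing run. It reads the documented `Win32_DeviceGuard` WMI class, the `CredentialsDelegation` policy key the client-side "Restrict delegation of credentials to remote servers" setting writes to, and the `DisableRestrictedAdmin` LSA value on the RDP host. Machine names are placeholders; run it elevated on machine A and again on machine B.

```powershell
# Added example (not from the thread): inventory the state that the two test
# cases differ in, on whichever machine this runs on. Requires elevation.

function Get-CredentialGuardState {
    # Win32_DeviceGuard is the documented WMI view of VBS and Credential Guard.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Confirm-SecureBootUEFI throws on legacy BIOS or without admin rights.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'n/a' }

    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        SecureBoot                = $secureBoot
        VbsStatus                 = $vbs
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-RemoteCredentialGuardClientPolicy {
    # Client side (machine A). The Group Policy setting "Restrict delegation of
    # credentials to remote servers" lands under this key.
    # RestrictedRemoteAdministrationType: 1 = Require Restricted Admin,
    # 2 = Require Remote Credential Guard, 3 = Restrict credential delegation.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $mode = switch ([int]$p.RestrictedRemoteAdministrationType) {
        1       { 'Require Restricted Admin' }
        2       { 'Require Remote Credential Guard' }
        3       { 'Restrict credential delegation (either mode)' }
        default { 'Not configured' }
    }

    [pscustomobject]@{
        PolicyEnabled = ($p.RestrictedRemoteAdministration -eq 1)
        Mode          = $mode
    }
}

function Get-RemoteCredentialGuardHostState {
    # Host side (machine B). DisableRestrictedAdmin = 0 allows Restricted Admin
    # and Remote Credential Guard connections; the value is absent by default.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -ErrorAction SilentlyContinue
    $v = $lsa.DisableRestrictedAdmin

    [pscustomobject]@{
        DisableRestrictedAdminValue   = $v
        RemoteCredentialGuardAccepted = ($null -ne $v -and [int]$v -eq 0)
    }
}

'--- Credential Guard / VBS on this machine ---'
Get-CredentialGuardState | Format-List
'--- Remote Credential Guard client policy (relevant on machine A) ---'
Get-RemoteCredentialGuardClientPolicy | Format-List
'--- Remote Credential Guard host setting (relevant on machine B) ---'
Get-RemoteCredentialGuardHostState | Format-List

# The connection under test, as in the question (MACHINE-B is a placeholder):
#   mstsc.exe /remoteGuard /v:MACHINE-B
```

Capture the output on machine A once with Secure Boot disabled and once with it enabled; for the failure described above the only field that should change is `CredentialGuardRunning` (and `VbsStatus`). If `PolicyEnabled` or `Mode` also differ between the two runs, or `RemoteCredentialGuardAccepted` is false on machine B, the comparison is not isolating Credential Guard and those settings need to be aligned first.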


6 answers

  1. Sunny Qi 10,916 Reputation points Microsoft Vendor
    2021-02-23T08:02:53.8+00:00

    Hi,

    Thanks for posting in Q&A platform.

    Before we go further, could you please describe your environment and provide more details about it?

    Is there any related error message or event log entry on the DC or the server? If yes, please provide it for further troubleshooting.

    Best Regards,
    Sunny


  2. Peter 6 Reputation points
    2021-02-26T12:35:45.893+00:00

    Hi Sunny,

    I described only as much as needed to keep the environment as simple as possible and avoid wrong directions.

    So I would need a starting point for troubleshooting or at least a known bug report, because "Connect to other systems using SSO" isn't working in "Windows Defender Remote Credential Guard" in combination with "Device Guard enabled".

    SSO works, when "Device Guard" = disabled.
    SSO doesn't work, when "Device Guard" = enabled.

    https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

    It is documented in this picture:

    72522-image.png


  3. Bergen, Andreas 11 Reputation points
    2021-03-29T06:25:55.797+00:00

    Hello everybody,

    We have the same issue. I just tested it and can confirm that disabling "Credential Guard" makes "Remote Credential Guard" work again.
    I know that both features used to work together but stopped working some day in 2020. Maybe there was a Windows update in 2020 which broke things?
    Any help is greatly appreciated.

    Best regards
    Andreas


  4. Peter 6 Reputation points
    2021-04-09T10:39:21.733+00:00

    @Sunny Qi : Have you found anything yet?

    There was a third person reporting the same issue in January 2019:

    https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2483


  5. Peter 6 Reputation points
    2021-05-06T12:48:31.75+00:00

    94491-image.png

    Hi all, one thing that may be important to know is that we use the current "Microsoft Security Baseline":

    "MSFT Windows 10 20H2 and Server 20H2 Member Server - Credential Guard"
