Remote Credential Guard protects Remote Desktop credentials in Windows 10




You can enable Remote Credential Guard either through Group Policy or with a parameter passed to Remote Desktop Connection.

From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > System > Credentials Delegation.

Double-click Restrict delegation of credentials to remote servers to open its Properties dialog.

Now, in the Use the following restricted mode box, select Require Remote Credential Guard. The other option, Restricted Admin mode, is also available. If Remote Credential Guard cannot be used, Restricted Admin mode is used instead.

In either case, neither Remote Credential Guard nor Restricted Admin mode sends credentials in clear text to the Remote Desktop server.

Allow Remote Credential Guard by selecting 'Prefer Remote Credential Guard'.

Click OK and exit the Group Policy Management Console.

Now run gpupdate.exe /force from a command prompt to ensure that the group policy object is applied.
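To confirm on the RDP client that the policy took effect after gpupdate, the following added example (not part of the original article) reads the policy's registry values and reports the selected restricted mode. The registry path, value names and numeric codes are assumptions taken from the policy's ADMX template rather than from this page, and the function name is illustrative; verify them in your environment.

```powershell
# Added example: report the restricted mode applied by the
# "Restrict delegation of credentials to remote servers" policy.
# Assumption: the key, value names and codes below are the ones the
# policy template writes; they do not appear in the article itself.
function Get-RestrictedModePolicy {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    )

    # Mode names as the article lists them in the policy's drop-down.
    $modeNames = @{
        1 = 'Require Restricted Admin'
        2 = 'Require Remote Credential Guard'
        3 = 'Prefer Remote Credential Guard'
    }

    # $null when the key does not exist, i.e. the policy was never applied.
    $props   = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $enabled = ($null -ne $props) -and ($props.RestrictedRemoteAdministration -eq 1)
    $code    = if ($enabled) { $props.RestrictedRemoteAdministrationType } else { $null }

    if (-not $enabled) {
        $mode = 'Policy not enabled'
    } elseif ($null -eq $code) {
        $mode = 'Enabled, but no mode value present'
    } elseif ($modeNames.ContainsKey([int]$code)) {
        $mode = $modeNames[[int]$code]
    } else {
        $mode = "Unrecognized mode code $code"
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        PolicyEnabled         = $enabled
        ModeCode              = $code
        Mode                  = $mode
        # True when Remote Credential Guard is either required or preferred.
        RemoteCredentialGuard = $enabled -and ($code -in 2, 3)
    }
}

Get-RestrictedModePolicy | Format-List
```

A result of `Policy not enabled` after `gpupdate.exe /force` usually means the GPO is not linked or filtered to this computer.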

Use Remote Credential Guard with a Remote Desktop Connection

If you are not using Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to enable Remote Credential Guard for that connection.

mstsc.exe /remoteGuard

What to consider when using Remote Credential Guard

  1. Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory.
  2. Remote Credential Guard works only with the RDP protocol.
  3. Remote Credential Guard does not cover device claims. For example, if you attempt to access a file server from the remote computer and the file server requires a device claim, access is denied.
  4. The server and the client must authenticate with Kerberos.
  5. The domains must have a trust relationship, or the client and server must be joined to the same domain.
  6. Remote Desktop Gateway is not compatible with Remote Credential Guard.
  7. No credentials are sent to the target device. However, the target device still acquires Kerberos service tickets on its own.
  8. Finally, you must use the credentials of the user who is logged on to the device. Using saved credentials, or credentials other than your own, is not permitted.

Learn more on TechNet.


