In this post, we will see how the Remote Credential Guard feature, which has been introduced in Windows 10, can help protect remote desktop credentials in Windows 11/10 Enterprise and Windows Server.

Remote Credential Guard in Windows 11/10

The feature is designed to eliminate threats before it develops into a serious situation. It helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that’s requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. In the event of any misfortune where the target device is compromised, credentials of the user are not exposed because both credential and credential derivatives are never sent to the target device.

The modus operandi of Remote Credential Guard is very similar to the protection offered by Credential Guard on a local machine except for Credential Guard also protects stored domain credentials via the Credential Manager. An individual can use Remote Credential Guard in the following ways-

Hardware and software requirements

To enable smooth functioning of the Remote Credential Guard, ensure the following requirements of Remote Desktop client and server are met.

Enable Remote Credential Guard via Registry

To enable Remote Credential Guard on the target device, open Registry Editor and go to the following key: Add a new DWORD value named DisableRestrictedAdmin. Set the value of this registry setting to 0 to turn on Remote Credential Guard. Close the Registry Editor. You can enable Remote Credential Guard by running the following command from an elevated CMD:

Turn on Remote Credential Guard by using Group Policy

It is possible to use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection. From the Group Policy Management Console, navigate to Computer Configuration > Administrative Templates > System > Credentials Delegation. Now, double-click Restrict delegation of credentials to remote servers to open its Properties box. Now in the Use the following restricted mode box, choose Require Remote Credential Guard. The other option Restricted Admin mode is also present. Its significance is that when Remote Credential Guard cannot be used, it will use Restricted Admin mode. In any case, neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. Allow Remote Credential Guard, by choosing ‘Prefer Remote Credential Guard’ option. Click OK and exit the Group Policy Management Console.

Now, from a command prompt, run gpupdate.exe /force to ensure that the Group Policy object is applied.

Use Remote Credential Guard with a parameter to Remote Desktop Connection

If you don’t use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection. Things you should keep in mind when using Remote Credential Guard You can read more on this at Technet.