

Remote Credential Guard - Account restrictions

Question

Monday, January 8, 2018 4:23 PM

Hello,

Testing Credential Guard and Remote Credential Guard.

System #1: Windows 10 Enterprise, UEFI, Secure Boot, etc. all enabled; Credential Guard running and verified with msinfo32, LsaIso.exe running.

System #2: Windows 10 Enterprise as a VM on system #1. Again, UEFI, Secure Boot, etc. are all enabled; Credential Guard running and verified, as above.

So now we try to use Remote Credential Guard. On system #1 we start

mstsc /remoteguard

and try to connect to system #2 via hostname.

We get the message "Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced."

The account in question is a fresh account created for testing purposes. It has a normal password and there are no sign-in time limits, so the only thing left is a policy restriction. But which one? There are some policies in place in this domain to secure domain admins etc., but nothing specific to this account or these machines. How can we debug this and find out what's wrong?

Edit: also tried this between two physical machines. Same error. Not a VM problem.

All replies (3)

Tuesday, January 9, 2018 9:42 AM ✅ Answered | 2 votes

Alright, figured it out. The documentation at

https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard

confused me. The section "Enable Windows Defender Remote Credential Guard" says to add a registry key to enable RCG. But one line below it says "Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection".

So I wrongly assumed one can enable RCG via the GPO setting; my mistake. I have made the registry setting now, and RCG works. Question answered.

But during my debugging I found a policy setting that is unclear to me.

The description says RCG will only work when this policy setting is configured. However, in my tests the policy has zero effect, no matter what I set here. Can someone explain this to me?


Sunday, February 11, 2018 8:13 PM

Thanks, that helped; I was getting the same error and needed the reg key to enable it.

The page at https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard confused me too, but now perhaps I think I have got it.

To enable Windows Defender Remote Credential Guard you need to set the reg key. (Full stop, as that section ends.)

New section: Using Windows Defender Remote Credential Guard (client device). If I set the GPO setting on the 1709 client to require Remote Credential Guard, the connecting client (mstsc) must use Remote Credential Guard. If I run mstsc it will not prompt for a username and password on connect; it shows me on the connection screen the username it will use.

Maybe that's it :)
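
The accepted answer and the reply above draw the same line: the registry value from the Microsoft doc lives on the remote host and is what actually allows an RCG session, while the "Restrict delegation of credentials to remote servers" policy lives on the client and only decides what mstsc asks for. The script below is an added diagnostic written for this thread, not code from the posts or from Microsoft; it reads both locations so you can see which side is misconfigured before you get the generic "Account restrictions" error. Assumptions are marked in comments: the registry value names under CredentialsDelegation and the numeric mapping of RestrictedRemoteAdministrationType to the policy's drop-down options are taken from the policy template as I read it, so check them against the ADMX text on your build.

```powershell
# Added diagnostic for the thread above (example code, not from the original posts).
# Side 1, the remote HOST: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0
#         is the value the doc's "reg add" line creates; the client GPO never sets it.
# Side 2, the CLIENT: HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation holds
#         the "Restrict delegation of credentials to remote servers" policy (value names and
#         type mapping below are assumed from the ADMX; verify on your build).
# Run in an elevated PowerShell on the machine you want to inspect.

function Test-RcgHost {
    # A missing value or a value of 1 means the host refuses both Restricted Admin and
    # Remote Credential Guard connections; the client only sees the generic
    # "Account restrictions are preventing this user from signing in" message.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    $detail = if ($null -eq $val) { 'DisableRestrictedAdmin is not set' } else { "DisableRestrictedAdmin = $val" }
    [pscustomobject]@{ Side = 'Host'; Enabled = ($val -eq 0); Detail = $detail }
}

function Enable-RcgHost {
    # Same change the accepted answer made by hand; equivalent to the doc's reg add line.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    Test-RcgHost
}

function Get-RcgClientPolicy {
    # Assumed mapping of RestrictedRemoteAdministrationType to the GPO drop-down:
    # 1 = Require Restricted Admin, 2 = Require Remote Credential Guard,
    # 3 = Restrict credential delegation (prefer RCG, fall back to Restricted Admin).
    $modes = @{ 1 = 'Require Restricted Admin'; 2 = 'Require Remote Credential Guard'; 3 = 'Restrict credential delegation' }
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' -ErrorAction SilentlyContinue
    if ($null -eq $pol -or $pol.RestrictedRemoteAdministration -ne 1) {
        # Not configured: mstsc only uses RCG when you start it with /remoteGuard,
        # which is why the accepted answer saw "zero effect" from the policy on the host side.
        $mode = 'Not configured (mstsc uses RCG only when launched with /remoteGuard)'
    } else {
        $mode = $modes[[int]$pol.RestrictedRemoteAdministrationType]
        if (-not $mode) { $mode = "Unknown type $($pol.RestrictedRemoteAdministrationType)" }
    }
    [pscustomobject]@{ Side = 'Client'; Policy = $mode }
}

function Test-CredentialGuardRunning {
    # The check the original poster did with msinfo32: SecurityServicesRunning contains 1
    # when Credential Guard is running, and LsaIso.exe should be present as a process.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        LsaIsoProcess          = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

# Usage: on the host run Test-RcgHost (then Enable-RcgHost if Enabled is False);
# on the client run Get-RcgClientPolicy, then connect with:  mstsc.exe /remoteGuard /v:<hostname>
Test-RcgHost
Get-RcgClientPolicy
Test-CredentialGuardRunning
```

Two points worth keeping in mind when reading the output. First, the host-side value is the only thing that changes the server's behaviour; setting the client policy to "Require Remote Credential Guard" on a machine that is the target of the connection does nothing for inbound sessions, which is what the accepted answer observed. Second, the same DisableRestrictedAdmin value gates Restricted Admin mode as well as RCG on the host, so a client started with /restrictedAdmin needs it just as much as one started with /remoteGuard.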


Monday, July 22, 2019 5:15 AM

Please, any idea what this setting means? I tried setting it, but clients with /restrictedadmin do not work. Is it still needed to add the registry keys?

Falcon