How to Secure Remote Desktop with Remote Credential Guard in Windows 10

For most system administrators, Remote Desktop is one of the most used features in Windows. As good as it is, every time you select the “Make sure that you trust this PC” option, you are taking a risk of compromising your machine by revealing your remote desktop credentials. This is particularly true if the remote system is unknown to you or if it is infected in some way.

To eliminate this, Microsoft introduced the Remote Credential Guard feature. When you enable this feature, Windows can protect your credentials by properly redirecting the Kerberos requests back to the system that is requesting it. Here is how you can easily enable the Remote Credential Guard feature to secure the remote desktop in Windows 10.

Using the Windows Group Policy Editor to enable remote credential guard is one of the easiest ways. To start, search for gpedit.msc and press the Enter button.

windows10-remote-desktop-open-group-policy-editor

The above action will open the Windows Group Policy Editor. Here, navigate to the location “Computer Configuration -> Administrative Templates -> System -> Credentials Delegation” in the left pane.

windows10-remote-desktop-open-policy-folder

Find the policy “Restrict delegation of credentials to remote servers” and double-click on it.

windows10-remote-desktop-open-policy-settings

As soon as you double-click on the policy, the policy settings window will open. Here, select the radio button “Enabled.” This action will enable new options in the Options field. Select the option “Require Remote Credential Guard” from the drop-down menu, and then click on the “OK” button to save the changes.

windows10-remote-desktop-set-policy-settings

Once you are done, this is how it looks in the Group Policy Editor.

windows10-remote-desktop-changed-policy-setting

Just restart your system, and the settings will take effect. If you don’t want to restart, just open the Command Prompt as admin and then execute the below command to force update the group policy settings.

GPUpdate.exe /force

If you’d rather use Windows Registry Editor, then you can do that same thing by simply adding a new value. To do that, press “Win + R,” type regedit and press the Enter button.

windows10-remote-desktop-regedit-run-command

The above action will open the Windows Registry Editor. Here, navigate to the following location on the left panel.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

windows10-remote-desktop-navigate-to-reg-key

Once you are here, right-click on the right panel and then select then option “New -> DWORD (32-bit) Value.”

windows10-remote-desktop-selete-dword

This action will create a new DWORD value. Name the new value as “DisableRestrictedAdmin” and press the enter button.

windows10-remote-desktop-rename-dword-value

Now, double-click on the new value to open the Edit Value window. Make sure that the value data is set to “0,” and then click on the “OK” button to save the changes.

windows10-remote-desktop-enter-value-data

Just restart the system to make the changes take effect.

Rather than completely enabling the Remote Credential Guard, you can also enable the feature on a case-by-case basis using the Command Prompt.

To do that open the Command Prompt, and then use the below command to start a new Remote Desktop connection. As you can see, the parameter /remoteGaurd will enable the Remote Credential Guard for that connection.

mstsc.exe /remoteGuard

windows10-remote-desktop-execute-command

Do comment below sharing your thoughts and experiences about using the above methods to enable Remote Credential Guard feature in Windows.

Leave a Reply

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.