From f639960d8fe106dcf5e322c3784fb16465ca7a9b Mon Sep 17 00:00:00 2001 From: Martin Date: Mon, 13 Feb 2023 22:26:13 +0100 Subject: [PATCH 1/2] Clarification on GPO effect on restrictedAdmin My testing shows that Restricted Admin mode cannot be enforced with "mstsc.exe /remoteAdmin" when "Restrict Credential Delegation" is enabled. I had previously assumed this but it seems not to be the case. A clarification would be useful for others. --- windows/security/identity-protection/remote-credential-guard.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index eb1922b3a8..713651da1e 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -156,6 +156,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C > [!NOTE] > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > When **Restrict Credential Delegation** is enabled the /restrictedAdmin switch has no effect; consequently, Windows Defender Remote Credential Guard will be preferred. - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. From 25cf9c63e199afe5368355885e9332bfb64772df Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 13 Feb 2023 18:07:41 -0500 Subject: [PATCH 2/2] Update windows/security/identity-protection/remote-credential-guard.md Co-authored-by: mapalko <20977663+mapalko@users.noreply.github.com> --- windows/security/identity-protection/remote-credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 713651da1e..2876ab9e18 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -156,7 +156,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C > [!NOTE] > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. - > When **Restrict Credential Delegation** is enabled the /restrictedAdmin switch has no effect; consequently, Windows Defender Remote Credential Guard will be preferred. + > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
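Review bot: In the line added by patch 1/2 at -156,6 +156,7, the switch is written as /restrictedAdmin, but the commit message reports testing with "mstsc.exe /remoteAdmin". Please confirm which switch was actually tested so the note and the commit message agree. The switch should also be set in inline code formatting so it reads as a literal mstsc.exe argument. The phrase "will be preferred" leaves open whether the connection falls back or fails. State the observed outcome instead.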
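Review bot: The replacement line in patch 2/2 (-156,7 +156,7) says Windows "will use Windows Defender Remote Credential Guard" whenever **Restrict Credential Delegation** is enabled, without saying which policy option that applies to. The unchanged bullet right after it tells the reader to choose **Require Remote Credential Guard**, so the policy has more than one setting. The note should name the setting or settings under which the /restrictedAdmin switch is ignored. It would also read better as its own note or bullet, because the existing note text is about clear-text credentials, not about policy precedence over the command-line switch.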