From f639960d8fe106dcf5e322c3784fb16465ca7a9b Mon Sep 17 00:00:00 2001 From: Martin Date: Mon, 13 Feb 2023 22:26:13 +0100 Subject: [PATCH] Clarification on GPO effect on restrictedAdmin My testing shows that Restricted Admin mode cannot be enforced with "mstsc.exe /remoteAdmin" when "Restrict Credential Delegation" is enabled. I had previously assumed this but it seems not to be the case. A clarification would be useful for others. --- windows/security/identity-protection/remote-credential-guard.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index eb1922b3a8..713651da1e 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -156,6 +156,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C > [!NOTE] > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > When **Restrict Credential Delegation** is enabled the /restrictedAdmin switch has no effect; consequently, Windows Defender Remote Credential Guard will be preferred. - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.