The Remote credential guard feature has been included in Windows 10 and Windows Server 2016 as a means to protect your credentials over a remotely connected desktop. This is done by redirecting Kerberos requests back to the device which is trying to establish the remote connection. Administrator credentials enjoy supreme privilege rights and are thus protected by Windows Defender Remote Credential Guard. The function of the Credential guard is to preserve the integrity of both credentials and credential derivatives even in situations of attack. These are never passed to the target device even if there is any virus attack.

Suppose you own a firm or an organization, where your help desk employees often need to connect to domain joined devices. During such connections, the domain joined devices might become vulnerable to malicious software threats. But, with Windows Defender Remote Credential Guard, an employee can use RDP to connect to the intended device without ruining the credentials.

Hardware and software requirements of Remote Credentials:

There are several hardware and software requirements of Remote Credentials which leverage uninterrupted functioning of the remote Credential Guard.

  1. The Remote Desktop Client and Remote Desktop server must be joined to an Active Directory domain.
  2. Kerberos Authentication should be turned on.
  3. The Remote Desktop client must be running Windows 10 version 1607 or later and/or Windows Server 2016.
  4. Both the target and source devices must either connected over the same domain, or the Remote Desktop server must be connected to a domain with a trusted connection with the client.
  5. The Remote Desktop Universal Windows classic app is supported by the Credential Guard. So, do not use the UWP app.
  6. The Remote Desktop remote host must allow restricted administrator connection, and also the client’s domain user in order to access Remote Desktop Connections.
  7. The remote host should allow delegation of non-exportable credentials.
  8. The Remote desktop client device must deploy Kerberos authentication to connect to the remote host.
  9.  If the client fails to establish a connection to a domain controller, then RDP attempts to fall back to NTLM. The Remote Credential Guard refrains NTLM from fallback because this would expose credentials to risk.

That’s a brief about Windows Defender Remote Credential Guard for Windows 10 and Windows Server 2016.


Happiness is that best therapy. Use it to heal yourself and then others!


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.