RDS (Remote Desktop Services) and Protect Remote Desktop credentials with Windows Defender Remote Credential Guard?

_KUL 286

We use SSO Protect Remote Desktop credentials with Windows Defender Remote Credential Guard on "Windows Server 2016" and "Windows Server 2019" servers. There are no problems. We have many users with "Windows Hello for Business + Key Trust" technology and there is an RDS farm (Broker + TS's) on "Windows Server 2016". We have configured the registry on all servers of the RDS farm. But use the connection "mstsc.exe /remoteGuard" fails.

All the latest updates are installed on the servers, and the check was performed through the Microsoft servers.
WindowsProductName : Windows Server 2016 Standard
WindowsCurrentVersion : 6.3
OsVersion : 10.0.14393
OsBuildNumber : 14393

Using the command mstsc.exe /remoteGuard:
An error occurs when trying to connect to a shared name - "An authentication error has occured. \r\n The function requested is not supported \r\n Remote computer: xxx \r\n This could be due to CredSSP encryption oracle remediation."
When trying to connect directly to the TS server, RDP opens, the session starts, and an error occurs inside the RDP screen - "The requested session access is denied." But if add a user to the Administrators group, everything works - but it's not right! On the server, an entry is recorded in the event log - "Session 5 has been disconnected, reason code 12".

Questions:

Will it work - "RDS and Protect Remote Desktop credentials with Windows Defender Remote Credential Guard" ?
What update should I install for Windows Server 2016 to fix the problem with Administrators / Remote Desktop Users groups (perhaps some update is missing) ?

5 answers

Leila Kong 3,691 Reputation points

2021-04-29T08:10:55.893+00:00

Hello @_KUL ,

How is everything going on your side?

It is from our internal document that:
Update October 2018 : Dev team has modified documentation to state that /remoteguard can only be used by administrators :

Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.

mstsc.exe /remoteGuard
Note
The user must be part of administrators group.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Leila Kong 3,691 Reputation points

2021-04-06T09:18:15.153+00:00

Hello KUL,

Please try to use the group policy settings to roll back the changes to ‘Vulnerable’ state to allow RDP access.

1.type "gpedit.msc" in search bar and open Group Policy Editor, navigate to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation, then select Enabled and change Production Level to Vulnerable, finally run the command gpupdate /force to apply group policy settings.

2.type "winver" in search bar and check the detailed OS build No. of 14393:
Please sign in to rate this answer.
_KUL 286 Reputation points

2021-04-09T05:58:57.063+00:00

Hello LeilaKong-MSFT!
Thank you for reply!

I tried your advice for a common RDS farm name. I changed the "Encryption Oracle Remediation" setting, but the error remained. Perhaps the Microsoft developers did not provide a connection to the RDS farm with a broker through the method "mstsc.exe /remoteGuard"?

You probably don't fully understand me. I am surprised that the TS servers 2016 from the RDS farm show an error message when connecting "The requested session access is denied.". But other 2016 servers (not RDS members) are successfully accepting connections "mstsc.exe /remoteGuard". All servers have a OsBuildNumber: 14393 and this is surprising ...

_KUL 286 Reputation points

2021-04-09T06:19:31.947+00:00

Additional information:

On the TS and regular servers, I turned off the Windows Update service

Deleted all content from C:\Windows\SoftwareDistribution

Started the Windows Update service

Forcibly checked the update via Microsoft Internet services

Installed all the required ones and rebooted

Connecting via "mstsc.exe /remote Guard" does not work on the TS server, but it works on a regular server.

_KUL 286 Reputation points

2021-04-09T06:20:12.827+00:00

The state of the HotFix on the TS server:
HotFixID Description InstalledOn FixComments

KB3199986 Update 11/21/2016
KB3202790 Security Update 10/8/2019
KB4054590 Update 8/30/2020
KB4462930 Update 10/8/2019
KB4509091 Security Update 10/7/2019
KB4520724 Security Update 11/16/2019
KB4521858 Security Update 10/9/2019
KB4524244 Security Update 2/13/2020
KB4535680 Security Update 3/1/2021
KB4540723 Security Update 3/11/2020
KB4550994 Security Update 4/15/2020
KB4562561 Security Update 7/3/2020
KB4565912 Security Update 8/3/2020
KB4576750 Security Update 10/5/2020
KB4577586 Update 3/31/2021
KB4589210 Update 4/1/2021
KB5001078 Security Update 3/1/2021
KB5000803 Security Update 4/1/2021

_KUL 286 Reputation points

2021-04-09T06:20:38.567+00:00

The state of the HotFix on a regular server:
HotFixID Description InstalledOn FixComments

KB3192137 Update 9/12/2016
KB4049065 Update 4/13/2018
KB4089510 Update 4/13/2018
KB4093137 Update 4/16/2018
KB4132216 Update 11/26/2018
KB4494175 Update 6/5/2020
KB4509091 Security Update 8/29/2019
KB4512574 Security Update 9/12/2019
KB4520724 Security Update 11/16/2019
KB4521858 Security Update 10/9/2019
KB4535680 Security Update 4/5/2021
KB4550994 Security Update 4/27/2020
KB4562561 Security Update 6/16/2020
KB4565912 Security Update 8/17/2020
KB4576750 Security Update 10/5/2020
KB4589210 Update 4/5/2021
KB5001078 Security Update 4/5/2021
KB5000803 Security Update 4/5/2021

Leila Kong 3,691 Reputation points

2021-04-09T09:44:45.577+00:00

Thank you, we're currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.

_KUL 286 Reputation points

2021-04-17T14:26:49.707+00:00

Hello!
I remind you of myself 😊
How is the research going? Did you manage to repeat this error in your sandbox? Is there any chance of solving the problem or releasing a fix in updates?
Sign in to comment
Leila Kong 3,691 Reputation points

2021-04-23T08:54:31.357+00:00

Hello @_KUL ,

Mstsc.exe /remoteguard only works with administrators.

Normal users should only use mstsc.exe without the “/remoteguard” parameter and you should ensure they have the correct GPO set for remote guard to be used for them.

Setup the remote guard GPO for normal user to use remoteguard:
https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

Can you uninstall the yellow update of problem server and install the yellow update of regular server as shown in below picture?

You may download here: https://www.catalog.update.microsoft.com/Home.aspx
Please sign in to rate this answer.
_KUL 286 Reputation points

2021-04-26T07:21:10.337+00:00

Hello!
A few details - why I really want to "mstsc.exe /remoteGuard" and why I'm sure it works in other cases, details here -> Windows Hello for Business Hybrid with certificate, but without ADFS ??? In the same place, Mr. "piaudonn" in the message "Feb 16 2021 at 6:09 AM" enlightened how everything works correctly. And it works!

I will try to follow your advice and remove/install updates, but there may be limitations - not all updates can be removed.
There is a suspicion that "mstsc.exe /remoteGuard" stops working when the terminal server role components are installed. Perhaps some kernel authentication mechanisms are being added and the new defender features are being ignored?
Sign in to comment
Leila Kong 3,691 Reputation points

2021-05-11T06:37:40.517+00:00

Hello @_KUL ,

How are things going there on this issue?
Please let me know if you would like further assistance.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Leila Kong 3,691 Reputation points

2021-05-18T09:36:58.313+00:00

Hello @_KUL ,

Just checking in to see if the information provided was helpful.
Please post back at your convenience if we can assist further.
Please sign in to rate this answer.
_KUL 286 Reputation points

2021-05-24T05:55:32.337+00:00

Sorry for my silence, I was on vacation.

I made a test experiment (new installation):

WindowsProductName : Windows Server 2016 Standard
OsVersion : 10.0.14393
OsBuildNumber : 14393
HotFixID Description InstalledOn FixComments
-------- ----------- ----------- -----------
KB3199986 Update 11/21/2016
KB4535680 Security Update 5/20/2021
KB4589210 Update 5/20/2021
KB5001402 Security Update 5/20/2021
KB5003197 Security Update 5/20/2021

Setting up the connection
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

Add a non-administrator to the local group "Remote Desktop Users" and check

C:\Users\kul>whoami /all
GROUP INFORMATION

Group Name Type SID Attributes
============================================ ================= ================== ==================================================

_KUL 286 Reputation points

2021-05-24T05:59:07.827+00:00

Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group ... other groups ... ... domain groups ...

_KUL 286 Reputation points

2021-05-24T05:59:51.347+00:00

3 . Launching the client in a special mode (mstsc.exe /remoteGuard). Connecting to the server. SSO works fine (even through Windows Hello)

4 . Setting the role "Remote Desktop Session Host". Restarting the server.

5 . Launching the client in a special mode (mstsc.exe /remoteGuard). Connecting to the server. Error during connection:
"The requested session access is denied."

Perhaps when the RDS role components are installed, they break the new SSO functions, or they are not friends together?

Leila Kong 3,691 Reputation points

2021-05-25T06:39:16.45+00:00

Hello @_KUL ,

Thanks for your response. Please understand due to security policy and from our professional level, we do not provide dump/log analysis. In addition, if this problem is more urgent for you, I still recommend that you open a case to Microsoft for further professional help.
https://support.microsoft.com/en-us/help/4341255/support-for-busines

_KUL 286 Reputation points

2021-05-25T06:45:25.92+00:00

Hello!
I understand you.
Thank you for your attention and for your time! :)

Leila Kong 3,691 Reputation points

2021-05-27T10:02:25.367+00:00

My pleasure.

Michael Hansson 1 Reputation point

2022-03-18T12:21:56.297+00:00

Hello! Did you find a solution for this problem, I have the exactly same problem and I cant find any solution how to make this work.

HPCPK-4455 1 Reputation point

2022-08-31T12:36:15.637+00:00

Same here, any new information about the issue or do we have to contact support?
Sign in to comment