question

PetRich asked ·

Windows Defender Remote Credential Guard - SSO on client machine not remote host not working when credential guard on remote client is active

Surface 4 Pro Client (machine A) can connect via mstsc /remoteguard to (machine B) without entering passwords (SSO).

Inside machine B, the file shares of machine C should be accessed:

  1. Secure Boot disabled (meaning Credential Guard disabled) on machine A --> Successful SSO connection via mstsc /remoteguard to machine B, and inside machine B the file shares open successfully.

  2. Secure Boot enabled (meaning Credential Guard enabled) on machine A --> Successful SSO connection via mstsc /remoteguard to machine B, BUT inside machine B opening the file shares produces an error message: "No domain controller found" (a misleading error message).

Any helpful ideas or troubleshooting steps out there?

I'm collecting experiences for a greater rollout here.






windows-10-security

Hi,
 
Just want to confirm the current situation.
 
Please feel free to let us know if you need further assistance.
 
Best Regards,
Sunny

SunnyQi-MSFT answered ·

Hi,

Thanks for posting in Q&A platform.

Before we go further, could you please help to describe and provide more details about your environment?

Is there any related error message or event log on DC or server? If yes, please help provide for further troubleshooting.

Best Regards,
Sunny


PetRich answered ·

Hi Sunny,

I described as much as needed to make the environment as simple as possible, to avoid wrong directions.

So I would need a starting point for troubleshooting or at least a known bug report, because "Connect to other systems using SSO" isn't working in "Windows Defender Remote Credential Guard" in combination with "Device Guard enabled".

SSO works, when "Device Guard" = disabled.
SSO doesn't work, when "Device Guard" = enabled.


https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

It is documented in this picture:

72522-image.png




This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.


Hi SunnyQi, maybe you have already seen it: there is Andreas Bergen with the same issue.

BergenAndreas-6977 answered ·

Hello everybody,

We have the same issue, and I just tested it and can confirm that disabling "credential guard" makes "remote credential guard" work again.
I know that both features used to work together but stopped working some day in 2020. Maybe there was a Windows update in 2020 which broke things?
Any help is greatly appreciated.

Best regards
Andreas


Hallelujah, I'm not alone with this issue ;) Thanks for sharing.

PetRich answered ·

@SunnyQi-MSFT: Did you find something already?

There was a third one reporting the same issue in January 2019:

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2483
