Code Library

Remote credential guard provides protection against your credentials being stolen when you are remotely connected to a system via a remote desktop session.

When a user attempts to remote desktop to a remote host, the Kerberos request is redirected back to the originating host for authentication. The credential simply does not exist on the remote host any more. If a remote host (i.e., an end user’s computer or server) has malicious code running on it that can obtain credentials, remote credential guard will mitigate this because no credentials will be passed into the remote host.

There are some requirements for remote credential guard to operate:
 The user must be joined to the same Active Directory domain or a remote desktop server must be joined to a domain with a trust relationship to the client device’s domain.
 They must use Kerberos authentication.
 They must be running at least Windows 10, version 1607 or Windows Server 2016.
 The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows
Platform app doesn't support Remote Credential Guard.

To turn on remote credential guard, you can configure this via a group policy and widely deploy this
across your estate.

To configure this via group policy, open the Group Policy Management Console, and then go to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation. Next,
double-click Restrict Delegation To Remote Servers, and then select Require Remote Credential
Guard. Finally, click OK and run gpudpate /force to push the group policy out.

Source of Information : Microsoft Introduction Windows Server 2016