Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,972 questions
Digging into that article you linked:
*Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported.
**Host PC is running Windows 10 Pro 22H2, so we ought to be good on this one.
**Guest (local) PC is running Windows 10 Pro 22H2, so we ought to be good there as well.
*Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or Azure AD registered if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported.
**The local PC we're trying to remote from is connected to the work account. We can see this in Access Work or School:
Clicking on Manage your Account in that Access Work or School window, then clicking on Devices at myaccount.microsoft.com, I can see that desktop computer in the list of devices:
Logging into the tenant at portal.office.com, going to active users, then clicking on devices, I see that this user doesn't have any devices enrolled in Intune. This is to be expected, we're not using Intune as we only have 365 Business Standard. Visiting aad.portal.azure.com and looking at the list of the user's devices, I see this workstation listed as "Azure AD registered:"
So I think we have this second criteria appeased.
*Ensure Remote Credential Guard, a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC.
**This is NOT checked:
A note on this point: if we try to log into this workstation using a local user from this same PC, we are successful. It's only when we try to access the AAD user that we cannot log in.
Double and triple checking the list of allowed users, the user that we're trying to log into from the remote computer is included in the list:
So, unless I'm missing something, I think we comply with that article.
I did set up a virtual machine, properly joined it to the Azure domain, and we were able to log in with that user's credentials just fine. So I think it has something to do with the fact that we're only an Azure AD registered PC. There is no local AD server running, and looking in the Azure Active Directory admin center, I don't see any policies that may be preventing Azure AD registered devices from being able to authenticate via RDP.
With this revelation, I was able to refine my Googleing and found the following thread on Stack Overflow, which talked me into adding the following two lines to the RDP file for this user's log-in:
enablecredsspsupport:i:0
authentication level:i:2
Adding those two lines and logging the user in with AzureAD\User@OurDomain.com was successful.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 14.000000000000002%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 28.000000000000004%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBP%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 44%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELB%3C/text%3E%3C/svg%3E)
