Hi.
Please refer to this article:
Hope the information is helpful.
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello,
apparently the "double-hop" problem (https://learn.microsoft.com/en-us/answers/questions/744867/remote-credential-guard-double-hop-issue-after-ser) when using Remote Credential Guard (RCG) on a Windows 11 22H2 (Build 22621.1702) endpoint is present again. I.e. after connecting via mstsc /remoteGuard to a Windows 11 PC it is not possible to access network drives. A login dialog appears with the error message "No connection to a domain controller could be established to handle the authentication request."
Win11 configuration (target system):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
"DisableRestrictedAdmin"=dword:00000000
(https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard)
Configuration Win10/Win11 (source system):
Encryption Oracle Remediation - Force: Updated Clients
Remote host allows delegation of non-exportable credentials - Active
Restrict delegation of credentials to remote servers - Active (Require Remote Credential Guard)
The only thing that currently helps is to lock the computer 1x and log in again. After that the connection to network drives etc. works.
The problem does not exist between Windows 10 systems with the same GPO settings. There everything works as it should (even with activated Credential Guard).
Any help would appreciated. Thx.
cu..
Z. Embaxter
Did you manage to find a solution? Our Windows 10 units are working ok but the Windows 11 have no mapped drives
Believe it or not, as of yesterday, there is hope.
MS support contacted me about my support request and said that it's a confirmed bug and that they will resolve it (planned) with the december 2023 cumulative update, possibly already with the preview update (late november 23).
I have the exact same problem. I have been struggling with this for the last couple of weeks. Happy so realize that I am not completely alone with this problem. Do you have a bug ID or similar so that I can track the progress with Microsoft myself?
No bug ID that is public, no. I expect MS to serve an update for this next week. Will let you know as soon as I tested it (and I will, as soon as it is released).
I have this issue connecting from Windows 11 to Server 2022. Do you have any more details on the planned fix?
Which OS will be patched?
No details. Just that it will be the optional update next week. I told them that all OS' (and all server OS') are affected, so they know about server 2022 and will rectify that.
Never mind, I tested this on some Windows 11 machines and discovered that the Remote Credential Guard GPO works as "All or Nothing"
If it's enabled, I can only initiate RDP connections using my current credentials. No idea why they did not add an option to force it only for specific hosts (similar to the delegation policy) or add a fallback.
So Credential Guard is out for my environment.
David, you may use alternate Credentials. Simply start mstsc.exe as using runas or scripted with psexec as other user. That's what we do here.
David, what we do in this situation: start mstsc.exe as other user. The credentials of that user are passed on, then. Use runas or psexec (or context menu [shift right-click] : run as different user)
Thanks, interesting solution. Why do you need to use runas, once you open mstsc as "other user"?
That's a misunderstanding. I was telling you how to run mstsc as other user - either interactive using right-click or scripted (batch) using psexec :-)
The preview update for Win11 23H2 came in yesterday. NOT FIXED.
I contacted the MS support people and asked to what date the fix was delayed to. Will let you know what they answered.
They haven't answered yet. That's support!
The december CU doesn't contain the fix, either. I hope the december D week will contain it. XMas present.
I can confirm we are also having issues with Windows 10/11 beyond version 21H2 having the issue. When support for 21H2 expires in Jun 2024, this is going to reduce the security posture of organizations that rely on RCG in helping to limit lateral movement as there doesn't appear to be any work around other than removing the ability to utilize RCG. This is a BIG issue that needs attention.
Has anyone managed to find a workaround for this issue? I am seeing this problem at several customers, but I also have a customer where we haven't seen the problem yet. @MTG do you have a MSFT bug ID? I am planning to raise another ticket with MSFT. It would be really helpful to have a bug ID for referral.
Hi Jonatan. I have a tracking ID for my yet unresolved issue, yes. It's #2307060030003531 Since the ticket was closed and a patch was promised (which did not arrive, yet) I reopened it just yesterday and will be on the phone with their support today or tomorrow and will let you know when they plan to finally deliver the promised update.
Spoke to support. They are not able to tell if the fix was already delivered or not (!?) and will need to investigate. Told them that if it was delivered, it doesn't work. They made out the next telephone call for the 25th of Jan.
Thanks. I am really looking forward to hear what Microsoft can tell you tomorrow. I have 4-5 installations that used to work with Windows 10, but now prompts for credentials when the users attempt to access network drives via RDS. I really cannot understand why this hasn't received more attention by Microsoft yet. They are pushing "Passwordless" as a strategy, but at same time they break it down on RDS.
How did your meeting go MTG? We’re in the midst of evaluating Windows Hello for Business for our Windows 11 clients, and this is stopping us in our tracks. Interested to hear how you got on. :) Thanks, Chris
Support told me that the fix was postponed (no reason given). Its release is expected in the last week of march 24 as optional update (will of course be part of the regular CU of April as well). Waiting...waiting...waiting.
This reminds me of the AOVPN issue where Microsoft didn’t fix it for nearly two years after launch, but it still worked perfectly on Windows 10. Very disappointing that Microsoft are pushing orgs to Windows 11 and Passwordless, yet features work better on previous versions.
FYI for anyone wondering, not fixed in February CU Release Preview (KB5034848). Fingers crossed for March CU Release Preview. Please don't let us down Microsoft...
Just tried to implement RCG and run into the same issue. Hopefully MS can fix it soon.
Latest Windows 11 Release Preview build (KB5035942) which just released seems to have fixed it for us. Fingers crossed it makes its way to the GA channel next month.
Scrap what I said above, it looks like there is another issue now.
Whilst you can authenticate against resources (such as file shares) within RDP successfully, you have to do it by IP address. Attempting to do it by FQDN/hostname results in failure about not being able to find the resource.
DNS works fine on the server, can ping resources. Klist shows tickets issued against the hostnames/fqdn, at a loss as to why it's not working.
Hopefully someone else can chime in.
Doesn't work here, either! I will reopen the case and tell them a word or two, now, you can believe me.
doublepost due to refresh problems of this great site
Let us know how you get on MTG, it's depressing how long this is taking to remediate.
Is your issue the same as mine where DNS just fails completely for accessing anything with RCG? Kerberos tickets are generated (including hostname!) and can access by IP.
DNS works from CMD, just doesn't work with anything using the RCG auth context - making it basically useless still.
Update 11.April.2024: For me, the April Updates didn't solve the issue. Same for you?
Matthias, did you install the updates on "both ends"? There were updates needed for all servers and all client OS'. It works here.
@MTG Yes I can confirm, after having installed the Updates on both ends its working like it should.
Hello,
back after a long long time. I've read the whole Thread and i can confirm after installing the latest Updates on all Machines it works like it should. I would say:
Case closed (till next update?! ;) ).
Hello,
Thank you for the excellent information.
It was very helpful since I was struggling with the same issue.
By the way, I have another problem.
When using Remote Credential Guard, I can't automatically sign into Edge with my EntraID account when I use RDP.
Do you have any information on this?
I can sign in without any problems when not using Remote Credential Guard. I look forward to any helpful information.
Thank you.
Does anyone else have intermittent issues with this still? This started working for us after the update and we have competed a roll out of Windows 11 Azure AD joined devices and we get intermittent issues when users are unable to access resources such as mapped network drives within the RDP session (Windows Server 2019). Signing out of the session and back in again fixes the issue but it can happen again seemingly randomly.
This is broken again in Windows 11 24H2 feature update.
Microsoft pushing people towards Passwordless, but keep breaking crucial functionality to deliver this.
I can second this. I have 24H2 on arm64 and have the same problem with RCG.
Another confirmation - 24H2 RCG hops an issue when targeting non-24H2 systems.
Lock screen + password as a workaround, but defeats the purpose of RCG in doing so
FYI: I opened a pay-per-incident case with Microsoft about this 10 weeks ago. It took them several weeks to even acknowledge the problem, but now they are on it. Will let you know about their plans to patch it as soon as I have that info.
Any news on this? The lockscreen + password workaround is OK for us admins and RDP sessions, but this bug is also affecting our RemoteApps which rely on network shares and printers.
No news.
MS technical support is unable to reproduce the problem although any beginner can do this in 5 minutes. Sad but true. I shall send them a video file demonstrating it on a clean system - will do today.
It's shocking that you've opened a paid support case and they can't be bothered to make the effort to reproduce the issue - which is easy to do. It's literally a couple of policies.
Chris, it's not so shocking, I am afraid, it's rather, to use Microsoft speak, "expected behavior".
Last time (when the same bus occured on 22H2), it took them several months to confirm the bug and 12 months to roll out a patch. So as of today, my case is 3 or 4 months old - normally, I would not expect to see a fix before summer '25. Yesterday, they just asked me (after months) "how many users are affected" and "did you try setting the policies this way [describing the same way as described in my ticket]. It's outragous. Last time I contacted their managers to complain - not even a response.
RCG does appear to be working between 24H2 Win 11 client and server 2025.
Hi.
Please refer to this article:
Hope the information is helpful.
Almost the same here.
Win11 22h2 ->Win10 22H2 = same problem with share access.
Win10 22h2 ->Win11 22H2 = same problem.
Win11 22h2 ->Win11 22H2 = works!
Win10 22h2 ->Win10 22H2 = works!
Reproducible anywhere, even in a clean lab domain.
Credential guard is inactive, remote credential guard is active.
@Hania Lian : Thx for your reply. Because the article ist titled "Known Issues...", does this mean, it will be fixed in near future, it won't be fixed at all?
I asked because we don't have any Events within "Application and Services Logs\Microsoft\Windows\NTLM\Operational" which is mentioned in the linked article.
cu...
Z. Embaxter
Is it over, can we please call it "over"? :-)
Yesterday, the preview patches arrived and they work!Win10 22H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5035941 Win11 23H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5035942
Still not working for me MTG, Windows 11 23H2.
To confirm, VBS is enabled on the environment I'm trying to access (Windows Server 2022) with required credential delegation. It works by IP, but DNS seems to be non-existent when authenticating with RCG.
I can resolve DNS of the resources in CMD and it shows with ticket in klist with hostname against it, but when trying to navigate/reach it fails with being unable to find (DNS error).
Can you share your environment/policies? This is what I have set.
Still not perfect. I can confirm that I can:
Win11 23H2->Win Server 2019 & Win10 (and reverse)
but I can't use network resources on server 2022 when I rdp from Win11 23H2 -> Server 2022. There's no patch seen for server 2022, yet.
Unfortunately not the same experience for me.
Windows 11 23H2 --> Server 2019, doesn't work by IP or DNS.
Windows 11 23H2 --> Server 2022, works by IP but not by DNS.
Windows 10 works flawlessly to all servers.
Chris, whatever it was that made it work here for Win11 23H2->server 2019, it does not work right now. So what is fixed is limited to correct remote credential guard between (back and forth) win11<->win10, while RCG on servers is still broken. But: that is expected since it seems as though both ends need adjustments and the servers have not received updates addressing this, yet. I share this in my MS support case (which is still closed since these people show no need to respond to their customers in a timely fashion) and I expect server updates to follow next month.
As for the settings here in the test environment: all is vanilla (no settings apart from remote credential guard being activated).
I'm pleased to confirm the latest April updates have fixed this issue.
Yes, this did it for me:
...This update addresses an issue that affects a network resource. You cannot access it from a Remote Desktop session. This occurs when you turn on the Remote Credential Guard feature and the client is Windows 11, version 22H2 or higher...
April 9, 2024—KB5036896 (OS Build 17763.5696) - Microsoft Support
Hooray (!?), the latest Win11 24H2 build resurrects the problem. I can't believe it. Running 26100.1297 here.
Yep, the problem is back. I'm on 26100.1301.
Can confirm the bug is back, running 24H2 26100.2033 (October LCU).