🛡️ Essential 8 Guide

Remote Credential Guard functionality is enabled.

Summary

Remote Credential Guard protects credentials by preventing delegation of nonexportable credentials to remote hosts, reducing the risk of credential theft during remote authentication¹. Implemented via Intune/MDM using a settings catalog policy deployed to all devices to ensure consistent protection¹.

Justification

When a user connects to a remote host via Remote Desktop Protocol (RDP), Windows traditionally delegates credentials to the remote session host — storing credential material on a machine the administrator does not own. Attackers with local administrator access on a compromised RDP host can then run Mimikatz against the LSASS process of the RDP session to extract NTLM hashes or Kerberos tickets of connecting administrators, enabling immediate lateral movement.

Remote Credential Guard (RCG) routes all Kerberos and NTLM authentication requests back to the originating device. The remote host never receives or stores any credential material — it receives only a Kerberos service ticket valid for the remote session, not the underlying credentials. This means a fully compromised RDP host cannot be used to extract the credentials of an administrative user who connects to it.

This control is particularly important for Privileged Access Workstations (PAWs) and tiered administration models (Tier 0/1/2) where administrators manage sensitive infrastructure over RDP. Without RCG, a single compromised jump host or Tier 1 server can be used to harvest Tier 0 admin credentials.

[!NOTE] Remote Credential Guard requires both the client and server to be running Windows 10 version 1607 / Windows Server 2016 or later. It is not supported for RDP connections to Azure Virtual Machines; use just-in-time VM access instead.

Design Decision

[!NOTE] The Microsoft Defender for Endpoint baseline security baseline will be applied via Intune to all devices to enable Remote Credential Guard. It will be enforced across the entire environment.

Prerequisites

• Licensing: Microsoft Intune Plan 1 is required if Intune is used for implementation.²

• Permissions/Roles: Administrative permissions to create and deploy an Intune Settings Catalog policy and to assign it to device/user groups.²

• Dependencies:

  • Devices must be enrolled in Intune and joined to Entra ID and/or hybrid Azure AD joined.²
  • The implementation relies on a Defender for Endpoint baseline in Intune.³
  • The policy should be applied to all devices.¹

Implementation Steps

Enable Remote Credential Guard with Intune Settings Catalog

1. In Intune, create a Settings Catalog policy and configure the following settings:

1. Assign the policy to a group that contains as members the devices or users you want to configure.¹

Enable Remote Credential Guard with Policy CSP (Alternative)

1. Configure devices using a custom policy with the Policy CSP. Set the following:

1. Assign the policy to a group containing the target devices or users.¹

Enable Credential Guard with Intune Settings Catalog

1. In Intune, create a Settings Catalog policy and configure the following:

1. Assign the policy to a group that contains the devices or users you want to configure. If you need remote disable capability, choose the option Enabled without lock. After applying the policy, restart the device.²

Enable Credential Guard with DeviceGuard CSP (Alternative)

1. Create a custom policy with the following CSPs:

1. Assign the policy to a group containing the target devices or users.
2. Restart the device after the policy is applied.²

[!NOTE] For global baseline deployment, apply the Remote Credential Guard setting via the Microsoft Defender for Endpoint security baseline in Intune, which includes the RemoteHostAllowsDelegDelegationOfNonExportableCredentials setting. This baseline can be applied to all devices as a single assignment, removing the need for a separate custom policy.

Additional related information

• Credential Guard overview explains the core concepts, architecture, and security benefits of Credential Guard in Windows environments Credential Guard overview
• Enabling Credential Guard and Remote Credential Guard (ML3) describes how to enable Credential Guard and Remote Credential Guard using ML3 controls via the Essential Eight guidance Enabling Credential Guard and Remote Credential Guard (ML3)
• Account protection policy settings for endpoint security in Intune describes account protection profile options including Turn on Credential Guard Account protection policy settings for endpoint security in Intune
• Windows settings you can manage through an Intune Endpoint Protection profile explains Windows Defender Credential Guard and related settings you can manage with Endpoint Protection profiles Windows settings you can manage through an Intune Endpoint Protection profile
• Legacy privileged access guidance provides strategies for managing privileged access devices and related security considerations Legacy privileged access guidance
• Considerations and known issues when using Credential Guard outlines known caveats and compatibility issues when Credential Guard is enabled Considerations and known issues when using Credential Guard
• Trustworthy addition for Azure Local describes Credential Guard in Azure Local deployments and its protection of credentials in Local Security Authority Trustworthy addition for Azure Local