Windows Defender Credential Guard: Root cause of Windows 11 22H2 RDP issues?

For weeks, administrators have been complaining about problems with remote desktop connections on Windows 11 22H2. Microsoft announced in July 2023 that it is investigating the problem, and there is probably a workaround. Coincidentally, however, a blog reader has come forward who has found the culprit for his RDP problems: in his case, Windows Defender Credential Guard seems to conflict with RDP.

Windows RDP problems

Problems with RDP connections after Windows updates are nothing new, and users of Windows 11 in particular are suffering from them. After installing the feature update to Windows 11 22H2, remote desktop clients can no longer connect, or the RDP connection is randomly interrupted or freezes unexpectedly. German blog reader Michael wrote in a comment to the German blog post Windows 11 22H2: Probleme und Upgrade-Stopper (English version: Windows 11 22H2: Issues and upgrade stoppers):

Installed today and already had problems that forced me to go back.

All my saved remote desktop connections did not work anymore; I got the error that the login attempt failed. You can enter a new password and then it works, but it is not saved; there is no way to remember it.

My VPN connections in the quick access at the bottom right of the taskbar are gone, click on the icon at the bottom and nothing happens.

Michael suspected in another post that it might have to do with Hyper-V and Windows Defender Credential Guard (which does not apply to Windows 11 Home systems). In any case, after uninstalling the feature update to Windows 11 version 22H2, the error was gone. I then summarized the status in the German blog post Windows 11 22H2: Microsoft untersucht RDP-Probleme (English version: Windows 11 22H2: Microsoft investigates RDP issues) and mentioned that Microsoft had started an official investigation into these issues.

Blame Defender Credential Guard

Now German blog reader Jens has left this comment, reporting that he has finally confirmed a collision between Windows Defender Credential Guard in Windows 11 22H2 and the component that establishes RDP connections. Jens wrote:

For all who also stumble across this post and have Windows 11 22H2 installed: For me, it was due to Windows Defender Credential Guard. Since one of the target hosts is not running Kerberos, the Remote Credential Guard blocked NTLM authentication.

This is a rather specific combination and would explain why not all administrators observe this behavior with Windows 11 22H2 RDP clients. Jens also immediately provided a workaround for the problem (thanks for that) and wrote:

With Regedit you can easily disable Credential Guard. Create under:

"Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

a new [32-bit] DWORD value with the name LsaCfgFlags and the value 0. Then reboot. At the first login it asks for the login data again; afterwards no more.

Perhaps this helps some affected users where the scenario outlined above applies. An ex-MVP and German Group Policy guru wrote in a comment: "Never establish RDP with an IP address. NTLM fallback occurs because the Kerberos realm cannot be recognized. Use the DNS FQDN, or the hostname if the suffix is in the search list."
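As an added diagnostic, not from the post or its commenters: this PowerShell script reports whether Credential Guard is running (via the Win32_DeviceGuard CIM class), shows the LsaCfgFlags values, optionally applies the registry workaround from Jens's comment, and checks whether an RDP target is an IP address, which forces the NTLM fallback the Group Policy comment warns about. It assumes an elevated session on the affected Windows 11 22H2 client; the Policies\...\DeviceGuard key and the Win32_DeviceGuard class are standard Windows locations that the post itself does not mention.

```powershell
# Added diagnostic for the Credential Guard / RDP scenario described in the post.
# Run elevated on the Windows 11 22H2 client. -Target is optional (the host you type into mstsc).
param(
    [switch]$ApplyWorkaround,
    [string]$Target
)

# 1. Is Credential Guard actually active? Win32_DeviceGuard.SecurityServicesRunning
#    contains 1 when Credential Guard is running (2 would be HVCI).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"Credential Guard configured: $($dg.SecurityServicesConfigured -contains 1)"
"Credential Guard running:    $($dg.SecurityServicesRunning -contains 1)"

# 2. LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
#    On 22H2 Enterprise/Education an absent value means the new default (enabled) applies.
#    The Policies key wins over the Lsa key when a GPO manages the feature.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
foreach ($key in $lsaKey, $policyKey) {
    $flags = (Get-ItemProperty -Path $key -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    "$key\LsaCfgFlags = $(if ($null -eq $flags) { '<not set>' } else { $flags })"
}

# 3. The workaround from the comment: 32-bit DWORD LsaCfgFlags = 0 under the Lsa key, then reboot.
if ($ApplyWorkaround) {
    $policyFlags = (Get-ItemProperty -Path $policyKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    if ($null -ne $policyFlags) {
        Write-Warning "Credential Guard is set by Group Policy ($policyKey); the Lsa value will be reverted on policy refresh."
    }
    if ($policyFlags -eq 1 -or (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags -eq 1) {
        Write-Warning 'Credential Guard was enabled with UEFI lock; a registry change alone will not disable it.'
    }
    New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -PropertyType DWord -Value 0 -Force | Out-Null
    'LsaCfgFlags = 0 written. Reboot; the first RDP login will prompt for credentials once more.'
}

# 4. Kerberos needs a name it can map to a realm. An IP address forces NTLM fallback,
#    which is exactly what Credential Guard then blocks. Suggest the FQDN instead.
if ($Target) {
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
        try {
            $fqdn = [System.Net.Dns]::GetHostEntry($ip).HostName
            "Target $Target is an IP address; connect to '$fqdn' instead so Kerberos can be used."
        } catch {
            "Target $Target is an IP address with no reverse DNS entry; RDP will fall back to NTLM."
        }
    }
}
```

Disabling Credential Guard removes the protection against pass-the-hash described later in the post, so the -ApplyWorkaround switch is meant for isolated troubleshooting, with the FQDN fix from the comment as the preferred remedy.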


Windows Defender Credential Guard is a security feature that isolates users' credentials from the rest of the operating system to prevent their theft. Microsoft introduced Defender Credential Guard in Windows 10 Enterprise and Windows Server 2016. When Windows Defender Credential Guard is active, only privileged system software can access users' credentials.

Starting with Windows 11 Enterprise version 22H2 and Windows 11 Education version 22H2, Windows Defender Credential Guard is enabled by default on compatible systems. This changes the feature's default state in Windows, although system administrators can still change whether it is active.

According to Microsoft's documentation, the protection is particularly effective against pass-the-hash attacks because it protects NT LAN Manager (NTLM) password hashes and Kerberos ticket-granting tickets. Windows Defender Credential Guard stores full-length randomized hashes to defend against trial-and-error threats such as brute-force attacks. In addition, Credential Guard protects all credentials that applications store as domain credentials.

Similar articles:
Windows 11 22H2: Verhunzter Defender Remote Credential Guard?
Windows Defender Credential Guard Update and Revisions (August 9, and 15, 2022)

This entry was posted in Security, Windows.