Restrict delegation of credentials to remote servers

When running in Restricted Administration mode or if the device is using Remote Credential Guard, participating apps do not expose credentials to remote devices (regardless of the delegation method). Restricted Administration mode may limit access to resources located on other servers or networks beyond the target computer because credentials are not delegated. Remote Credential Guard does not limit access to resources, because it redirects all requests back to the client device.

Participating apps:
Remote Desktop Client

If you enable this policy setting, Restricted Administration mode or Remote Credential Guard is enforced and participating apps will not delegate credentials to remote devices.

If you disable or do not configure this policy setting, Restricted Administration mode and Remote Credential Guard are not enforced and participating apps can delegate credentials to remote devices.

Note: To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation).

Note: On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard.

Supported on: At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\Windows\CredentialsDelegation
Value Name: RestrictedRemoteAdministration
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

Use the following restricted mode:

  1. Prefer Remote Credential Guard
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Microsoft\Windows\CredentialsDelegation
    Value Name: RestrictedRemoteAdministrationType
    Value Type: REG_DWORD
    Value: 3
  2. Require Remote Credential Guard
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Microsoft\Windows\CredentialsDelegation
    Value Name: RestrictedRemoteAdministrationType
    Value Type: REG_DWORD
    Value: 2
  3. Require Restricted Admin
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Microsoft\Windows\CredentialsDelegation
    Value Name: RestrictedRemoteAdministrationType
    Value Type: REG_DWORD
    Value: 1
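
As an added example (not part of the original policy reference), this PowerShell function reads the two values documented above and reports which mode is in force on the local machine, including the Windows 8.1 / Windows Server 2012 R2 case from the note. The function name and output property names are hypothetical; the registry path, value names and value meanings come from this page.

```powershell
# Added example: read-only audit of the policy values documented on this page.
function Get-RestrictedDelegationPolicy {   # hypothetical helper name
    param(
        [string]$Path = 'HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation'
    )

    # RestrictedRemoteAdministrationType values as listed on this page
    $modeNames = @{
        1 = 'Require Restricted Admin'
        2 = 'Require Remote Credential Guard'
        3 = 'Prefer Remote Credential Guard'
    }

    # Returns $null when the key or the value is absent ("not configured")
    $read = {
        param($name)
        (Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue).$name
    }
    $enabled = & $read 'RestrictedRemoteAdministration'
    $type    = & $read 'RestrictedRemoteAdministrationType'

    # Windows 8.1 / Server 2012 R2 report version 6.3 and lack Remote Credential Guard
    $os = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $legacy = ($os.Major -eq 6 -and $os.Minor -eq 3)

    if ($enabled -ne 1) {
        $effective = 'Not enforced: participating apps can delegate credentials'
    } elseif ($legacy) {
        $effective = 'Restricted Admin (enforced regardless of the mode chosen on this OS)'
    } elseif ($null -ne $type -and $modeNames.ContainsKey([int]$type)) {
        $effective = $modeNames[[int]$type]
    } else {
        $effective = 'Enforced, but the mode value is missing or not one of 1, 2, 3'
    }

    [pscustomobject]@{
        PolicyEnabled = $enabled
        ModeValue     = $type
        EffectiveMode = $effective
        OSVersion     = $os.ToString()
    }
}

Get-RestrictedDelegationPolicy | Format-List
```

A `PolicyEnabled` of 0 or an empty value both mean the policy is not enforced, matching the "disable or do not configure" case above.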


credssp.admx
