Policy

Restrict delegation of credentials to remote servers

Microsoft Windows

Back to Credentials DelegationBack to main
Restrict delegation of credentials to remote servers
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
System > Credentials Delegation
Supported on
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1

Supported OS tags: Windows10, Windows10RT, Windows11, Windows81, WindowsRT81, WindowsServer2012R2, WindowsServer2016

When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client If you enable this policy setting, the following options are supported:   Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts.   Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts.   Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. Note: To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). Note: On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard.

Internal name
RestrictedRemoteAdministration
Policy ID
8520e440db60
Elements
1

Registry values

How enabled and disabled states update the registry.

ScopeRegistry locationTypeEnabled valueDisabled valueCopy
Computer
Path
Software\Policies\Microsoft\Windows\CredentialsDelegation
Value name
RestrictedRemoteAdministration
REG_DWORD
HKLM
1
HKLM
0
Registry location
Type REG_DWORD · Computer
Path
Software\Policies\Microsoft\Windows\CredentialsDelegation
Value name
RestrictedRemoteAdministration
Hive
HKLM
Enabled value
1
Disabled value
0

Policy elements

Inputs and configuration options exposed by this policy.

ScopeElementTypeRegistry mappingConstraints & behaviorCopy
Computer
Use the following restricted mode:
ID RestrictedRemoteAdministrationDrop
enum
Path
Software\Policies\Microsoft\Windows\CredentialsDelegation
Value name
RestrictedRemoteAdministrationType
Type
REG_DWORD
Options: Restrict Credential Delegation (3), Require Remote Credential Guard (2), Require Restricted Admin (1)
Use the following restricted mode:
Computer · Type enum
Registry mapping
Path
Software\Policies\Microsoft\Windows\CredentialsDelegation
Value name
RestrictedRemoteAdministrationType
Type
REG_DWORD
Details
Options: Restrict Credential Delegation (3), Require Remote Credential Guard (2), Require Restricted Admin (1)