Policy
Restrict delegation of credentials to remote servers
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows81, WindowsRT81, WindowsServer2012R2, WindowsServer2016
When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client If you enable this policy setting, the following options are supported: Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts. Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. Note: To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). Note: On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation\RestrictedRemoteAdministration | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Use the following restricted mode: ID RestrictedRemoteAdministrationDrop | enum | HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation\RestrictedRemoteAdministrationType Type REG_DWORD | Options: Restrict Credential Delegation (3), Require Remote Credential Guard (2), Require Restricted Admin (1) |
Other policies in this category
Explore related policies at the same level.
- ComputerAllow delegating default credentialsAt least Windows Vista
- ComputerAllow delegating default credentials with NTLM-only server authenticationAt least Windows Vista
- ComputerAllow delegating fresh credentialsAt least Windows Vista
- ComputerAllow delegating fresh credentials with NTLM-only server authenticationAt least Windows Vista
- ComputerAllow delegating saved credentialsAt least Windows Vista
- ComputerAllow delegating saved credentials with NTLM-only server authenticationAt least Windows Vista
- ComputerDeny delegating default credentialsAt least Windows Vista
- ComputerDeny delegating fresh credentialsAt least Windows Vista
- ComputerDeny delegating saved credentialsAt least Windows Vista
- ComputerEncryption Oracle RemediationAt least Windows Vista
- ComputerRemote host allows delegation of non-exportable credentialsAt least Windows Server 2016, Windows 10 Version 1703