robertro-sit I agree that Credential Guard doesn't solve for the other issues that you mention, but Windows Attack Surface Reduction along with other tools does address them. The point that parobinson is making is true. You really should do secure administration from a dedicated workstation (SAW/PAW). Otherwise, you are doing what raver2475 said, which is putting lipstick on a pig. I'm not making any product announcements here, but you have to assume that at some point FIDO2 capabilities will be built directly into RDP. I believe this because it's one of the last places today that still requires a password. Otherwise you're using solutions like the one proposed here or others like Azure App Proxy/RDP Gateway, or using the Windows Admin Center with MFA. Either way, this solution above is MUCH better than using a password on an RDP session because you're using a NONCE instead of a password. 🙂