TruGrid SecureRDP - Credentials Passthrough Setup and Prerequisites
Overview
Trusted Location Login uses Remote Credential Guard (RCG) to pass an AD-joined user's Active Directory credentials from the client to the TruGrid Windows Connector at login. With the machine-wide Connector installed and starting automatically on login, the user is authenticated against On-Premises AD, signed in, and has their assigned application shortcuts created automatically, with no Entra ID sign-in or MFA prompt.
RCG keeps the user's credentials on the client. Authentication to target machines is performed over Kerberos, so no password is sent to or cached on the session host. This requires additional configuration on three components: the Connector (client devices), the TruGrid Sentry, and each target machine.
Prerequisites
- Hybrid domain with AD synced to Entra ID, configured for both Entra ID and On-Premises AD authentication
- Trusted Location Login enabled for the domain by TruGrid
- TruGrid Sentry installed and online
- Local awareness and passthrough features enabled for the domain
- AD-joined client devices
- Desktop Shortcuts feature enabled in TruGrid
- Latest TruGrid Windows Connector
- Administrative rights on the Sentry host, on client devices, and on target machines
- Sentry 7.2.0.9 or newer
1. Connector installation (client devices)
Install the Connector machine-wide with RCG enabled. Run from an elevated prompt or in SYSTEM context (RMM, GPO startup script, Intune in System context):
```powershell
TruGrid_Windows_Connector_<version>.exe /quiet PERMACHINE=1 ENABLE_RCG=1
```
ENABLE_RCG=1 is required for credential pass-through. PERMACHINE=1 is required so the Connector is installed for all users on the device and can start on login.
For the full installer reference and deployment patterns (Intune, GPO, RMM, PowerShell remoting), see TruGrid Windows Connector - Machine Wide installer.
2. Sentry configuration
Perform these steps on the TruGrid Sentry host.
a. Enable the Local API
The Connector communicates with the Sentry over its Local API. Enable it:
```powershell
Set-ItemProperty -Path "HKLM:\SOFTWARE\TruGrid\Sentry" -Name "LocalApiMode" -Value 'Enabled' -Type String
```
b. Register a Service Principal Name (SPN)
RCG authenticates over Kerberos, which requires an SPN registered on the account the Sentry service runs as (the same account set in step c):
```powershell
setspn -s TrugridSentry/<sentry-fqdn> <DOMAIN>\<sentryServiceAccount>
```
Example:
```powershell
setspn -s TrugridSentry/serv2019-022.dom003.com DOM003\TG-Service-v02
```
Confirm the SPN is registered on that account and is not duplicated elsewhere in the forest:
```powershell
setspn -L <DOMAIN>\<sentryServiceAccount>
setspn -Q TrugridSentry/<sentry-fqdn>
```
A duplicate SPN breaks Kerberos authentication, because the KDC cannot tell which account's key to issue the service ticket under. setspn -s itself refuses to add an SPN that already exists in the forest, but an SPN registered earlier with setspn -a (which performs no check) can still collide. If setspn -Q lists the SPN on more than one account, remove it from the wrong account with setspn -d before continuing.
c. Set the Sentry service logon account and restart
The Sentry service must run as the domain account the SPN was registered to, not LocalSystem. Confirm the exact service name, set the logon account, and restart:
```powershell
Get-Service *Sentry* | Select-Object Name, DisplayName, Status
Stop-Service "trugrid_sentry_health_monitor"
sc.exe config "trugrid_sentry_health_monitor" obj= "<DOMAIN>\<sentryServiceAccount>" password= "<password>"
Start-Service "trugrid_sentry_health_monitor"
Stop-Service "trugrid_sentry"
sc.exe config "trugrid_sentry" obj= "<DOMAIN>\<sentryServiceAccount>" password= "<password>"
Start-Service "trugrid_sentry"
```
The space after obj= and password= is required sc.exe syntax, not a typo. The service account needs the "Log on as a service" right; the Services console grants it automatically when you set the logon account there, but sc.exe does not, so when using sc.exe grant it through your standard user-rights-assignment GPO (otherwise Start-Service fails with a logon failure). A password typed on the command line is also written to the PowerShell history file; clear that history afterwards, or set the account through the Services console instead.
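The three Sentry steps above, done in one pass with the checks a practitioner would want before restarting services. This is an added example and not TruGrid's own tooling; it assumes it is run elevated on the Sentry host, that setspn.exe is available (it ships with Windows Server), the service names listed above, and that setspn -Q prints one line beginning with "CN=" for each account that holds the SPN (an assumption about setspn's output format). The password is prompted for rather than passed on the command line.

```powershell
# Added example (not TruGrid's tooling): configure the Sentry host for RCG
# and verify each step before moving to the next. Assumptions: elevated
# session on the Sentry host, setspn.exe present, service names as in the
# article, and setspn -Q output with one "CN=" line per SPN holder.
param(
    [Parameter(Mandatory)] [string] $SentryFqdn,      # e.g. serv2019-022.dom003.com
    [Parameter(Mandatory)] [string] $ServiceAccount   # e.g. DOM003\TG-Service-v02
)
$ErrorActionPreference = 'Stop'
$spn      = "TrugridSentry/$SentryFqdn"
$services = @('trugrid_sentry_health_monitor', 'trugrid_sentry')

# a. Local API: create the key if it is missing, then enable the API.
$key = 'HKLM:\SOFTWARE\TruGrid\Sentry'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'LocalApiMode' -Value 'Enabled' -Type String

# b. SPN: count the accounts that already hold it before touching anything.
function Get-SpnHolderCount([string] $Spn) {
    $out = & setspn.exe -Q $Spn 2>&1
    return @($out | Where-Object { "$_" -match '^\s*CN=' }).Count
}
$holders = Get-SpnHolderCount $spn
switch ($holders) {
    0       { & setspn.exe -S $spn $ServiceAccount | Out-Null }   # -S checks for duplicates before adding
    1       { Write-Host "SPN $spn is already registered once; leaving it in place" }
    default { throw "SPN $spn is held by $holders accounts; remove the duplicate with setspn -D first" }
}
# The SPN must now be on the account the service will run as.
$listed = & setspn.exe -L $ServiceAccount 2>&1
if (-not ($listed | Where-Object { "$_" -match [regex]::Escape($spn) })) {
    throw "$spn is not registered on $ServiceAccount"
}

# c. Service logon account. Prompting keeps the password out of the
# PowerShell history file that a command-line sc.exe call would write it to.
$cred  = Get-Credential -UserName $ServiceAccount -Message 'Sentry service account password'
$plain = $cred.GetNetworkCredential().Password
foreach ($svc in $services) {
    Stop-Service -Name $svc -Force
    # sc.exe needs "obj=" and the value as separate tokens; PowerShell passes them that way.
    & sc.exe config $svc obj= $cred.UserName password= $plain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $svc (exit $LASTEXITCODE)" }
    # sc.exe does not grant "Log on as a service"; if this start fails with a
    # logon failure, grant the right (Services console or GPO) and rerun.
    Start-Service -Name $svc
}

# Verify: every service reports the domain account as StartName and is running.
foreach ($svc in $services) {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
    if ($s.StartName -ne $cred.UserName -or $s.State -ne 'Running') {
        throw "$svc runs as '$($s.StartName)' in state '$($s.State)'; expected $($cred.UserName), Running"
    }
    Write-Host "$svc OK: running as $($s.StartName)"
}
```

Run it as `.\Configure-SentryRcg.ps1 -SentryFqdn serv2019-022.dom003.com -ServiceAccount DOM003\TG-Service-v02` (script name assumed). The script stops on a duplicate SPN rather than registering a third copy, and it refuses to report success unless Win32_Service shows the domain account, which is the check that catches a service silently left on LocalSystem.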

3. Target machine configuration (session hosts)
On every machine users connect to, allow Restricted Admin and Remote Credential Guard connections:
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 -Type DWord
```
A value of 0 permits Restricted Admin mode and Remote Credential Guard; a value of 1 blocks them. On hardened or newer Windows builds the value may be set to 1 or enforced by policy, in which case RCG connections fail until it is 0. Note that the same value also turns on Restricted Admin mode RDP on the host, which accepts a network logon backed only by an account's NTLM hash (pass-the-hash over RDP); this is a known trade-off of enabling RCG on a host and is worth weighing for hosts that hold privileged sessions.
Setting this per host by hand does not scale. Deploy it to all target machines with a Group Policy registry preference or a startup script:
- Computer Configuration > Preferences > Windows Settings > Registry
- Hive: HKEY_LOCAL_MACHINE
- Key: SYSTEM\CurrentControlSet\Control\Lsa
- Value name: DisableRestrictedAdmin
- Type: REG_DWORD
- Value: 0
No reboot is required for the value to take effect on new connections.
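A startup script or GPO preference sets the value but does not tell you which hosts actually have it. The following added example (not TruGrid's tooling) pushes the value to a list of session hosts over WinRM and reports the before and after state per host, so a host that GPO has not yet reached, or that a policy has reverted to 1, shows up in the output. It assumes PowerShell Remoting is enabled on the hosts and the caller is a local administrator on each; the host names are constructed placeholders.

```powershell
# Added example (not TruGrid's tooling): set DisableRestrictedAdmin=0 on every
# session host and verify it, over WinRM. Assumptions: remoting enabled on the
# hosts, caller is a local admin on each. Host names are constructed placeholders.
param(
    [string[]] $SessionHosts = @('rds-host-01.dom003.com', 'rds-host-02.dom003.com')
)
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$results = Invoke-Command -ComputerName $SessionHosts -ErrorAction Continue -ArgumentList $lsaPath -ScriptBlock {
    param([string] $Path)
    # Read the current value; $null means the value does not exist yet.
    $before = (Get-ItemProperty -Path $Path -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    if ($before -ne 0) {
        # Absent or 1: write 0 so the host accepts RCG (and Restricted Admin) connections.
        Set-ItemProperty -Path $Path -Name DisableRestrictedAdmin -Value 0 -Type DWord
    }
    $after = (Get-ItemProperty -Path $Path -Name DisableRestrictedAdmin).DisableRestrictedAdmin
    [pscustomobject]@{
        Before   = if ($null -eq $before) { 'absent' } else { $before }
        After    = $after
        RcgReady = ($after -eq 0)
    }
}

# Per-host report. PSComputerName is added by Invoke-Command and matches the name passed in.
$results | Format-Table PSComputerName, Before, After, RcgReady -AutoSize

# Hosts that returned nothing (offline, WinRM blocked, access denied) are still unconfigured.
$missing = $SessionHosts | Where-Object { $_ -notin $results.PSComputerName }
if ($missing) {
    Write-Warning ("Not configured (no WinRM response): " + ($missing -join ', '))
}
$notReady = $results | Where-Object { -not $_.RcgReady }
if ($notReady) {
    Write-Warning ("Value still not 0 after write (policy overriding?): " + ($notReady.PSComputerName -join ', '))
}
```

Run it once after deploying the GPO and again a day later: a host whose Before column has gone back to 1 is being reset by another policy or hardening baseline, which is the case the article warns about, and the fix is to remove that conflicting setting rather than to keep rewriting the value.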
Verification
- Connector installed machine-wide:
```powershell
Get-ItemProperty "HKLM:\SOFTWARE\TruGrid\TruGridWindowsConnector" -Name InstallDir
```
- Sentry Local API enabled:
```powershell
Get-ItemProperty "HKLM:\SOFTWARE\TruGrid\Sentry" -Name LocalApiMode
```
- SPN present and unique (setspn -Q TrugridSentry/<sentry-fqdn>).
- Sentry service running under the domain account.
- DisableRestrictedAdmin is 0 on the target.
- From an AD-joined client on the trusted network, log in. The user is authenticated against On-Premises AD with no Entra ID or MFA prompt, the Connector starts automatically, and the TG-APPS <user.name@domain.com> shortcuts folder appears on the desktop.

Notes
- These manual steps are temporary and are expected to be incorporated into the installer and Sentry setup in a future release.
- ENABLE_RCG=1 is a Connector installer parameter specific to this flow and is not yet listed in the general Machine Wide installer article.
Updated on: 17/06/2026
