TruGrid SecureRDP - Credentials Passthrough Setup and Prerequisites

Overview


Trusted Location Login uses Remote Credential Guard (RCG) to pass an AD-joined user's Active Directory credentials from the client to the TruGrid Windows Connector at login. With the machine-wide Connector installed and starting automatically on login, the user is authenticated against On-Premises AD, signed in, and has their assigned application shortcuts created automatically, with no Entra ID sign-in or MFA prompt.


RCG keeps the user's credentials on the client. Authentication to target machines is performed over Kerberos, so no password is sent to or cached on the session host. This requires additional configuration on three components: the Connector (client devices), the TruGrid Sentry, and each target machine.


These steps are currently performed manually. They will be folded into the installer and Sentry configuration in a future release.


These instructions assume Trusted Location Login has already been enabled for the domain by the TruGrid team. Complete the requirements in the Trusted Location Login article first.


Prerequisites


  • Hybrid domain with AD synced to Entra ID, configured for both Entra ID and On-Premises AD authentication
  • Trusted Location Login enabled for the domain by TruGrid
  • TruGrid Sentry installed and online
  • Local awareness and passthrough features enabled for the domain
  • AD-joined client devices
  • Desktop Shortcuts feature enabled in TruGrid
  • Latest TruGrid Windows Connector
  • Administrative rights on the Sentry host, on client devices, and on target machines
  • Sentry 7.2.0.9 or newer


If you are missing the Local Awareness or Passthrough features, please reach out to TruGrid Support. These will be added to the TruGrid Admin portal at a future date.

1. Connector installation (client devices)


Install the Connector machine-wide with RCG enabled. Run from an elevated prompt or in SYSTEM context (RMM, GPO startup script, Intune in System context):

TruGrid_Windows_Connector_<version>.exe /quiet PERMACHINE=1 ENABLE_RCG=1

  • ENABLE_RCG=1 is required for credential pass-through.
  • PERMACHINE=1 is required so the Connector is installed for all users on the device and can start on login.

For the full installer reference and deployment patterns (Intune, GPO, RMM, PowerShell remoting), see TruGrid Windows Connector - Machine Wide installer.


2. Sentry configuration


Perform these steps on the TruGrid Sentry host.


a. Enable the Local API


The Connector communicates with the Sentry over its Local API. Enable it:


PowerShell:

Set-ItemProperty -Path "HKLM:\SOFTWARE\TruGrid\Sentry" -Name "LocalApiMode" -Value 'Enabled' -Type String


b. Register a Service Principal Name (SPN)


RCG authenticates over Kerberos, which requires an SPN registered against the account the Sentry service runs as:

setspn -s TrugridSentry/<sentry-fqdn> <DOMAIN>\<sentryServiceAccount>

Example:

setspn -s TrugridSentry/serv2019-022.dom003.com DOM003\TG-Service-v02


Confirm the SPN registered and is not duplicated elsewhere in the forest:

setspn -L <DOMAIN>\<sentryServiceAccount>
setspn -Q TrugridSentry/<sentry-fqdn>


A duplicate SPN breaks Kerberos authentication. If setspn -Q returns more than one entry, resolve the duplicate before continuing.


c. Set the Sentry service logon account and restart


The Sentry service must run as the domain account the SPN was registered to, not LocalSystem. Confirm the exact service name, set the logon account, and restart:


PowerShell:

Get-Service *Sentry* | Select-Object Name, DisplayName, Status

Stop-Service "trugrid_sentry_health_monitor"
sc.exe config "trugrid_sentry_health_monitor" obj= "<DOMAIN>\<sentryServiceAccount>" password= "<password>"
Start-Service "trugrid_sentry_health_monitor"

Stop-Service "trugrid_sentry"
sc.exe config "trugrid_sentry" obj= "<DOMAIN>\<sentryServiceAccount>" password= "<password>"
Start-Service "trugrid_sentry"


The space after obj= and password= is required sc.exe syntax, not a typo. Note that the password is passed in clear text on the command line and is retained in the session's command history. The service account needs the "Log on as a service" right; this is granted automatically when set through the Services console, or via your standard rights-assignment GPO when set through sc.exe.
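The three Sentry steps (a, b and c) as one script, added here as an example and not a script shipped by TruGrid. It prompts for the service account password with Get-Credential rather than placing it on the command line, refuses to register the SPN if setspn finds it on a different account, and reports the resulting service logon accounts. The FQDN and account name in the defaults are hypothetical placeholders; the service names are the ones listed above.

```powershell
# Added example (not TruGrid's own script). Run in an elevated PowerShell
# session on the Sentry host. Default values below are hypothetical; replace
# them with your Sentry FQDN and service account.
#Requires -RunAsAdministrator
param(
    [string]$SentryFqdn     = "sentry01.corp.example",     # hypothetical
    [string]$ServiceAccount = "CORP\svc-trugrid-sentry",   # hypothetical
    [string[]]$Services     = @("trugrid_sentry_health_monitor", "trugrid_sentry")
)
$ErrorActionPreference = "Stop"
$spn = "TrugridSentry/$SentryFqdn"

# a. Enable the Local API so the Connector can talk to the Sentry.
Set-ItemProperty -Path "HKLM:\SOFTWARE\TruGrid\Sentry" -Name "LocalApiMode" -Value 'Enabled' -Type String

# b. Register the SPN only if it is not already bound to another account.
#    setspn -Q prints "Existing SPN found!" when any account holds the SPN;
#    setspn -L lists the SPNs bound to our service account.
$query       = & setspn.exe -Q $spn 2>&1
$onOurAccount = (& setspn.exe -L $ServiceAccount 2>&1) -match [regex]::Escape($spn)
if (($query -match 'Existing SPN found') -and -not $onOurAccount) {
    throw "SPN $spn is registered on another account; resolve the duplicate first:`n$($query -join "`n")"
}
if (-not $onOurAccount) {
    & setspn.exe -s $spn $ServiceAccount | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -s failed with exit code $LASTEXITCODE" }
}

# c. Point both services at the domain account and restart them.
#    The password is prompted for, so it never appears in the command history.
#    The account still needs the "Log on as a service" right (see note above).
$cred  = Get-Credential -UserName $ServiceAccount -Message "Password for the Sentry service account"
$plain = $cred.GetNetworkCredential().Password
foreach ($name in $Services) {
    $null = Get-Service -Name $name            # throws early if the service name is wrong
    Stop-Service -Name $name -Force
    & sc.exe config $name obj= $cred.UserName password= $plain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config $name failed with exit code $LASTEXITCODE" }
    Start-Service -Name $name
}
$plain = $null

# Show what each service now runs as and whether it came back up.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -in $Services } |
    Select-Object Name, StartName, State
```

If the duplicate-SPN check throws, the setspn -Q output it prints shows the distinguished name of the account currently holding the SPN; remove it there (or choose a different service account) before re-running.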


3. Target machine configuration (session hosts)


On every machine users connect to, allow Restricted Admin and Remote Credential Guard connections:


PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value 0 -Type DWord


A value of 0 permits Restricted Admin mode and Remote Credential Guard. A value of 1 blocks them. On hardened or newer Windows builds this may be set to 1 or enforced by policy, in which case RCG connections fail until the value is 0.


Setting this per host by hand does not scale. Deploy it to all target machines with a Group Policy registry preference or a startup script:


  • Computer Configuration > Preferences > Windows Settings > Registry
    • Hive: HKEY_LOCAL_MACHINE
    • Key: SYSTEM\CurrentControlSet\Control\Lsa
    • Value name: DisableRestrictedAdmin
    • Type: REG_DWORD
    • Value: 0


No reboot is required for the value to take effect on new connections.
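A startup or RMM script form of the same setting, added here as an example (not a TruGrid-supplied script). Unlike a one-line Set-ItemProperty, it only writes when the value is not already 0, re-reads the value to confirm the write stuck, and returns an exit code an RMM tool or GPO startup-script report can act on.

```powershell
# Added example (not TruGrid's own script): idempotent startup/RMM script that
# allows Restricted Admin and Remote Credential Guard connections on a session host.
# Exit codes: 0 = value is 0 (compliant), 1 = value could not be set to 0.
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$name = "DisableRestrictedAdmin"

function Get-DisableRestrictedAdmin {
    # Returns the current DWORD as an int, or $null if the value does not exist yet.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

$before = Get-DisableRestrictedAdmin
if ($before -eq 0) {
    Write-Output "$name is already 0 on $env:COMPUTERNAME; nothing to do."
    exit 0
}

# Set-ItemProperty creates the value if it is absent and overwrites it if it is 1.
Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord

$after = Get-DisableRestrictedAdmin
if ($after -ne 0) {
    Write-Error "$name reads '$after' after the write on $env:COMPUTERNAME."
    exit 1
}
# A policy that enforces 1 typically reverts the value at the next policy refresh
# rather than blocking the write, so run this from the same GPO that schedules it.
Write-Output "$name changed from '$before' to 0 on $env:COMPUTERNAME (no reboot needed)."
exit 0
```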


Verification


  1. Connector installed machine-wide:

     PowerShell:

     Get-ItemProperty "HKLM:\SOFTWARE\TruGrid\TruGridWindowsConnector" -Name InstallDir

  2. Sentry Local API enabled:

     PowerShell:

     Get-ItemProperty "HKLM:\SOFTWARE\TruGrid\Sentry" -Name LocalApiMode

  3. SPN present and unique (setspn -Q TrugridSentry/<sentry-fqdn>).
  4. Sentry service running under the domain account.
  5. DisableRestrictedAdmin is 0 on the target.
  6. From an AD-joined client on the trusted network, log in. The user is authenticated against On-Premises AD with no Entra ID or MFA prompt, the Connector starts automatically, and the TG-APPS <user.name@domain.com> shortcuts folder appears on the desktop.
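The checklist above as a script, added here as an example rather than a TruGrid-provided tool. Run it on the machine whose role you pass (-Role Client, Sentry or Target); it evaluates the checks that apply to that role, prints a pass/fail table and exits non-zero if anything failed, which makes it usable from an RMM or as a scheduled health check. The Sentry FQDN and service account defaults are hypothetical placeholders; the registry paths, SPN format and service name are those given in this article. The login test in step 6 has to be done by a user and is not covered.

```powershell
# Added example (not TruGrid's own tooling): per-role verification of the
# Trusted Location Login / RCG prerequisites described in this article.
param(
    [ValidateSet("Client", "Sentry", "Target")]
    [string]$Role           = "Sentry",
    [string]$SentryFqdn     = "sentry01.corp.example",    # hypothetical
    [string]$ServiceAccount = "CORP\svc-trugrid-sentry"   # hypothetical
)

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value does not exist, instead of a terminating error.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = switch ($Role) {
    "Client" {
        # 1. Machine-wide Connector install leaves InstallDir under HKLM.
        $dir = Get-RegValue "HKLM:\SOFTWARE\TruGrid\TruGridWindowsConnector" "InstallDir"
        New-Check "Connector installed machine-wide" (($null -ne $dir) -and (Test-Path $dir)) "InstallDir=$dir"
    }
    "Sentry" {
        # 2. Local API switched on.
        $mode = Get-RegValue "HKLM:\SOFTWARE\TruGrid\Sentry" "LocalApiMode"
        New-Check "Sentry Local API enabled" ($mode -eq 'Enabled') "LocalApiMode=$mode"

        # 3. Exactly one account holds the SPN. setspn -Q prints one "CN=..." line
        #    per account that has it, so more than one line means a duplicate.
        $spn    = "TrugridSentry/$SentryFqdn"
        $owners = @((& setspn.exe -Q $spn 2>&1) | Where-Object { "$_" -match '^CN=' })
        New-Check "SPN present and unique" ($owners.Count -eq 1) ("Owners: " + ($owners -join '; '))

        # 4. Service runs as the domain account and is up.
        $svc = Get-CimInstance Win32_Service -Filter "Name='trugrid_sentry'"
        New-Check "Sentry service runs as domain account" `
            (($svc.StartName -eq $ServiceAccount) -and ($svc.State -eq 'Running')) `
            "StartName=$($svc.StartName) State=$($svc.State)"
    }
    "Target" {
        # 5. Restricted Admin / RCG connections allowed on the session host.
        $v = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" "DisableRestrictedAdmin"
        New-Check "DisableRestrictedAdmin is 0" ($v -eq 0) "Value=$v"
    }
}

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
exit 0
```

A failed "SPN present and unique" check with two or more owners listed is the duplicate-SPN condition from section 2b; a failed check with zero owners means the SPN was never registered.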



Notes

  • These manual steps are temporary and are expected to be incorporated into the installer and Sentry setup in a future release.
  • ENABLE_RCG=1 is a Connector installer parameter specific to this flow and is not yet listed in the general Machine Wide installer article.

Updated on: 17/06/2026
