1 VOTE
Categories Security
Created by Guest
Created on Feb 10, 2025

Remote Desktop mstsc /restrictedAdmin

If endpoints are properly configured, you can use Remote Desktop by launching mstsc.exe with the /restrictedAdmin switch, which does not require re-entering credentials and does not send the password to the remote computer. Per Microsoft's documentation, this is the safe way to RDP to some random endpoint when you're on such a privileged account as the one you'd use in SCCM. Can you give us a menu option for Remote Desktop that uses /restrictedAdmin in the right click tools?

Documentation on mstsc.exe: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc

How it works / why it is needed: https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard?tabs=intune#compare-remote-credential-guard-with-other-connection-options

Using a Remote Desktop session without Remote Credential Guard has the following security implications:

  • Credentials are sent to and stored on the remote host

  • Credentials aren't protected from attackers on the remote host

  • Attacker can use credentials after disconnection

The security benefits of Remote Credential Guard include:

  • Credentials aren't sent to the remote host

  • During the remote session, you can connect to other systems using SSO

  • An attacker can act on behalf of the user only when the session is ongoing

The security benefits of Restricted Admin mode include:

  • Credentials aren't sent to the remote host

  • The Remote Desktop session connects to other resources as the remote host's identity

  • An attacker can't act on behalf of the user and any attack is local to the server

Product Right Click Tools
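
The request depends on endpoints being "properly configured" for Restricted Admin. The PowerShell below is an added example, not part of the original request or of the product: it checks the target's `DisableRestrictedAdmin` value before launching `mstsc.exe /restrictedAdmin`. The function name and the host name `PC-EXAMPLE01` are hypothetical, and it assumes PowerShell remoting (WinRM) is enabled on the endpoint.

```powershell
# Added example. Function name and target host are hypothetical placeholders.
function Test-RestrictedAdminEnabled {
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    # Read the setting on the endpoint itself (assumes WinRM is reachable).
    $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name 'DisableRestrictedAdmin' `
                                -ErrorAction SilentlyContinue
        if ($null -eq $lsa) { $null } else { [int]$lsa.DisableRestrictedAdmin }
    }

    # 0       = the host accepts Restricted Admin connections.
    # missing = not configured, treated here as "not accepted".
    # other   = explicitly disabled.
    return ($value -eq 0)
}

$target = 'PC-EXAMPLE01'   # constructed sample host name

if (Test-RestrictedAdminEnabled -ComputerName $target) {
    # The password is not sent to the remote host in this mode.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$target", '/restrictedAdmin'
}
else {
    # Do not fall back to a plain RDP logon with a privileged account:
    # that would send the credentials to the endpoint and store them there.
    Write-Warning "$target does not accept Restricted Admin; not connecting."
}
```

Refusing to connect when the check fails, rather than silently falling back to a normal logon, is what keeps the privileged credential off endpoints that are not configured for this mode.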