When creating a "Host Pass" for an outside agency/vendor to allow for unattended access to one of your local resources, you are almost always required to store a credential for them to access the password-protected machine. When the outside agency selects to "send the credentials" to the screen, the Windows 10 machine allows them to reveal the password. This should absolutely not be made possible for them. Control should implement a policy at the connection level that disables this Windows feature. Of course, it can be disabled at the Group Policy level on the organization's side; however, this is a useful feature for the organization itself and should not have to be disabled.
Perhaps something as simple as executing the password entry, as soon as it is sent to the machine, would keep them from revealing the password.