Fix ‘Windows Defender Credential Guard’ Blocking RDP Connections

remote desktopwindows-11

Recently when running a Remote Desktop Connection under this Windows version

OS Name Microsoft Windows 11 Pro
Version 10.0.22621 Build 22621
Other OS Description Not Available
OS Manufacturer Microsoft Corporation

I can no longer use the saved RDP credentials and every connection gives this message:

Upon google'ing, I've tried editing registry values, policy changes, rebooting etc.,… but nothing is working.

I'd like to use Remote Desktop without having to manually enter my credentials each time!

Any ideas?

Best Answer

I found a solution that doesn't require modifying registry or policy to disable the new Credential Guard.

I went through my TERMSRV saved credentials and removed them, and re-added with cmdkey commands.

To list saved credentials:

cmdkey /list:TERMSRV/*

To delete a saved credential:

cmdkey /delete:TERMSRV/<targetNameOrIp>

To add a credential that will actually work with CG turned on:

cmdkey /generic:TERMSRV/<targetNameOrIp> /user:<username> /pass:<password>

I was even able to save passwords for microsoft accounts which use email@address for usernames.

All credit for this solution goes to the user informatik01 on microsoft forums

According to informatik01, passwords saved through the RDP UI end up as "Domain" type credentials and aren't compatible with CG. Passwords saved through cmdkey /generic flag ends up as "Generic" type, and DO work with CG enabled.

Related Solutions

Windows 7 Remote Desktop – Save Credentials Not Working

i found the solution. It was at the same time both subtle, and obvious.

As mentioned in the question, when i was modifying the following Remote Desktop Connection Client Group Policy settings:

Prompt for credentials on the client computer
Do not allow passwords to be saved

i was checking them on the server:

enter image description here

i thought it would be the server that dictates what the client is allowed to do. Turns out that is completely wrong. It was @mpy's answer (while incorrect), which led me to the solution. i shouldn't be looking at the RDP client policy on the RDP server, i need to look at the RDP client policy on my RDP client machine:

enter image description here

On my client Windows 7 machine, the policy was:

Do not allow passwords to be saved: Enabled
Prompt for credentials on the client computer: Enabled

i do not know when these options were enabled (i did not enable them in recent memory). The confusing part is that even though

Do not allow passwords to be saved

is Enabled, the RDP client would still save password; but only for servers below Windows Server 2008.

The truth table of functioning:

Do not allow saved  Prompt for creds  Works for 2008+ servers  Works for 2003 R2- servers
==================  ================  =======================  ==========================
Enabled             Enabled           No                       Yes
Enabled             Not Configured    No                       No
Not Configured      Enabled           Yes                      Yes
Not Configured      Not Configured    Yes                      Yes

So there is the trick. The group policy settings under:

Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client

on the client machine need to be configured with:

Do not allow passwords to be saved: Not Configured (critical)
Prompt for credentials on the client computer: Not Configured

The other source of confusion is that while

a domain Enabled policy cannot override a local Disabled
a domain Disabled policy can be overridden by a local Enabled policy

Which again leads to a truth table:

Domain Policy   Local Policy    Effective Policy
==============  ==============  ==============================
Not Configured  Not Configured  Not configured (i.e. disabled)
Not Configured  Disabled        Disabled
Not Configured  Enabled         Enabled
Disabled        Not Configured  Disabled
Disabled        Disabled        Disabled
Disabled        Enabled         Disabled (client wins)
Enabled         Not Configured  Enabled
Enabled         Disabled        Enabled (domain wins)
Enabled         Enabled         Enabled

Windows 10 won’t remember RDP credentials anymore

you can do it with one of the next choices, its up to you which one to use:

1) Start -> Run -> control userpasswords2 press enter. then go to Advanced tab and see Passwords Manager, or something like this, and just delete your old password from there from that resource. Therefore at the next time it will ask you again for new password.

2) Start -> Configuration - Control Panel - Users and Passwords. And the go to Password manager.

3) in the cmd ( Start - Run. and type there "cmd" without quotes ofcourse and press enter. in the cmd type:

net use * /del

and press enter

In the last versions of Windows, passwords stores not in rdp-file, rather than in Credential Manager. To be able to save the password you need to enable the following: start and enter gpedit.msc Navigate to here: Computer Configuration\Administrative Templates\System\Credentials Delegation from the right side choose Allow Saved Credentials with NTLM-only Server Authentication and push enable and add the name of remote computer in format TERMSRV/<computername> push OK and try to connect to remote computer/server with saving the password p.s. You can set * instead of <computername> than you will be able to save password for all servers.

dont forget to do

gpupdate /force

before try to connect

Best Answer

Related Solutions

Windows 7 Remote Desktop – Save Credentials Not Working

Windows 10 won’t remember RDP credentials anymore

Related Question