28

Recently when running a Remote Desktop Connection under this Windows version

OS Name Microsoft Windows 11 Pro
Version 10.0.22621 Build 22621
Other OS Description Not Available
OS Manufacturer Microsoft Corporation

I can no longer use the saved RDP credentials and every connection gives this message:

guard

Upon Googling, I've tried editing registry values, policy changes, rebooting, etc., but nothing is working.

I'd like to use Remote Desktop without having to manually enter my credentials each time!

Any ideas?

vengy
  • 1
    I just found an easy solution: save your password with `cmdkey /generic:TERMSRV/ /user: /pass:`, from a question about this feature at the Microsoft forums: [https://learn.microsoft.com/en-us/answers/questions/1021785/windows-11-22h2-cant-use-saved-credential?page=1&orderby=helpful&comment=answer-1177710#answers](https://learn.microsoft.com/en-us/answers/questions/1021785/windows-11-22h2-cant-use-saved-credential?page=1&orderby=helpful&comment=answer-1177710#answers) – drescherjm Mar 06 '23 at 20:20

3 Answers

40

I found a solution that doesn't require modifying registry or policy to disable the new Credential Guard.

I went through my TERMSRV saved credentials and removed them, and re-added with cmdkey commands.

To list saved credentials:

```
cmdkey /list:TERMSRV/*
```

To delete a saved credential:

```
cmdkey /delete:TERMSRV/<targetNameOrIp>
```

To add a credential that will actually work with CG turned on:

```
cmdkey /generic:TERMSRV/<targetNameOrIp> /user:<username> /pass:<password>
```

I was even able to save passwords for Microsoft accounts which use email@address for usernames.

All credit for this solution goes to the user informatik01 on the Microsoft forums.

According to informatik01, passwords saved through the RDP UI end up as "Domain" type credentials and aren't compatible with CG. Passwords saved through the cmdkey /generic flag end up as "Generic" type, and DO work with CG enabled.

TechnoCore
  • 5
    This worked great on windows 11. Just type "terminal" in the toolbar search and click on the Terminal app... (powershell) – Mr.Black Mar 15 '23 at 15:19
  • this worked great! ty – Nicholas Petersen Mar 25 '23 at 22:37
  • amazing, isn't possible to apply to all? TERMSR cmdkey /generic:TERMSRV/* /user:? – sofsntp Apr 14 '23 at 14:14
  • @sofsntp I'm not sure, but I don't think so. It doesn't seem like cmdkey supports any updates to existing creds, it's only for listing, adding, deleting. It's possible you could add a credential that would trigger some kind of inheritance, again not sure. You could definitely write some fancy PS script that deletes all, tracks target names of each, and re-adds with predefined user / pass. If you had a large enough list of existing credentials it might be worth the effort. – TechnoCore Apr 17 '23 at 17:40
  • 4
    If you're more comfortable using a GUI than the command line, it looks like you can do this from Credential Manager as well. Delete from the "Windows Credentials" section, then "Add a generic credential". If you want to script it, the [CredentialManager](https://www.powershellgallery.com/packages/CredentialManager/2.0) module in PowerShell can extract the old password to use when adding the new one: `(Get-StoredCredential -Target "TERMSRV/" -AsCredentialObject).Password` – dansmith65 May 08 '23 at 21:41
  • @TechnoCore Thank you for mentioning me, I am glad it helped – informatik01 May 21 '23 at 01:00
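
The delete-and-re-add procedure from the answer above, scripted as an added example (not code from the original answer or its comments). It finds TERMSRV entries stored as "Domain Password" and re-creates them as Generic; the function names `Get-TermsrvCredential` and `Convert-ToGenericCredential`, the hosts and the users are hypothetical, and English-locale `cmdkey` output is assumed.

```powershell
# Added example, not from the original answers. Assumes English cmdkey output.
function Get-TermsrvCredential {
    param([string[]]$CmdkeyOutput)
    $entry = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*\S+?:target=(TERMSRV/\S+)\s*$') {
            $entry = [ordered]@{ Target = $Matches[1]; Type = $null; User = $null }
        } elseif ($null -ne $entry -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $entry.Type = $Matches[1]
        } elseif ($null -ne $entry -and $line -match '^\s*User:\s*(.+?)\s*$') {
            # Entries without a User line are never emitted: nothing to re-add.
            $entry.User = $Matches[1]
            [pscustomobject]$entry
            $entry = $null
        }
    }
}

function Convert-ToGenericCredential {
    param([Parameter(Mandatory)]$Entry)
    cmdkey "/delete:$($Entry.Target)" | Out-Null
    # /pass with no value makes cmdkey prompt for the password, so it never
    # appears on the command line or in shell history.
    cmdkey "/generic:$($Entry.Target)" "/user:$($Entry.User)" /pass
}

# Constructed sample of `cmdkey /list:TERMSRV/*` output (hypothetical hosts and users).
$sample = @'
Currently stored credentials for TERMSRV/*:

    Target: Domain:target=TERMSRV/rdp01.example.test
    Type: Domain Password
    User: EXAMPLE\alice

    Target: LegacyGeneric:target=TERMSRV/192.0.2.10
    Type: Generic
    User: bob@example.test
'@ -split '\r?\n'

# Only "Domain Password" entries need to be re-created as Generic.
$needsFix = Get-TermsrvCredential $sample | Where-Object Type -eq 'Domain Password'
$needsFix | Format-Table Target, User, Type

# On a real machine, parse live output and migrate each entry interactively:
#   $needsFix = Get-TermsrvCredential (cmdkey /list:TERMSRV/*) |
#       Where-Object Type -eq 'Domain Password'
#   $needsFix | ForEach-Object { Convert-ToGenericCredential $_ }
```
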
11

I was able to automatically connect using saved credentials by applying these steps from the link supplied in John's answer:

For now the "throw the baby out with the bathwater" workaround is to turn off Credential Guard altogether. [...] Once we get a proper whitelist to make exemptions for Credential Guard (or perhaps to make Credential Manager and RDP compatible with Credential Guard), then I'll no longer recommend turning the feature off.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.

Add a new DWORD value named EnableVirtualizationBasedSecurity and set its value to 0.

Add another new DWORD value named RequirePlatformSecurityFeatures and set that to 0.

Now go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Add a new DWORD value named LsaCfgFlags and set it to 0.

Restart your computer.

Re-enter your credentials for the remote computer. It appears that Win22H2 upgrade may have also fubarred your saved credentials. You may need to re-enter them.

ndemou
vengy
  • No. This did not work for me. – salihcenap Dec 22 '22 at 12:06
  • I also needed to re-enter the credentials for the remote computer. It looks like the saved credentials were also fubarred during the Win22H2 upgrade – William Jan 14 '23 at 03:45
  • You may also need to edit the saved RDP file to remove the existing credentials and re-enter them (see answer from @camios below) – ndemou Jan 18 '23 at 06:37
  • 1
    honestly all the answers seem to require that you re-enter your credentials which in some situations is *not acceptable*. I'm thinking of the case where IT sets you up with credentials and you don't actually *know* them. It can be quite a pain to get IT involved, and if you need to access the host immediately you are basically hosed. – Michael Jun 29 '23 at 16:38
0

What worked for me was editing the saved RDP file to remove the existing credentials; save it; then edit it again and add the credentials again.

camios