71

Recently when running a Remote Desktop Connection under this Windows version

OS Name Microsoft Windows 11 Pro
Version 10.0.22621 Build 22621
Other OS Description Not Available
OS Manufacturer Microsoft Corporation

I can no longer use the saved RDP credentials and every connection gives this message:

[image: guard]

Upon Googling, I've tried editing registry values, policy changes, rebooting, etc., but nothing is working.

I'd like to use Remote Desktop without having to manually enter my credentials each time!

Any ideas?

vengy

5 Answers

120

I found a solution that doesn't require modifying registry or policy to disable the new Credential Guard.

I went through my TERMSRV saved credentials and removed them, and re-added with cmdkey commands.

To list saved credentials:

cmdkey /list:TERMSRV/*

To delete a saved credential:

cmdkey /delete:TERMSRV/<targetNameOrIp>

To add a credential that will actually work with CG turned on:

cmdkey /generic:TERMSRV/<targetNameOrIp> /user:<username> /pass:<password>

I was even able to save passwords for Microsoft accounts, which use email@address for usernames.

All credit for this solution goes to the user informatik01 on the Microsoft forums.

According to informatik01, passwords saved through the RDP UI end up as "Domain" type credentials and aren't compatible with CG. Passwords saved through the cmdkey /generic flag end up as "Generic" type, and DO work with CG enabled.

TechnoCore
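
The check behind the answer above, as an added example that is not part of the original answer: it parses `cmdkey /list:TERMSRV/*` output and flags saved RDP entries that are not of the "Generic" type, which are the ones to delete and re-add with `/generic`. The sample output, host and user names, and function names are constructed for illustration; the English-locale field labels are an assumption.

```powershell
# Added example: classify saved RDP (TERMSRV) credentials by type.
# $sample is constructed text in the shape of English-locale
# `cmdkey /list:TERMSRV/*` output; host and user names are made up.
$sample = @'
Currently stored credentials for TERMSRV/*:

    Target: Domain:target=TERMSRV/rdp01.example.test
    Type: Domain Password
    User: EXAMPLE\alice

    Target: LegacyGeneric:target=TERMSRV/rdp02.example.test
    Type: Generic
    User: alice@example.test
'@

function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*\S*target=(?<name>TERMSRV/\S+)') {
            # A new "Target:" line starts a new entry; emit the previous one.
            if ($entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ Target = $Matches.name; Type = $null; User = $null }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(?<type>.+?)\s*$') {
            $entry.Type = $Matches.type
        }
        elseif ($entry -and $line -match '^\s*User:\s*(?<user>.+?)\s*$') {
            $entry.User = $Matches.user
        }
    }
    # Emit the last entry, which has no following "Target:" line.
    if ($entry) { [pscustomobject]$entry }
}

function Get-RdpCredentialReport {
    param([string[]]$Lines)
    ConvertFrom-CmdkeyList -Lines $Lines | ForEach-Object {
        # Per the answer: "Generic" entries work with Credential Guard on,
        # "Domain" entries (saved through the RDP UI) do not.
        $needsReAdd = $_.Type -notmatch '^Generic'
        $_ | Add-Member -NotePropertyName ReAddAsGeneric -NotePropertyValue $needsReAdd -PassThru
    }
}

# Run against the constructed sample. On a real machine, pass the output of
# (cmdkey /list:TERMSRV/*) instead of the sample lines.
Get-RdpCredentialReport -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```
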
11

I was able to automatically connect using saved credentials by applying these steps from the link supplied in John's answer:

For now the "throw the baby out with the bathwater" workaround is to turn off Credential Guard altogether. [...] Once we get a proper whitelist to make exemptions for Credential Guard (or perhaps to make Credential Manager and RDP compatible with Credential Guard), then I'll no longer recommend turning the feature off.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.

Add a new DWORD value named EnableVirtualizationBasedSecurity and set its value to 0.

Add another new DWORD value named RequirePlatformSecurityFeatures and set that to 0.

Now go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Add a new DWORD value named LsaCfgFlags and set it to 0.

Restart your computer.

Re-enter your credentials for the remote computer. It appears that Win22H2 upgrade may have also fubarred your saved credentials. You may need to re-enter them.

ndemou
vengy
5

You can use RDCMan which does save passwords.

RDCMan is a tool for managing many RDP connections and credentials. Originally created for internal use at Microsoft, it was later released to the public, and has now been rolled into the highly-regarded Sysinternals suite of tools, which Microsoft publishes for sysadmins and developers.

RDCMan allows you to create connections, organize them into groups, save and assign credentials, and automatically connect and disconnect individual connections or groups of connections without interference from Credential Guard.

barbecue
ADM-IT
2

As a follow-up: a batch file that asks for a password and saves it (still not a fix), but makes it dead easy to work around.

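@echo off
rem Keep UPNvar and PW local to this script so they do not linger in the session
setlocal
rem Read the current user's UPN (user@domain) to use as the RDP user name
for /f %%i in ('whoami /upn') do set "UPNvar=%%i"
cls
ECHO %UPNvar%
rem Prompt for the password (the input is echoed to the console)
set /p "PW=Password? "
cls
rem Store it as a Generic credential; quotes keep characters such as & or a space intact
cmdkey /generic:TERMSRV/SERVER.DOMAIN.LOCAL /user:%UPNvar% /pass:"%PW%"
endlocal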
1

What worked for me was editing the saved RDP file to remove the existing credentials; save it; then edit it again and add the credentials again.

camios