Windows OS Hub

February 27, 2023 | Group Policies, Windows 10, Windows 11, Windows Server 2019, Windows Server 2022

Fix: Saved RDP Credentials Didn’t Work on Windows

The built-in Windows Remote Desktop client (mstsc.exe) allows you to save the username and password used to connect to the remote computer. Thanks to this, the user doesn’t need to enter a password each time to connect to a known Remote Desktop host. In this article, we’ll look at how to allow using saved credentials for RDP connections in Windows, and what to do if users cannot use saved passwords for Remote Desktop connections (the password is requested every time).

Contents:
  • Allow Saved Credentials Delegation for RDP Connection via GPO
  • Why Windows Does Not Save Remote Desktop Credentials?
  • The Server’s Authentication Policy Doesn’t Allow Connection with Saved Credentials
  • Windows Defender Credential Guard Does Not Allow Saved Credentials

Allow Saved Credentials Delegation for RDP Connection via GPO

By default, Windows allows users to save their passwords for RDP connections. To do this, a user must enter the name of the RDP computer and the username, and check the box “Allow me to save credentials” in the Remote Desktop Connection (mstsc.exe) client window. After the user clicks the “Connect” button, the RDP server asks for the password and Windows saves it to the Credential Manager (not to the .RDP file).


The next time you connect to a remote RDP host under the same user, the client will automatically get the saved password from the Windows Credential Manager and use it for RDP authentication.

If there is a saved password for this computer, the following message will appear in the RDP client window:

Saved credentials will be used to connect to this computer. You can edit or delete these credentials.


In most cases, administrators do not recommend users save connection passwords in Windows. For example, in an Active Directory domain, it is better to configure SSO (Single Sign-On) for RDP for transparent authentication.

By default, Windows doesn’t allow a user to use a saved RDP password (credentials) to connect from a computer joined to an Active Directory domain to a host that is in another domain or workgroup. Although the connection password is stored in Credential Manager, Windows does not allow it to be used and requires the user to enter the password each time. Windows also prevents you from using the saved RDP password if you connect with a local account instead of a domain one.

In this case, if you try to connect using the saved RDP password, this error message appears:

Your credentials did not work
Your system administrator does not allow the use of saved credentials to log on to the remote computer CompName because its identity is not fully verified. Please enter new credentials.


Windows considers the connection insecure since there is no trust between this computer and the remote computer in another domain (or a workgroup).

You can change these settings on the computer from which you are trying to establish the RDP connection:

  1. Open the Local Group Policy Editor by pressing Win + R -> gpedit.msc;
  2. In the GPO editor, go to Computer Configuration –> Administrative Templates –> System –> Credentials Delegation. Find the policy named Allow delegating saved credentials with NTLM-only server authentication;
  3. Enable the policy and click Show;
  4. Specify the list of remote hosts that are allowed to use saved credentials when accessed over RDP. The list of remote computers must be specified in the following format:
    • TERMSRV/server1 — allow to use saved credentials to access a specific computer/server over RDP;
    • TERMSRV/*.woshub.com — allow to establish RDP connections with saved credentials to all computers in the woshub.com domain;
    • TERMSRV/* — allow using a saved password to connect to any remote computer.
      Tip. Be sure to type the TERMSRV keyword in uppercase. The computer name must exactly match the one you specified in the RDP client connection field.
  5. Similarly, enable and add your TERMSRV/ values to the Allow Delegating Saved Credentials policy;
    The following registry settings correspond to the above GPO options:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
    "AllowSavedCredentialsWhenNTLMOnly"=dword:00000001
    "AllowSavedCredentials"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation]
    "AllowSavedCredentialsWhenNTLMOnly"=dword:00000001
    "AllowSavedCredentials"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials]
    "1"="TERMSRV/*"

  6. Check that the following option is disabled: Network access: Do not allow storage of passwords and credentials for network authentication (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options). If this setting is enabled, the user will receive an error when attempting to save the password to the Credential Manager vault:
    Credential Manager Error
    Unable to save credentials. To save credentials in this vault, check your computer configuration. 
    Error code: 0x80070520
    Error Message: A specified logon session does not exist. It may already have been terminated.
  7. Check that the Deny delegating saved credentials policy is disabled (or not configured). Deny GPO policies take precedence over allow ones;
  8. Save the changes and update GPO settings using this command: gpupdate /force

Now, when connecting to the RDP host, the mstsc client will be able to use your saved credentials.
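
One way to check the result of the steps above for a particular host, as an added example that is not part of the original article. The function names are hypothetical and rdp01.woshub.com is a constructed host name; the DenySavedCredentials and DisableDomainCreds registry names are assumed to back the Deny policy (step 7) and the "Network access" option (step 6), and the wildcard matching only approximates the format rules from step 4.

```powershell
# Added example: audit the Credentials Delegation policy for one RDP target.
# Run on the client you connect FROM. Function names are hypothetical.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DelegationList {
    param([string]$Policy)
    # A policy is on only when the DWORD named after it is 1 (see the .reg file).
    $flag = (Get-ItemProperty -Path $Base -Name $Policy -ErrorAction SilentlyContinue).$Policy
    $key  = Get-Item -Path "$Base\$Policy" -ErrorAction SilentlyContinue
    if ($flag -ne 1 -or -not $key) { return @() }
    # Its host list is stored as numbered string values ("1", "2", ...) in a subkey.
    return @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

function Find-SpnEntry {
    param([string]$Target, [string[]]$Entries)
    foreach ($entry in $Entries) {
        # TERMSRV must be uppercase, so the prefix check is case-sensitive.
        if ($entry -cnotlike 'TERMSRV/*') { continue }
        # Assumption: host names compare case-insensitively; * is a wildcard.
        if ("TERMSRV/$Target" -like $entry) { return $entry }
    }
}

function Test-SavedCredentialPolicy {
    param([Parameter(Mandatory)][string]$Target)
    # DenySavedCredentials: assumed registry name of the Deny policy (step 7).
    $deny = Find-SpnEntry -Target $Target -Entries @(Get-DelegationList 'DenySavedCredentials')
    foreach ($policy in 'AllowSavedCredentials', 'AllowSavedCredentialsWhenNTLMOnly') {
        $list = @(Get-DelegationList $policy)
        [pscustomobject]@{
            Policy    = $policy
            Entries   = $list -join '; '
            MatchedBy = Find-SpnEntry -Target $Target -Entries $list
            DeniedBy  = $deny                          # Deny takes precedence over Allow
            AnyHost   = $list -ccontains 'TERMSRV/*'   # list covers every RDP host
            BadPrefix = @($list | Where-Object { $_ -cnotlike 'TERMSRV/*' }) -join '; '
        }
    }
}

function Test-CredentialStorageBlocked {
    # Step 6 option; assumed to be backed by the DisableDomainCreds value.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    return ($lsa.DisableDomainCreds -eq 1)
}

Test-SavedCredentialPolicy -Target 'rdp01.woshub.com' | Format-List   # constructed host name
"Credential storage blocked: $(Test-CredentialStorageBlocked)"
```

An empty MatchedBy means the host is not covered by that list; AnyHost set to True means the list allows saved credentials for every RDP host rather than a named set.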


You can list saved passwords for RDP connections with the command:
cmdkey /list | findstr "target=TERMSRV"


To clear saved connection passwords, run the command:

For /F "tokens=1,2 delims= " %G in ('cmdkey /list ^| findstr "target=TERMSRV"') do cmdkey /delete %H

The Local Group Policy Editor changes the RDP saved credentials policy only on the local computer. If you want to apply these settings to multiple computers in the domain, use a domain GPO configured in the gpmc.msc (Group Policy Management) console.

Why Windows Does Not Save Remote Desktop Credentials?

If you have configured Windows following the instructions above, but your RDP client still prompts you to enter a password each time you try to connect, it is worth checking the following:

  1. Click “Show Options” in the Remote Desktop Connection window and make sure that the “Always ask for credentials” option is not checked;
  2. If you are using an .RDP file for connection, make sure that the value of the ‘prompt for credentials’ parameter is 0 (prompt for credentials:i:0);
  3. Open the Local GPO Editor (gpedit.msc) and go to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client. The “Do not allow passwords to be saved” and “Prompt for credentials on the client computer” options must be not configured or disabled. Also, make sure that these policy settings are disabled in the resulting Group Policy on your computer (you can create an HTML report with the applied GPO settings using the gpresult command);
  4. Delete all saved passwords from the Windows Credential Manager. Type control userpasswords2 and in the User Accounts window go to the Advanced tab and click Manage Passwords;
  5. In the next window, select Windows Credentials. Find all saved RDP passwords and delete them (they start with TERMSRV/…).
    In this window, you can manually add credentials for RDP connections. Please note that the name of an RDP server/computer must be specified in the TERMSRV/server_name1 format. Don’t forget to delete saved passwords when you clear the RDP connection history on your computer.
  6. You won’t be able to log on with the saved RDP credentials if the remote server has not been updated for a long time and the CredSSP encryption oracle remediation error appears when you try to connect to it.

After that, users will be able to use their saved passwords for RDP connections.
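
The client-side checks from steps 2 and 3, scripted as an added example that is not part of the original article. The function names are hypothetical, the .RDP lines are constructed sample input, and DisablePasswordSaving and PromptForCredsOnClient are assumed to be the registry values behind the two client policies named in step 3.

```powershell
# Added example: find the client setting that forces a password prompt.
function Get-RdpFileSetting {
    param([string[]]$Lines)
    # .RDP lines have the form  name:type:value  (type i = integer, s = string).
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):([a-z]):(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[3].Trim()
        }
    }
    return $settings
}

function Test-RdpPromptSettings {
    param([string[]]$RdpLines)
    $findings = @()
    $rdp = Get-RdpFileSetting -Lines $RdpLines
    if ($rdp['prompt for credentials'] -eq '1') {
        $findings += '.RDP file: "prompt for credentials" is 1, set it to 0'
    }
    # Assumed registry location of the Remote Desktop Connection Client policies.
    $ts = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    if ($ts.DisablePasswordSaving -eq 1) {
        $findings += 'Policy "Do not allow passwords to be saved" is enabled'
    }
    if ($ts.PromptForCredsOnClient -eq 1) {
        $findings += 'Policy "Prompt for credentials on the client computer" is enabled'
    }
    return $findings
}

function Get-SavedRdpTarget {
    # Same filter as the cmdkey command earlier in the article.
    cmdkey /list | Select-String 'target=TERMSRV' | ForEach-Object { $_.Line.Trim() }
}

# Constructed sample .RDP content; for a real file pass (Get-Content .\server.rdp).
$sample = @(
    'full address:s:rdp01.woshub.com'
    'prompt for credentials:i:1'
    'username:s:WOSHUB\jsmith'
)
Test-RdpPromptSettings -RdpLines $sample
Get-SavedRdpTarget
```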

The Server’s Authentication Policy Doesn’t Allow Connection with Saved Credentials

When connecting to an RDP host or RDS farm using saved credentials, an error may appear:

Windows Security
Your credentials did not work
The server’s authentication policy does not allow connection requests using saved credentials. Please enter new credentials.


In this case, you need to disable the GPO option “Always prompt for password upon connection” on the remote server (Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security).


If this policy is enabled, the RDP host always prompts the client for a password to connect.

You can disable this option through the registry:

REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fPromptForPassword /t REG_DWORD /d 0 /f

Windows Defender Credential Guard Does Not Allow Saved Credentials

After updating to Windows 11 22H2, users began to complain that now they cannot use saved passwords for RDP connections:

Windows Security: Your credentials did not work
Windows Defender Credential Guard does not allow using saved credentials. Please enter your credentials.


Windows Defender Remote Credential Guard (which appeared on Windows 10 1607) is supposed to protect your credentials for RDP connections. By default, Windows 11/10 22H2 only allows saved credentials to be used when using Kerberos authentication on the RDP host. If you can’t use Kerberos (the domain controller isn’t available, or you’re connecting to a host in a workgroup), the Remote Credential Guard blocks NTLM authentication.

You can solve this problem by disabling the Credential Guard through the registry:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\LSA" -Name "LsaCfgFlags" -PropertyType "DWORD" -Value 0 -Force
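
Before changing LsaCfgFlags, it helps to confirm that Credential Guard is actually running and where it was enabled. The following is an added example, not part of the original article: the function names are hypothetical, and the Win32_DeviceGuard class and the policy copy of LsaCfgFlags under SOFTWARE\Policies\Microsoft\Windows\DeviceGuard are not mentioned on the page.

```powershell
# Added example: report Credential Guard state before editing LsaCfgFlags.
function ConvertTo-LsaCfgText {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    switch ([int]$Value) {
        0 { 'disabled' }
        1 { 'enabled with UEFI lock' }
        2 { 'enabled without UEFI lock' }
        default { "unexpected value $Value" }
    }
}

function Get-LsaCfgFlags {
    param([string]$Path)
    (Get-ItemProperty -Path $Path -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
}

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $local  = Get-LsaCfgFlags 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'             # key used in the article
    $policy = Get-LsaCfgFlags 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'  # written by Group Policy
    $notes = @()
    if ($local -eq 1 -or $policy -eq 1) {
        $notes += 'UEFI lock in use: setting LsaCfgFlags to 0 is not enough on its own'
    }
    if ($null -ne $policy -and $policy -ne 0) {
        $notes += 'Group Policy enables Credential Guard: change the GPO as well'
    }
    [pscustomobject]@{
        Running       = [bool]($dg.SecurityServicesRunning -contains 1)     # 1 = Credential Guard
        Configured    = [bool]($dg.SecurityServicesConfigured -contains 1)
        LocalSetting  = ConvertTo-LsaCfgText $local
        PolicySetting = ConvertTo-LsaCfgText $policy
        Notes         = $notes -join '; '
    }
}

Get-CredentialGuardState | Format-List
```

Running reflects the state at the last boot, so a changed LsaCfgFlags value shows up there only after a restart.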
