Windows 11 22H2 - Can't use saved credential

Andrzej S Ciesiński 96

After upgrade Windows 11 22H2 I Can't use saved credential (Windows Defender Credential Guard does not allow using saved credentials).
Before it works.

David Nelson 106 Reputation points

2022-10-06T00:35:11.013+00:00

I have the same issue. My windows 11 22H2 is up to date.

30 answers

Gary Martyn 261 Reputation points

2022-10-13T15:28:39.653+00:00

So it seems this 'feature' which should be enabled on Windows 11 enterprise has actually been enabled on Win 11 pro as well. - Excellent, great start

The new 'feature' disables a long standing and widely used feature of an essential administrative tool, making it harder and less productive to work - Really loving this update so far!

The only way to disable it is with policy updates or registry settings as the new 'feature' can't be disabled through settings - Nice, I'm sure that won't lead to any errors or problems.

As far as I can see, not a single person has commented online about how helpful this feature is - Did anybody actually want it?

Many people are now removing this and potentially disabling more than needed, thus actually making systems less secure. - Awesome

So basically a feature it seems no one wanted, has lowered productivity, lowered user satisfaction and resulted in less secure systems that are more likely to be compromised. Bravo MS, an absolute triumph!
Please sign in to rate this answer.

52 people found this answer helpful.
John Qizhang Xie 31 Reputation points

2023-03-22T14:32:15.0933333+00:00

like what they did with windows 8. I don't know if those developers themself use windows at all?

Giuseppe Carafa 96 Reputation points

2023-04-25T11:12:46.73+00:00

Reg Natarajan 35 Reputation points

2024-02-04T05:10:12.0533333+00:00

I just spent 3 min signing into my Microsoft account just so I could upvote this.

Ovidiu Craciun 0 Reputation points

2024-04-08T16:01:46.7433333+00:00

100% agree with this comment. unfortunately!
Sign in to comment
informatik01 156 Reputation points

2023-02-19T18:49:42.94+00:00
I have found a simple working solution that does not involve manually editing Windows Registry keys and other boring actions. The only thing you need is to use the built-in cmdkey tool and problem solved.

Solution (TL;DR)

Here is the only step you need to perform at Windows Command Prompt:

cmdkey /generic:TERMSRV/<targetname> /user:<username> /pass:<password>

That's it.

After that you can connect to your target machine using Windows Remote Desktop client and no password will be asked. I now again enjoy the comfort of immediate Remote Desktop connections without annoying credential prompts 😃.

Example

You want to connect to a machine at IP address 10.10.10.10 with the username Donald and the password qwerty. So add the following generic TERMSRV credentials:

cmdkey /generic:TERMSRV/10.10.10.10 /user:Donald /pass:qwerty

~

Additional info

It is important to add specifically GENERIC credentials. I have noticed that after using the related checkbox in Remote Desktop Connection tool ("Allow me to save credentials"), it actually works and saves the provided credentials, BUT it saves them with the type "Domain Password" and this does not work (you will see "Windows Defender Credential Guard does not allow using saved credentials" etc).

You can check the type of your saved TERMSRV credentials it by executing the following command (using asterisk * to list everything):

cmdkey /list:TERMSRV/*

But when you add a GENERIC credentials - it works and Windows Defender has no objections about that ))
And now, after adding the generic credentials, when you execute cmdkey /list:TERMSRV/* command you will see this:

Notice how the Type is now Generic.

BTW if you wish you can delete the previously added credentials, e.g.:

cmdkey /delete:TERMSRV/10.10.10.10

~

Technical documentation

The official Microsoft documentation for cmdkey tool: cmdkey

Microsoft Win32 API documentation for wincred.h C header file, where you can see different types of credentials: CREDENTIALA structure (wincred.h)
Please sign in to rate this answer.

31 people found this answer helpful.
John Drescher 10 Reputation points

2023-03-06T20:14:40.5033333+00:00

Thank you. I had recently added a long complicated password that is difficult for me to type with correctly (aging hands) because of an attempted brute force attack on my network. Having to type in that long password leads to a lot of frustration especially when I make a mistake.

Jon 10 Reputation points

2023-03-11T16:59:49.48+00:00

Love a solution that doesn't modify registry or policy, thanks!!

Vinay Kapadia 25 Reputation points

2023-03-29T17:03:23.7533333+00:00

This solution worked beautifully. This should be the way. No need to disable anything, just add the credential like this.

Yiming Wei 0 Reputation points

2023-04-03T17:46:38.3166667+00:00

I'd like to point out that it is possible to left out the domain completely. Also, it seems that one of my machines with 22h2 can properly access domain passwords without tweaking the registry:

I really cannot tell the difference in settings, except it had never used mstsc.exe before the 22h2 update if that makes any difference.

İsa AKYER 10 Reputation points

2023-07-12T05:06:12.5633333+00:00

Working fine... Thank you.

Aakash Garg 10 Reputation points

2023-08-04T21:13:52.16+00:00

Works like a charm..

Also, I tried this with domain name.

you can do this too-

cmdkey /generic:TERMSRV/mymachine.mysite.com /user:Donald /pass:qwerty

Anthony Gerard Hall 1 Reputation point

2023-08-18T11:16:27.1166667+00:00

and what if the IP address is on DHCP, you can't enter a static IP !

Anonymous

2023-09-11T11:49:58.73+00:00

Finally a comment here that is helpfull and is not the standard Microsoft Expert bullshit like "Did you try sfc/scannow, dism/blabla, reinstall your whole pc"

MicrosoftSucks 5 Reputation points

2023-10-21T05:45:09.98+00:00

This does NOT work. Credential Guard still blocks access. cmdkey stores your username as machine name/username so it fails anyways.

dh z 10 Reputation points

2024-01-17T04:30:37.76+00:00

Great, I think the only correct solution is. other methods of modifying Group Policy have no effect at all.

MaineLee 0 Reputation points

2024-03-28T14:37:51.9933333+00:00

The original question did not mention RDP

Isak Wang 0 Reputation points

2024-04-14T14:06:25.8633333+00:00

My savior

James Telfer 0 Reputation points

2024-04-26T15:09:44.13+00:00

One issue - certain special characters in your PW will break the cmdline interpreter
e.g. '< was unexpected at this time'

informatik01 156 Reputation points

2024-04-26T15:28:24.03+00:00

@James Telfer Seriously?

Such constructions like <username> are called placeholders and are supposed to be replaced with REAL values. You should NOT copy them, instead use you real user name and other values instead of them. And when you replace them, you MUST NOT include angle brackets.

It's a special notation to denote placeholders. From the official Microsoft documentation:

Source: Command-line syntax key
Sign in to comment
Brandon Chapman 156 Reputation points

2022-09-29T23:20:31.813+00:00

As much as I hate "throw the baby out with the bathwater" solutions (examples being disabling the Windows Firewall whenever there's a firewall issue instead of taking the time to find the right ports and allow them through it), right now that's about all we have until we have a better understanding of Credential Guard and whether exceptions or a whitelist can be made for certain applications (like RDP).

So for now the "throw the baby out with the bathwater" workaround is to turn off Credential Guard altogether.

You can turn it off with registry changes, a GPO, Intune, or whatever you're using to manage your systems (if anything).

https://learn.microsoft.com/en-us/answers/questions/1021785/windows-11-22h2-can39t-use-saved-credential.html

Easiest way is via the registry:

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.

Add a new DWORD value named EnableVirtualizationBasedSecurity and set its value to 0.
Add another new DWORD value named RequirePlatformSecurityFeatures and set that to 0.

Now go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Add a new DWORD value named LsaCfgFlags and set it to 0.

Restart your computer.

Again, I don't like solutions/workarounds like this, as Credential Guard is a great idea, but when new features break things, the first thing people are going to reach for is the "Off" switch for it.

Once we get a proper whitelist to make exemptions for Credential Guard (or perhaps to make Credential Manager and RDP compatible with Credential Guard), then I'll no longer recommend turning the feature off.
Please sign in to rate this answer.

18 people found this answer helpful.
Osman Şakir Kapar 16 Reputation points

2022-10-07T12:40:07.11+00:00

Thank you if you find any other solution please notify us.

Osman Şakir Kapar 16 Reputation points

2022-10-07T12:40:43.24+00:00

Thank you if you find any other solution please notify us.

Zoltan Molnar 1 Reputation point

2022-10-12T20:09:20.023+00:00

Thank you very much! It works!

Dustin Meany 11 Reputation points

2022-10-14T17:06:13.583+00:00

Thanks - just the last item is what I needed to allow saved credentials for RDP but to keep the other core isolation features enabled.

Now go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Add a new DWORD value named LsaCfgFlags and set it to 0.

Restart your computer.

Dániel Tomek 6 Reputation points

2022-11-14T10:10:21.7+00:00

Thanks. I just updated to win11 yesterday (Instantly regret it) and no matter what I did, RDP just wouldn't accept my username/password combo for my office PC. I went to my Win10 laptop and they worked, so the credentials were correct.
I added these 3 values and restarted my PC, RDP works without issues now.

Ha Viet 1 Reputation point

2022-12-13T09:46:48.877+00:00

It's worked with me. Thanks you so much!

May be it's bug of Window 11 after updated.

Ha Viet 1 Reputation point

2022-12-13T09:49:44.533+00:00

It's worked with me. Thanks you so much!

May be it's bug of Window 11 after updated.

Paulie DeCesare 0 Reputation points

2023-02-28T21:37:01.22+00:00

Awesome, worked GREAT. How do you know what new DWORDs to create? When a new thing like this lands on us, are the additional Registry entries public knowledge usually?

Anthony Gerard Hall 1 Reputation point

2023-08-18T11:31:28.2266667+00:00

Regedit does not work.
Sign in to comment
Jonathan Ansell 46 Reputation points

2022-11-23T11:42:22.867+00:00

I've started using the Remote Desktop app from the Microsoft Store.
The credentials appear to save correctly using this.
Please sign in to rate this answer.

8 people found this answer helpful.
Topogigio 16 Reputation points

2022-11-23T17:26:57.1+00:00

You are right, me too.

Maybe a different credential manager implementation?

Taiki Bessho 5 Reputation points

2023-02-02T11:46:57.57+00:00

Yes! The Store app version of the Remote desktop client remembers passwords as we expected. I decided to switch to the app.

Anthony Gerard Hall 1 Reputation point

2023-08-18T11:31:57.9466667+00:00

This does not work.

MicrosoftSucks 5 Reputation points

2023-10-21T05:49:34.2366667+00:00

This is currently the only working method to save creds outside of disabling security features.

The app is 100% pure trash. The only local resource you can use is the clipboard and audio. No plug and play devices, drives or even security keys. You can connect at specific resolutions but it just starts in full screen anyways. Dont mis click when trying to edit the connection. REMOVE is right next to edit and there is NO CONFIRMATION popup. Bye bye settings.

MS doesnt even care anymore
Sign in to comment
Vinay Kapadia 25 Reputation points

2023-03-29T17:04:15.37+00:00

The solution by informatik01 on the first page works great. No need to disable anything, just add the credentials using the method in his post.
Please sign in to rate this answer.

3 people found this answer helpful.

0 comments No comments
Sign in to comment