Windows Defender Credential Guard does not allow using saved credentials

Publish Date: August 28, 2023


This short post helps you resolve the following error:

Your credentials did not work
Windows Defender Credential Guard does not allow using saved credentials


Cause of error

Let’s first understand the cause of this error. Windows Defender Credential Guard is a security feature that protects your logon secrets from being stolen by malicious software or attackers. It uses virtualization-based security (VBS) to isolate secrets such as derived domain credentials (NTLM hashes and Kerberos tickets) in a separate, isolated process that only trusted system software can reach, so even a compromised Windows kernel or a tool that dumps LSASS memory cannot read them. A side effect of that isolation is that saved domain credentials cannot be handed out for remote connections such as Remote Desktop Protocol (RDP). When you tick "Remember me" in the RDP client, the credential is stored in Credential Manager as a Domain Password (Windows credential) type, and Credential Guard refuses to release that type to the RDP client. A Generic credential stored under the same TERMSRV/<host> target is not subject to that block, so the fix is to delete the saved credential and recreate it with the Generic type.

How to fix the error

Many forums or guides suggest disabling Windows Defender Credential Guard to fix this error, using tedious approaches such as registry editing or group policy. However, doing that removes the protection Credential Guard gives the rest of your logon secrets (NTLM hashes and Kerberos tickets) just to restore one convenience. In this post, I will show you how to remediate the situation in a much safer way that keeps Credential Guard enabled and only changes how the RDP credential is stored. One caveat applies to both methods: a Generic credential is protected only by DPAPI under your user profile, not by Credential Guard, so any process running as your user account can read the plaintext password back out of Credential Manager (the PowerShell method below does exactly that). Save a credential this way only if you accept that trade-off. You can use one of these two approaches:

Command prompt

  1. To view the saved credential, use this command:
    cmdkey /list:TERMSRV/WebServer

    View the saved credentials using cmdkey

    Here, WebServer refers to the remote computer, which could be either a computer name or an IP address; it must match the target name exactly as the RDP client saved it. To view all saved credentials, run cmdkey /list with no target. In the output you can see the credential is currently saved as a Domain type. cmdkey does not allow changing the type of an existing credential, so deleting it and creating a new one is the only supported way.

  2. To delete the credential, run this command:
    cmdkey /delete:TERMSRV/WebServer

    Delete the saved credentials using cmdkey

    The old incompatible credential just got deleted.

  3. Now create a new Generic type credential with this command:
    cmdkey /generic:TERMSRV/WebServer /user:[email protected] /pass:YourSecretPass

    Create a generic credential using cmdkey

    That’s it. You just created a Generic credential for the target remote computer which is compatible with Windows Defender Credential Guard. You can now connect to your remote computer using RDP and the error should go away. Note that a password passed on the command line with /pass is visible in the process command line while cmdkey runs and, if you type the command in a PowerShell console, is also written to the PSReadLine history file on disk. If that concerns you, use the PowerShell method below, which never needs the password typed in.

PowerShell method

The PowerShell method lets you recreate the credential without typing the existing username and password. It reads the current values from Credential Manager into variables, recreates the credential, and then clears the variables. To use it, you need the third-party CredentialManager module from the PowerShell Gallery. Follow these steps:

  • Install the credential manager PowerShell module with this command:
    Install-Module -Name CredentialManager -Force

    This command installs the CredentialManager module from the PSGallery repository. If you are prompted that the repository is untrusted, answer Yes to continue.

  • Now run these PowerShell commands in the same order:
    # Read the existing credential once; -AsCredentialObject exposes the plaintext password
    $cred = Get-StoredCredential -Target "TERMSRV/WebServer" -AsCredentialObject
    $user = $cred.UserName
    $pass = $cred.Password
    Remove-StoredCredential -Target "TERMSRV/WebServer"
    # -Persist LocalMachine keeps the credential across logoff; the module's default is Session
    New-StoredCredential -Target "TERMSRV/WebServer" -UserName $user -Password $pass -Type Generic -Persist LocalMachine | Out-Null
    Remove-Variable -Name cred, user, pass

    Delete and recreate a stored credential with PowerShell

    These commands read the existing username and password into variables, delete the existing credential and finally create a compatible (Generic) credential. The variable is named $pass rather than $pwd because $PWD is a PowerShell automatic variable (the current directory) and should not be overwritten. If you do not want to reuse the existing credentials for any reason, you can delete the existing one and create a new credential directly by giving -UserName and -Password values of your own. Remember, the parameter that makes the difference here is -Type Generic.

  • To view the newly created credential, use this command:
    Get-StoredCredential -Target "TERMSRV/WebServer"

    View the saved credentials using PowerShell

    Once the Generic credential is recreated, the Windows Defender Credential Guard does not allow using saved credentials error should go away.
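The following function wraps both procedures above (the cmdkey steps and the PowerShell steps) into one reusable, idempotent command, with a check that Credential Guard is actually running before anything is changed. It is an added example, not code from the original post or from the CredentialManager module. It assumes the CredentialManager module is installed, that the object returned by Get-StoredCredential -AsCredentialObject exposes UserName, Password and Type properties as the module documents, and that LocalMachine is an accepted value for -Persist; the host name WebServer in the usage line is a placeholder.

```powershell
# Added example: convert a saved Domain-type RDP credential into a Generic one
# so it works with Credential Guard enabled. Assumes the CredentialManager
# PSGallery module (Install-Module -Name CredentialManager).

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard
    # is running (2 is HVCI). Missing class means no VBS on this machine.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
}

function Convert-RdpCredentialToGeneric {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Name or IP address exactly as the RDP client saved it (TERMSRV/<host>)
        [Parameter(Mandatory)] [string]$ComputerName
    )

    Import-Module CredentialManager -ErrorAction Stop
    $target = "TERMSRV/$ComputerName"

    # -AsCredentialObject returns the stored type and the plaintext password.
    # Any process running as this user can read the same data back, which is
    # the security trade-off of a Generic credential.
    $existing = Get-StoredCredential -Target $target -AsCredentialObject
    if (-not $existing) {
        Write-Warning "No saved credential found for $target; nothing to convert."
        return
    }
    if ("$($existing.Type)" -eq 'Generic') {
        Write-Verbose "$target is already stored as a Generic credential."
        return $existing
    }

    if ($PSCmdlet.ShouldProcess($target, "Recreate $($existing.Type) credential as Generic")) {
        # cmdkey and the module cannot change the type in place: delete, then recreate.
        Remove-StoredCredential -Target $target
        New-StoredCredential -Target $target -UserName $existing.UserName `
            -Password $existing.Password -Type Generic -Persist LocalMachine | Out-Null
        $existing = $null   # drop our reference to the plaintext copy
        return (Get-StoredCredential -Target $target -AsCredentialObject)
    }
}

# Usage (placeholder host): only convert when Credential Guard is the reason
# saved credentials are refused; otherwise leave the Domain credential alone.
if (Test-CredentialGuardRunning) {
    Convert-RdpCredentialToGeneric -ComputerName 'WebServer' -Verbose
} else {
    Write-Host 'Credential Guard is not running; the saved credential does not need converting.'
}
```

Run it with -WhatIf first to see which credential would be recreated without touching Credential Manager, then run it for real and check Get-StoredCredential -Target "TERMSRV/WebServer" reports the Generic type.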

Well, that’s it for this post. Let me know which method you find interesting and why.



Microsoft Certified | Cisco Certified
