How to Fix Remote Desktop Credentials Not Working

avatar May 27, 2026
How to Fix Remote Desktop Credentials Not Working

The Your credentials did not work error in Remote Desktop doesn’t mean your password is wrong. In many cases, the connecting machine is sending stale cached credentials that survived a password change. In some setups, the target machine is in a Windows Hello PIN-based sign-in state that can block Microsoft Account RDP sign-in. Those are the most common triggers, but credential failures have more than a dozen distinct root causes across both machines.

This guide covers the most reliable fixes reported across Microsoft documentation and Q&A, as well as repeated community troubleshooting threads.

Table of Contents

12 Ways to Fix Remote Desktop Credentials Not Working

Find your most likely cause in the table below and go directly to that fix instead of testing every single option.

Cause Side Fix Section
Cached or outdated credentials Client Fix 1
Windows Hello PIN-related Microsoft Account sign-in issue Target machine Fix 2
Wrong username format Client Fix 3
User not in Remote Desktop Users group Target machine Fix 4
Credentials Delegation blocked by GPO Client Fix 5
RDP Security Layer mismatch Target machine Fix 6
Always prompt for password is enabled Target machine Fix 7
Network profile set to Public Target machine Fix 8
LAN Manager Authentication Level mismatch Target machine Fix 9
fDenyTSConnections set to 1 Target machine Fix 10
Blank password restriction Target machine Fix 11
RDP listener not active Target machine Fix 12
Expired RDP certificate Target machine Edge Cases
Non-default RDP port Target machine Edge Cases

Fix 1: Sign in Once with Your Password on the Target Machine (Windows Hello PIN Issue)

This is the most confirmed fix when Remote Desktop credentials did not work on machines using Microsoft Accounts with Windows Hello PIN enabled. In user reports, signing in locally with the account password has restored RDP access after PIN-only usage on the target device.

NOTE: Windows Hello for Business is a separate enterprise feature that does support RDP sign-in through certificate-based deployment via Microsoft Intune or Active Directory Certificate Services. That requires PKI infrastructure, certificate deployment, and domain controller certificates. It is not available in standard consumer or SMB setups and is unrelated to the consumer PIN scenario described here.

Method A: Sign out and sign back in with a password

  1. On the target machine, sign out of the current session.

  2. At the sign-in screen, click Sign-in options.

  3. Select the password option (the key icon).

  4. Sign in with your full Microsoft Account password.

  5. Retry the RDP connection from the connecting machine.

Method B: If the password option is missing or greyed out

  1. At the sign-in screen, click Sign-in options, then click I forgot my PIN.

  2. Authenticate with your Microsoft Account credentials, including any two-factor approval.

  3. When prompted to reset your PIN, confirm the reset. You can re-enter the same PIN.

  4. Retry the RDP connection after the password-based sign-in flow completes.

Method C: Disable the Windows Hello-only sign-in toggle (standalone fix)

Multiple users confirmed that disabling this single toggle resolved the problem without needing to sign out and back in.

  1. On the target machine, go to Settings > Accounts > Sign-in options.

  2. Find For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device.

  3. Turn it off.

  4. Sign out and sign back in using the Microsoft Account password.

Fix 2: Clear Stale Credentials from Credential Manager on the Connecting Machine

Windows Credential Manager on the connecting machine caches TERMSRV/ entries. After a password change, it silently sends the old password on every connection attempt without prompting.

Method A: Remove entries via Credential Manager

  1. On the connecting machine, open Credential Manager. Search for it in Start, or run control /name Microsoft.CredentialManager.

  2. Click Windows Credentials.

    Navigating to Windows Credentials in Credential Manager

  3. Find every entry beginning with TERMSRV/ followed by the remote machine’s name or IP address.

  4. Click each entry, then click Remove.

  5. Reconnect. Windows will prompt for fresh credentials.

Method B: Update the password directly in the RDP client

  1. Open Remote Desktop Connection (mstsc.exe).

  2. Enter the remote machine name or IP address.

  3. Click Show Options.

  4. In Logon settings, click the edit link next to the saved username.

  5. Enter the current password and save.

Method C: Add a manual generic credential when saved credentials won’t persist

Some configurations refuse to retain RDP credentials across sessions. Adding a generic credential entry directly in Credential Manager forces Windows to use it.

  1. Open Credential Manager > Windows Credentials.

  2. Click Add a generic credential.

    Adding a generic credential in Credential Manager

  3. In the Internet or network address, enter TERMSRV/ followed by the remote machine’s hostname or IP address. For example: TERMSRV/103.27.76.117 or TERMSRV/COMPUTERNAME.

  4. Enter the username and password.

  5. Click OK, close Credential Manager, and reconnect.

Fix 3: Use the Correct Username Format

The format of the username you type determines which authentication provider Windows targets. Using the wrong format routes the request to the wrong identity source and fails even with a correct password.

Microsoft documents that for a remote Microsoft Entra joined device, you can sign in with either user@domain.com or AzureAD\user@domain.com, depending on the sign-in path used. If one format fails, try the other.

Account Type Correct Format Notes
Local account COMPUTERNAME\username Example: DESKTOP-AB12\john
Domain account (NetBIOS) DOMAIN\username Example: CORP\johndoe
Domain account (UPN) username@domain.com Example: johndoe@corp.local
Microsoft Account Full email address Example: john@outlook.com
Microsoft Entra joined AzureAD\user@domain.com or user@domain.com Microsoft documents both formats for different sign-in paths. Try the alternate if the first fails.

Fix 4: Add the User to the Remote Desktop Users Group and Verify Logon Rights

An account must belong to either the Remote Desktop Users group or the Administrators group on the target machine. Event ID 4625 with substatus 0xC000015B confirms the user hasn’t been granted the required logon type. Group membership alone can still be blocked by an explicit Deny in User Rights Assignment.

  1. On the target machine, run this command as Administrator:
    net localgroup "Remote Desktop Users" /add "DOMAIN\username" or in PowerShell:
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member "DOMAIN\username"

  2. Open Run and type secpol.msc.

  3. Navigate to Local Policies > User Rights Assignment.

  4. Double-click Allow log on through Remote Desktop Services.

    Allowing log on through Remote Desktop Services in Local Security Policy

  5. Click Add User or Group.

    Adding User or Group in the Local Security Setting

  6. Type the account name, and click OK.

  7. Check the same list for any Deny log on through Remote Desktop Services entry containing the user or their group. Remove any explicit deny entries.

    Looking for Deny log on through Remote Desktop Services entries in Local Security Policy

Fix 5: Fix Credentials Delegation Group Policy on the Connecting Machine

When Credentials Delegation policies on the connecting machine restrict how credentials are forwarded, the RDP client can’t pass authentication even with a correct password. This applies to all account types and is one of the most overlooked causes of credentials not working for Remote Desktop. The fix runs on the client machine, not the remote one.

  1. On the connecting machine, open Run and type gpedit.msc.

  2. Navigate to Computer Configuration > Administrative Templates > System > Credentials Delegation.

    Navigating to Credentials Delegation in Local Group Policy Editor

  3. Set Deny delegating saved credentials to Not Configured.

  4. Set Deny delegating fresh credentials to Not Configured.

    Setting Deny delegating saved credentials and Deny delegating fresh credentials to Not Configured

  5. Open Allow delegating saved credentials with NTLM-only server authentication. Set it to Enabled.

    Setting Allow delegating saved credentials with NTLM-only server authentication to Enabled

  6. Click Show beside Add servers to the list and enter TERMSRV/*. Click OK.

    Adding servers to the list in Local Group Policy Editor

  7. Repeat step 5 for: Allow delegating saved credentials, Allow delegating fresh credentials with NTLM-only server authentication, and Allow delegating fresh credentials.

  8. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client.

    Navigating to Remote Desktop Connection Client in Local Group Policy Editor

  9. Set Do not allow passwords to be saved to Not Configured.

  10.  Set Prompt for credentials on the client computer to Not Configured.

    Setting Do not allow passwords to be saved and Prompt for credentials on the client computer to Not Configured

  11. Close the Group Policy Editor and run gpupdate /force in an elevated command prompt.

    Updating Local Group Policy in the Command Prompt

Fix 6: Change the RDP Security Layer via Group Policy on the Target Machine

Multiple users confirmed this fix after all other solutions failed. When the negotiated security layer between client and target can’t agree, authentication is refused before credentials are fully evaluated.

  1. On the target machine, open Run and type gpedit.msc.

  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

    Navigating to Remote Desktop Session Host's Security in Local Group Policy Editor

  3. Open Require use of specific security layer for remote (RDP) connections.

    Opening the Require use of specific security layer for remote (RDP) connections entry in Local Group Policy Editor

  4. Set it to Enabled. In the dropdown, select RDP as the Security Layer.

    Setting the Require use of specific security layer for remote (RDP) connections to Enabled and setting the Security Layer to RDP

  5. Click OK, then run gpupdate /force in an elevated command prompt.

Fix 7: Disable “Always Prompt for Password” on the Target Machine

When this policy is enabled on the remote machine, it overrides saved credentials on the client and forces a re-authentication prompt. That prompt fails silently, producing the credentials error rather than a visible password dialog.

  1. On the target machine, open Run and type gpedit.msc.

  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

  3. Open Always prompt for password upon connection.

    Navigating to Always prompt for password upon connection in Local Group Policy Editor

  4. Set it to Disabled or Not Configured.

    Setting Always prompt for password upon connection to Not Configured

  5. Sign out and back in, or run gpupdate /force.

Fix 8: Change the Network Profile from Public to Private on the Target Machine

When the target machine’s network profile is set to Public, Windows blocks incoming RDP connections. Microsoft’s RDP troubleshooting guidance treats network profile and firewall configuration as valid causes of connection failure. This is a common find when everything else in the setup looks correct.

  1. On the target machine, open Settings > Network and Internet > Status.

  2. Click Change connection properties.

  3. Set the Network Profile to Private.

Fix 9: Set the LAN Manager Authentication Level on the Target Machine

An authentication level mismatch between the connecting machine and the remote machine causes credential rejection at the NTLM negotiation layer, whether the password is correct or not.

  1. On the target machine, open Run and type gpedit.msc.

  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

    Navigating to Local Policies' Security Options in Local Group Policy Editor

  3. Open Network security: LAN Manager authentication level.

    Navigating to Network security LAN Manager authentication level in Local Group Policy Editor

  4. Set it to one of these three confirmed working values: Send NTLMv2 response only, Send NTLMv2 response only. Refuse LM, or Send NTLMv2 response only. Refuse LM and NTLM. Any of the three resolves the mismatch. The most permissive option to try first is Send NTLMv2 response only.

  5. Click OK.

Fix 10: Check the fDenyTSConnections Registry Key and RDP Port

When RDP appears enabled in Settings, but connections still fail, two registry values may be overriding the UI setting. Microsoft documents fDenyTSConnections as the setting that controls whether users can connect remotely using Remote Desktop Services.

  1. Open Registry Editor as Administrator (regedit.exe).

  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

    Looking for fDenyTSConnections in Registry Editor

  3. Confirm fDenyTSConnections is set to 0.

  4. Also check:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If fDenyTSConnections appears here set to 1, a Group Policy is enforcing the block. Changing the local value won’t stick. The GPO must be corrected at its source.

  5. To verify the RDP port hasn’t been changed from the default, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp

    Looking for PortNumber in Registry Editor

  6. Find PortNumber. Switch the display base to Decimal.

    Modifying the PortNumber value in Registry Editor

  7. The value should be 3389. If it is not, your RDP client must connect on that custom port instead, using the format hostname:PORT.

After any registry change, restart Remote Desktop Services: open services.msc, find Remote Desktop Services, right-click, and select Restart.

Fix 11: Address a Blank Password on the Target Account

Windows blocks RDP by default for accounts with no password set. This is a local security policy restriction, not an RDP setting.

  1. Open Run and type gpedit.msc.

  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

  3. Open Accounts: Limit local account use of blank passwords to console logon only.

    Navigating to Accounts Limit local account use of blank passwords to console logon only in Local Group Policy Editor

  4. Set it to Disabled.

    Setting Accounts Limit local account use of blank passwords to console logon only to Disabled in Local Group Policy Editor

Setting a password on the account is the cleaner fix. Allowing blank-password RDP is a security exposure worth avoiding.

Fix 12: Check the RDP Listener Status

Before assuming the problem is credential-related, confirm the RDP protocol is actually listening for connections on the target machine. If the RDP listener isn’t active, the server rejects connections at the protocol level before Remote Desktop credentials are evaluated. This produces errors that look like authentication failures.

Run this command with administrative access on the target machine, via PowerShell Remoting or physical console access:

qwinsta

Look for an entry named rdp-tcp with STATE set to Listen. If it is absent or shows a different state, the RDP service has a protocol failure. Check the registry keys in Fix 10 above and the RDP certificate in the edge cases section below, then restart Remote Desktop Services.

PRO TIP: On every machine you remotely manage, maintain one dedicated local administrator account that doesn’t use a Microsoft Account sign-in. When MSA, PIN, or certificate issues block RDP, a local account bypasses the MSA credential pipeline entirely and gives you a working path in.

For IT support teams doing remote work across multiple machines, HelpWire is worth keeping alongside RDP. Sessions start with a link rather than requiring the remote user to touch any system settings. This means RDP authentication failures on the remote machine don’t block a support session from starting. Keep local admin credentials in a password manager, not cached in Credential Manager on your own machine.

Edge Case Fixes on Credentials Not Working for Remote Desktop

RDP Self-Signed Certificate Failure (Event ID 1057 or 1058)

Open Event Viewer on the target machine and check Windows Logs > System for Event ID 1057 or 1058 from Microsoft-Windows-TerminalServices-RemoteConnectionManager. Those events indicate the self-signed certificate has failed to renew.

  1. Open mmc.exe > File > Add/Remove Snap-in > Certificates > Computer Account.

  2. Navigate to Certificates > Remote Desktop.

  3. Delete the expired self-signed certificate.

  4. Restart Remote Desktop Services in services.msc. Windows regenerates the certificate automatically.

If no new certificate appears, permissions on the MachineKeys folder are broken:

  1. Navigate to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.

  2. Take ownership of the RDP-related key file.

  3. Delete the file.

  4. Restart Remote Desktop Services.

Verify DNS and Machine Targeting

When connecting by hostname, confirm DNS is resolving to the correct machine, particularly after a machine rebuild or IP change.

  1. On the target machine, run IPCONFIG /All in an elevated command prompt and note the actual IP address.

  2. On the connecting machine, run nslookup MACHINENAME and confirm the returned IP matches.

  3. Also run Test-NetConnection -ComputerName SERVER-IP -Port 3389 in PowerShell. If TcpTestSucceeded returns False, the issue is network or firewall, not credentials.

  4. If DNS is stale, connect by IP address directly or update the DNS record.

Account Lockout

Repeated failed RDP attempts trigger the lockout policy on domain-joined machines. Check Event Viewer on the domain controller for Event ID 4625 with Sub Status 0xC0000234. For a local account on the target machine, run:

net user USERNAME

Look for Account active: No in the output. To re-enable:

net user USERNAME /active:yes

Azure AD / Entra ID Joined Machines

Microsoft documents that for a remote Microsoft Entra joined device, you can sign in with user@domain.com or AzureAD\user@domain.com, depending on the sign-in path. If one format fails, try the other. In either case, confirm the user is added to the Remote Desktop Users group on the target machine. Additionally, check the device in the Entra admin center under Devices > the specific device > Local administrators.

How to Read Event Viewer for RDP Login Failures

Event ID 4625 in Windows Security Logs records every failed logon. The Sub Status field identifies the exact authentication failure reason, which eliminates guesswork from diagnosis entirely.

Sub Status Code Failure Reason Fix to Apply
0xC000006A Correct username, wrong password Clear Credential Manager, verify current password
0xC0000234 Account locked out Unlock via admin account or wait for the lockout policy
0xC0000072 Account disabled Enable the account in Computer Management
0xC0000071 Password expired Change the password on the target account
0xC000015B User lacks RDP logon right Add to the Remote Desktop Users group and check the User Rights Assignment

To access these logs: open Event Viewer > Windows Logs > Security > filter by Event ID 4625. In the event details, expand Failure Information and read the Sub Status hex value.

Common Mistakes Made When Windows Remote Desktop Credentials Did Not Work

The first thing most people would do when Windows Remote Desktop credentials did not work is reset their Microsoft Account password. It doesn’t help for the PIN and cached credential scenarios described above. The problem is often not the account password itself but cached credentials or a mismatched authentication state between devices. Resetting the password doesn’t fix the issue because the client continues submitting the older cached credential until the saved TERMSRV/ entry is cleared or replaced.

The second common attempt is toggling NLA on and off. For the Windows Hello PIN issue and stale cached credentials, the NLA state is not the variable. The PIN issue occurs because standard Windows Hello PIN authentication is device-bound and is not forwarded over standard RDP authentication flows. Disabling NLA also weakens connection security without addressing the root cause.

A third approach circulating in some forum threads involves deleting the WinStations registry key. However, this can make the machine inoperable and require a full OS reinstall.

When RDP configuration is the problem itself, rather than a credential formatting issue, a tool built for support work is worth keeping in the toolkit. For example, HelpWire starts sessions by sending a link to the remote user, who runs a lightweight client. You then connect without needing to authenticate against the remote machine’s local accounts at all. When you need to get into a machine whose RDP credential stack is broken, that removes the dependency on RDP being correctly configured.

Frequently Asked Questions

When you see Remote Desktop credentials not working, the most common reason is a stale password cached in Windows Credential Manager on the connecting machine, sent automatically after a password change without prompting. Another common reason is that the target machine last authenticated locally with a Windows Hello PIN, which can block Microsoft Account RDP sign-in in some setups.

A standard Windows Hello PIN is device-bound and isn’t forwarded over standard RDP authentication flows. RDP requires a password-based credential in standard consumer and SMB configurations.


Windows Hello for Business is a separate enterprise feature that does support RDP through certificate-based authentication, but it requires PKI infrastructure, certificate deployment via Intune or AD CS, and domain controller certificates. It isn’t available in standard consumer or SMB setups.

Open Credential Manager from the Start menu, click Windows Credentials, and remove every entry beginning with TERMSRV/ that corresponds to the remote machine. If credentials won’t persist between sessions, use Add a generic credential in Credential Manager and manually enter the TERMSRV/[hostname] address alongside the username and password.

Yes. Credentials Delegation settings under Computer Configuration > Administrative Templates > System in Group Policy on the connecting machine control whether credentials are forwarded at all. Deny delegating saved credentials or Deny delegating fresh credentials set to Enabled blocks authentication silently. Setting both to Not Configured and enabling TERMSRV/* under Allow delegating saved credentials with NTLM-only server authentication resolves this.

Clear Credential Manager entries on the connecting machine and retry. If the connection still fails, run Test-NetConnection -ComputerName SERVER-IP -Port 3389 in PowerShell. If TcpTestSucceeded returns True but credentials still fail, the problem is on the target machine. If it returns False, the issue is the network or the firewall. Once on the target machine, read Event ID 4625 in the Security Log to identify the exact failure reason.

HelpWire
4.6

Empower remote support with free simple remote desktop software.

Visit site
Price: Free
Supported systems: Windows, macOS, Linux
HelpWire
Cookie
Electronic Team uses cookies to personalize your experience on our website. By continuing to use this site, you agree to our cookie policy. Click here to learn more.