The Your credentials did not work error in Remote Desktop doesn’t mean your password is wrong. In many cases, the connecting machine is sending stale cached credentials that survived a password change. In some setups, the target machine is in a Windows Hello PIN-based sign-in state that can block Microsoft Account RDP sign-in. Those are the most common triggers, but credential failures have more than a dozen distinct root causes across both machines.

This guide covers the most reliable fixes reported across Microsoft documentation and Q&A, as well as repeated community troubleshooting threads.

Table of Contents

Find your most likely cause in the table below and go directly to that fix instead of testing every single option.

Cause	Side	Fix Section
Cached or outdated credentials	Client	Fix 1
Windows Hello PIN-related Microsoft Account sign-in issue	Target machine	Fix 2
Wrong username format	Client	Fix 3
User not in Remote Desktop Users group	Target machine	Fix 4
Credentials Delegation blocked by GPO	Client	Fix 5
RDP Security Layer mismatch	Target machine	Fix 6
`Always prompt for password` is enabled	Target machine	Fix 7
Network profile set to `Public`	Target machine	Fix 8
LAN Manager Authentication Level mismatch	Target machine	Fix 9
`fDenyTSConnections` set to `1`	Target machine	Fix 10
Blank password restriction	Target machine	Fix 11
RDP listener not active	Target machine	Fix 12
Expired RDP certificate	Target machine	Edge Cases
Non-default RDP port	Target machine	Edge Cases

This is the most confirmed fix when Remote Desktop credentials did not work on machines using Microsoft Accounts with Windows Hello PIN enabled. In user reports, signing in locally with the account password has restored RDP access after PIN-only usage on the target device.

NOTE: Windows Hello for Business is a separate enterprise feature that does support RDP sign-in through certificate-based deployment via Microsoft Intune or Active Directory Certificate Services. That requires PKI infrastructure, certificate deployment, and domain controller certificates. It is not available in standard consumer or SMB setups and is unrelated to the consumer PIN scenario described here.

On the target machine, sign out of the current session.
At the sign-in screen, click Sign-in options.
Select the password option (the key icon).
Sign in with your full Microsoft Account password.
Retry the RDP connection from the connecting machine.

At the sign-in screen, click Sign-in options, then click I forgot my PIN.
Authenticate with your Microsoft Account credentials, including any two-factor approval.
When prompted to reset your PIN, confirm the reset. You can re-enter the same PIN.
Retry the RDP connection after the password-based sign-in flow completes.

Multiple users confirmed that disabling this single toggle resolved the problem without needing to sign out and back in.

On the target machine, go to Settings > Accounts > Sign-in options.
Find For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device.
Turn it off.
Sign out and sign back in using the Microsoft Account password.

Windows Credential Manager on the connecting machine caches TERMSRV/ entries. After a password change, it silently sends the old password on every connection attempt without prompting.

On the connecting machine, open Credential Manager. Search for it in Start, or run control /name Microsoft.CredentialManager.
Click Windows Credentials.
Find every entry beginning with TERMSRV/ followed by the remote machine’s name or IP address.
Click each entry, then click Remove.
Reconnect. Windows will prompt for fresh credentials.

Open Remote Desktop Connection (mstsc.exe).
Enter the remote machine name or IP address.
Click Show Options.
In Logon settings, click the edit link next to the saved username.
Enter the current password and save.

Some configurations refuse to retain RDP credentials across sessions. Adding a generic credential entry directly in Credential Manager forces Windows to use it.

Open Credential Manager > Windows Credentials.
Click Add a generic credential.
In the Internet or network address, enter TERMSRV/ followed by the remote machine’s hostname or IP address. For example: TERMSRV/103.27.76.117 or TERMSRV/COMPUTERNAME.
Enter the username and password.
Click OK, close Credential Manager, and reconnect.

The format of the username you type determines which authentication provider Windows targets. Using the wrong format routes the request to the wrong identity source and fails even with a correct password.

Microsoft documents that for a remote Microsoft Entra joined device, you can sign in with either user@domain.com or AzureAD\user@domain.com, depending on the sign-in path used. If one format fails, try the other.

Account Type	Correct Format	Notes
Local account	`COMPUTERNAME\username`	Example: `DESKTOP-AB12\john`
Domain account (NetBIOS)	`DOMAIN\username`	Example: `CORP\johndoe`
Domain account (UPN)	`username@domain.com`	Example: `johndoe@corp.local`
Microsoft Account	Full email address	Example: `john@outlook.com`
Microsoft Entra joined	`AzureAD\user@domain.com` or `user@domain.com`	Microsoft documents both formats for different sign-in paths. Try the alternate if the first fails.

How to Fix Remote Desktop Credentials Not Working

12 Ways to Fix Remote Desktop Credentials Not Working

Fix 1: Sign in Once with Your Password on the Target Machine (Windows Hello PIN Issue)

Method A: Sign out and sign back in with a password

Method B: If the password option is missing or greyed out

Method C: Disable the Windows Hello-only sign-in toggle (standalone fix)

Fix 2: Clear Stale Credentials from Credential Manager on the Connecting Machine

Method A: Remove entries via Credential Manager

Method B: Update the password directly in the RDP client

Method C: Add a manual generic credential when saved credentials won’t persist

Fix 3: Use the Correct Username Format