How to Disable RDP Password Saving on All Endpoints Using Microsoft Intune

Start by signing into the Microsoft Intune admin center where you'll create the configuration policy. This is your central hub for managing all device policies across your organization.

Open your web browser and navigate to https://endpoint.microsoft.com. Sign in using your administrator credentials that have permissions to create and manage device configuration policies.

Once logged in, you'll see the main dashboard. The interface should display your tenant information and various management options. Take a moment to verify you're in the correct tenant if your organization uses multiple tenants.

Now you'll access the device configuration section where all Windows policies are managed. This is where you'll create the new policy to disable RDP password saving.

In the left navigation pane, click on Devices. This expands the devices menu with several sub-options. Next, click on Configuration under the "Manage devices" section.

You'll see the Configuration page displaying any existing policies. At the top of the page, click the Create button, then select New policy from the dropdown menu.

A "Create a profile" wizard will open. This is where you'll define the platform and profile type for your new policy.

Select the correct platform and profile type to ensure your policy targets Windows devices and uses the modern Settings Catalog approach. The Settings Catalog is Microsoft's recommended method for configuring Windows policies in 2026.

In the "Create a profile" dialog:

• Set Platform to Windows 10 and later
• Set Profile type to Settings catalog

Click Create to proceed to the policy configuration wizard.

The Settings Catalog provides a more intuitive interface compared to the legacy Custom profile method and includes built-in validation for policy settings.

Provide clear identification and documentation for your policy. This helps with management and troubleshooting, especially in large organizations with multiple administrators.

On the Basics tab, fill in the following information:

• Name: Disable RDP Password Saving - Security Policy
• Description: Prevents users from saving Remote Desktop credentials by disabling the 'Allow me to save credentials' checkbox in RDP client. Enhances security by requiring credential entry for each RDP session.

The name should be descriptive enough that other administrators can understand the policy's purpose without opening it. Include keywords like "RDP," "Security," and "Password" to make it searchable.

Click Next to proceed to the configuration settings.

Now you'll locate and configure the specific Windows policy setting that controls RDP password saving. The Settings Catalog organizes thousands of Windows policies in a searchable interface.

On the Configuration settings tab, click + Add settings. This opens the settings picker where you can search for or browse to specific policies.

In the search box, type: Do not allow password saving

Alternatively, you can browse to the setting by expanding: Administrative Templates > System > Group Policy > Continue experiences on this device

Select the checkbox next to "Do not allow password saving" and click Add.

Configure the policy setting to actively prevent password saving in the Remote Desktop client. This is the core security configuration that will be enforced on all targeted devices.

In the Configuration settings list, you'll see the "Do not allow password saving" setting with a toggle switch. Click the toggle to set it to Enabled.

When enabled, this setting modifies the Windows registry to prevent the RDP client from displaying the "Allow me to save credentials" checkbox. Users will be required to enter their credentials for every RDP session.

The setting corresponds to the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving with a DWORD value of 1.

Click Next to proceed to the assignment configuration.

Define which devices or users will receive this security policy. Proper assignment ensures the policy reaches the intended endpoints without affecting systems that shouldn't be restricted.

On the Assignments tab, click + Add groups to select your target audience.

You have several assignment options:

• All devices: Applies to every Windows device enrolled in Intune
• Specific device groups: Target particular departments or device types
• All users: Applies based on user login rather than device
• Specific user groups: Target particular user populations

For maximum security coverage, select All devices or choose specific Azure AD groups that contain your target devices. Click Select to confirm your choice.

Click Next to proceed to the final review.

Perform a final review of all policy settings before deployment. Once created, the policy will begin deploying to assigned devices during their next Intune check-in cycle.

On the Review + create tab, carefully verify:

• Policy name and description are correct
• Platform: Windows 10 and later
• Profile type: Settings catalog
• Setting: "Do not allow password saving" is Enabled
• Assignments: Correct groups are targeted

If everything looks correct, click Create to deploy the policy.

The policy will appear in your Configuration policies list with a status of "Pending" initially, then change to "Succeeded" as devices receive and apply the configuration.

Track the policy deployment status to ensure it's reaching target devices and being applied successfully. Monitoring helps identify any deployment issues early.

Navigate back to Devices > Configuration and locate your "Disable RDP Password Saving" policy in the list. Click on the policy name to open its details.

In the policy overview, you'll see deployment statistics including:

• Succeeded: Devices that successfully applied the policy
• Error: Devices that encountered issues
• Conflict: Devices with conflicting policies
• Not applicable: Devices that don't meet the policy criteria

Click on Device status to see individual device results. This view shows which specific devices have applied the policy and any error details.

Confirm the policy is working correctly by testing the RDP client behavior on a target device. This verification ensures users can no longer save credentials as intended.

On a device that has received the policy (check Device status to confirm), open the Remote Desktop Connection client by running:

mstsc.exe

In the Remote Desktop Connection window, enter any server name or IP address in the "Computer" field. Before clicking Connect, look for the "Allow me to save credentials" checkbox.

The checkbox should be grayed out and unchecked, preventing users from saving their credentials. This confirms the policy is active.

You can also verify the registry setting directly by opening Registry Editor and navigating to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

Look for the DisablePasswordSaving DWORD value, which should be set to 1.