How’s that for a double negative? Disabling the disabling of password saving. In essence, allowing users to cache/save passwords for SSO (single sign-on) when authenticating to MED-V workspaces. In MED-V, if the credentials do not match, or you do not check the box to have your credentials remembered, you are presented with the standard RDP prompt for access to the virtual machine.
This is not to be confused with the initial MED-V prompt for authentication (first appearing during first-time-setup) which looks like this:
Both RDP and MED-V can allow for the caching of credentials; however, while MED-V only temporarily caches credentials in memory, RDP will cache them using the Credential Manager. The MED-V authentication mirrors that of RDP in that the Windows 7 host is connecting via RDP to the Windows XP virtual machine. Depending on how you have configured MED-V settings for authentication, the end user is typically prompted at some point to enter their password, either the first time MED-V is started or the first time they try to open a published application. If LogonStartEnabled has been configured, it will happen when MED-V starts in the user session. Otherwise, it will occur when you first launch a published MED-V application. Caching credentials seems like it would make sense, as it does improve the user experience, but there are trade-offs.
MED-V has a special credential manager that helps to avoid the above inconvenience. It allows you to control aspects of credential caching including:
Pre MED-V Workspace Deployment
While you are creating the MED-V workspace package, you can modify the configuration through PowerShell (the New-MedvConfiguration cmdlet) by setting UxCredentialCachingEnabled to either 1 or 0. This simply tells MED-V whether or not the “Remember My Credentials” check box will be in place for MED-V FTS and RDP authentication prompts.
After MED-V Workspace Deployment
The MED-V Credential component cannot override the Group Policy Remote Desktop Connection Client “Do not allow passwords to be saved” value. This is represented in the registry by the DisablePasswordSaving value. One way you can set this post-deployment is by modifying this policy. This policy controls whether the password-saving check box appears on the RDP client dialog window and whether the MED-V credential prompt is displayed.
My favorite way of disengaging credential caching altogether is by changing the UxCredentialCacheEnabled in WMI to FALSE.
The WMIC command easily can do this:
WMIC /namespace:\\root\Microsoft\Medv PATH setting set uxCredentialCacheEnabled=FALSE
After that, the option to save the password will no longer be available:
If you also want to manually leverage the RDP policy to DisablePasswordSaving, you can do so by going to the following registry key:
Play it Safe
While users prefer caching the credentials to avoid retyping them, there are risks associated with doing so. When credential caching is enabled, the end user’s password is stored in a reversible format through CredMan (the Windows Credential Manager). This exposes the user to potential issues should a malicious program somehow get onto that system and run as SYSTEM: the credentials could then be retrieved. The only way to reduce this exposed surface area is by setting DisablePasswordSaving to Enabled and modifying the UxCredentialCacheEnabled property.
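The following PowerShell script is an added example, not code from the original post or from the MED-V product. It audits both settings discussed above on a Windows 7 MED-V host (the MED-V UxCredentialCacheEnabled WMI property and the RDP DisablePasswordSaving policy value) and applies the hardened state only when a check fails. It assumes, from the WMIC command above, that the MED-V settings live in the WMI class Setting under root\Microsoft\Medv and that UxCredentialCacheEnabled is a boolean; the registry location is the standard machine policy key behind the “Do not allow passwords to be saved” Group Policy setting. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post or the MED-V product).
# Assumptions: the MED-V WMI class is 'Setting' in root\Microsoft\Medv with a boolean
# 'UxCredentialCacheEnabled' property (mirroring the post's WMIC command); the RDP policy
# lives at the standard Terminal Services machine policy key. Written for PowerShell 2.0,
# which is what Windows 7 ships with, so no [pscustomobject] or CIM cmdlets are used.

$MedvNamespace = 'root\Microsoft\Medv'
$MedvClass     = 'Setting'
$RdpPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpPolicyName = 'DisablePasswordSaving'

function Get-CredentialCachingState {
    # Read both settings. A $null field means the setting (or MED-V itself) is not present.
    $medv = Get-WmiObject -Namespace $MedvNamespace -Class $MedvClass -ErrorAction SilentlyContinue
    $rdp  = Get-ItemProperty -Path $RdpPolicyKey -Name $RdpPolicyName -ErrorAction SilentlyContinue

    $medvValue = $null
    if ($medv) { $medvValue = [bool]$medv.UxCredentialCacheEnabled }

    $rdpValue = $null
    if ($rdp) { $rdpValue = [int]$rdp.$RdpPolicyName }

    New-Object PSObject -Property @{
        MedvUxCredentialCacheEnabled = $medvValue
        RdpDisablePasswordSaving     = $rdpValue
    }
}

function Test-CredentialCachingDisabled {
    # True only when MED-V caching is off AND the RDP policy forbids saving passwords,
    # which is the combination the post describes as the only way to reduce the exposure.
    $state = Get-CredentialCachingState
    return (($state.MedvUxCredentialCacheEnabled -eq $false) -and
            ($state.RdpDisablePasswordSaving -eq 1))
}

function Disable-CredentialCaching {
    # Equivalent of the post's WMIC command, done through the WMI object.
    $medv = Get-WmiObject -Namespace $MedvNamespace -Class $MedvClass -ErrorAction Stop
    $medv.UxCredentialCacheEnabled = $false
    [void]$medv.Put()

    # Registry equivalent of the GPO "Do not allow passwords to be saved" = Enabled.
    if (-not (Test-Path $RdpPolicyKey)) {
        New-Item -Path $RdpPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $RdpPolicyKey -Name $RdpPolicyName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: audit first, remediate only if a check fails, then show the resulting state.
Write-Host 'Current state:'
Get-CredentialCachingState | Format-List
if (-not (Test-CredentialCachingDisabled)) {
    Disable-CredentialCaching
    Write-Host 'State after remediation:'
    Get-CredentialCachingState | Format-List
}
```

Because the script is idempotent (it changes nothing when both checks already pass), it is suitable for running repeatedly, for example as a Group Policy computer startup script across a fleet of hosts. The registry half could equally be delivered by the policy itself; the WMI half is what the startup script adds.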
Ahhh, this issue, as you know, is near and dear to me...
Is there a way to deploy the WMIC method of disablement via a GPO to the Windows 7 host? I can always resort to the REG key listed if I must but it is a little overboard in what it does vs. the WMIC command.
Just looking for the easiest way to get this setting out to my users.