It has recently become known that Remote Desktop connections (RDP access) can also be established using old, revoked passwords held in a local cache. Some people see this as a security risk. The security researcher who discovered this behavior has informed Microsoft. However, Microsoft does not intend to change it.
A blog reader pointed out in the discussion area here on the blog (thanks for that) that Windows keeps old passwords, encrypted, in a local cache that RDP logons can use. This means that under certain circumstances an RDP login to Windows can succeed with an old, outdated password (one that has already been changed in the cloud). Dan Goodin picked the topic up on Ars Technica in the article Windows RDP lets you log in using revoked passwords.
Windows RDP connections
The proprietary Remote Desktop Protocol (RDP) is implemented in Windows to support RDP connections. If the user has logged on to a computer via Remote Desktop Protocol (RDP), they can control the computer in question remotely.
RDP connections use cached login data
Security researcher Daniel Wade has noticed that RDP connections use access data for Microsoft accounts from a cache. This means that passwords that have been changed, and should therefore be invalid, remain usable for RDP logons.
The scenario of logging in with a revoked password via RDP occurs on Windows computers that are signed in with a Microsoft or Azure account and configured so that remote desktop access is enabled. In this case, users can log in via RDP with a dedicated password that is validated against a locally stored credential. Alternatively, users can log in using the credentials of the online account that was used to sign in to the computer.
Microsoft does not want to change anything
Wade states that this mechanism also makes it possible to log in with old passwords (even from new computers) and sees this as a "breach of trust". After all, what do you do if you suspect that an account password may have been compromised? You change the password to cut off access, but because of the caching this does not work – the old access data continues to work.
It seems that the end user cannot recognize the problem, and Microsoft had not pointed it out – Redmond only added a note after the security researcher reported the issue. Daniel Wade reported the behavior to the Microsoft Security Response Center at the beginning of April 2025.
Microsoft's feedback was that this behavior is a design decision. This is to ensure that at least one user account is always able to log in, regardless of how long a system has been offline. For Microsoft, the behavior does not meet the definition of a security vulnerability. The company therefore has no plans to change the behavior.
Microsoft told Wade that he was not the first person to report the "problem". A security researcher had already pointed out the issue in 2023. Microsoft's statement was: "We originally considered a code change for this issue, but upon further review of the design documentation, code changes could impact compatibility with features used by many applications."
The working solution (see the linked discussion) is to set the GPO "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 0. The user then always has to authenticate online against a DC, because no credentials are cached locally.
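As an added example (not from the article or from Microsoft), the following PowerShell audits the setting named above on a single machine and offers the hardened value. It assumes the policy is backed by the registry value CachedLogonsCount (REG_SZ) under the Winlogon key, which is where the GPO writes it; the function names are my own.

```powershell
# Added example: audit and optionally harden
# "Interactive logon: Number of previous logons to cache".
# Assumption: the policy writes the REG_SZ value CachedLogonsCount
# (valid range 0-50, Windows default 10) under the Winlogon key.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Returns the effective count; Windows behaves as 10 when the value is absent.
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Test-CachedLogonsHardened {
    # True only when nothing is cached, so every logon must reach a DC
    # and a revoked password can no longer be replayed locally.
    return (Get-CachedLogonsCount) -eq 0
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # Requires an elevated shell. Stored as a string, as the policy does.
    # On a GPO-managed machine set this through the policy instead,
    # otherwise the next policy refresh overwrites it.
    Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value ([string]$Count) -Type String
}

$current = Get-CachedLogonsCount
if (Test-CachedLogonsHardened) {
    Write-Host "CachedLogonsCount = 0: no cached credentials, revoked passwords cannot be used offline."
} else {
    Write-Host "CachedLogonsCount = $current: the last $current domain logons stay usable offline."
    Write-Host "To apply the mitigation on an unmanaged machine: Set-CachedLogonsCount -Count 0"
}
```

Setting the value to 0 also removes offline logon for domain users on laptops that leave the network, so roll it out where machines are reliably connected to a DC.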



If the computer is offline you can login using cached credentials. For this to work, the user must have logged in at least once on the machine while it was online with valid credentials. So NOT on new computers. And if you then try to go online and access network resources, you'll get denied.
This is normal expected behavior, and as you said in the article you can turn this off using GPO.
I see a trend of security researchers that want to gain publicity by exaggerating. This undermines confidence in the security sector.
There are two situations.
1) you can use computer user logon credentials, same as used for user logon. This is what you speak about.
2) you can save RDP credentials specifically (i.e. on a private computer). You have no GPOs for that. And I think this is what it is about.
Not only users for RDP are cached. Some time ago I created a user in AD with admin rights on computers for the support team; they did what they needed to do and I disabled this account, and after disabling it in AD you are still able to run an application as admin by providing the credentials of this disabled user.