J'ai trouvé a solution that doesn't require modifying registry or policy to disable the new Credential Guard.
I went through my TERMSRV saved credentials and removed them, and re-added with cmdkey commands.
To list saved credentials:
cmdkey /list:TERMSRV/*
To delete a saved credential:
cmdkey /delete:TERMSRV/<targetNameOrIp>
To add a credential that will actually work with CG turned on:
cmdkey /generic:TERMSRV/<targetNameOrIp> /user:<username> /pass:<password>
I was even able to save passwords for microsoft accounts which use email@address for usernames.
All credit for this solution goes to the user informatik01 on microsoft forums
According to informatik01, passwords saved through the RDP UI end up as "Domain" type credentials and aren't compatible with CG. Passwords saved through cmdkey /generic flag ends up as "Generic" type, and DO work with CG enabled.
