windows – Are Credentials used in RDP cached on Client?

No, it’s not.

The client prompts for the password using a thing called Cred UI, which passes it off the to Windows security stack called LSA. LSA converts the password into a Kerberos key and attempts to authenticate to a Domain Controller, getting a ticket to the remote machine, and then sending the ticket to the remote machine.

If Kerberos fails it falls back to NTLM and generates an NTLM HMAC challenge from the password, sending it off to the target computer.

If the remote machine accepts either the ticket or the NTLM challenge, both the client and target machine do a key agreement (both sides figure out that they can make up a cryptographic key somehow without showing all their cards to the other side) and the client encrypts the user’s password using that agreed upon key. The target receives the password and decrypts it and then logs the user on.

Technically the client process has given up the password once it left CredUI and it should only be present in the LSA process from then on. The password is then cleared from LSA once it’s been sent in the last leg.

All of this relies on a well known protocol called CredSSP.