Do not allow storage of passwords and credentials for network authentication Intune

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

We use Azure AD joined devices deployed with Endpoint Manager. Our development servers running in another domain environment. But credential manager stores the already expired domain credentials. I want to disable this using this local policy: Network access: Do not allow storage of passwords ... for network authentication.

Can't find the CSP option for this. Can somebody help me to disable this setting with a Configuration profile?

level 1

Just validating, if you manually disable this, does it address the issue?

How does the issue manifest itself and when do you run into it?

(Note that I'm not questioning that this is happening, just looking for more info.)

level 2

Good question, not sure if it helps. Was willing to deploy this to a test laptop. I will test it first tomorrow. Will update you if this works. I think to deploy this with MEM policy I need to run a powershell script.

level 1

Did you figure out how to set that via Intune?

level 2

I would like to know as well - did you end up needing to do PowerShell?

WinSecWiki > Security Settings > Local Policies > Security Options > Network Access > Do not allow storage of passwords and credentials for network authentication

By default Windows offers to remember credentials used in mapping network drives when connecting to some web sites that require authentication and when connecting to Internet service with Windows Live (aka .NET Passport) accounts. Windows stores such credentials in secure registry storage that is ultimately protected by the user’s Windows password used for interactive logon to this computer. You can list stored credentials by going to Control Panel then User Accounts then User Accounts and selecting “Manage your network passwords”. This setting, when enabled, prevents Windows from allowing stored credentials.

Bottom line

Enable this setting on workstations if you wish to prevent users from having Windows store credentials.

Back to top

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for “Network access: Do not allow storage of passwords and credentials for network authentication” is not set to “Enabled”, then this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Control\Lsa\

Value Name: DisableDomainCreds

Value Type: REG_DWORD
Value: 1

Windows Server 2016 must be configured to prevent the storage of passwords and credentials.

Overview

Details