Introduction
In today’s hyper-connected workplace, credentials are the gateway to enterprise resources. But what happens when they become the weakest link? As IT administrators, we spend time hardening systems and enforcing MFA, yet one overlooked threat vector persists: unmanaged credential storage. That’s where managing Credential Manager using Intune becomes a game changer.
Let’s explore how to take full control over Windows Credential Manager using Microsoft Intune, why it matters, and how to implement it effectively.
What Is Windows Credential Manager?
Windows Credential Manager is a native Windows tool that securely stores and retrieves credentials like usernames, passwords, and certificates used for network authentication, websites, and apps.
Credential types include:
- Windows Credentials: For accessing network shares, remote desktops, etc.
- Web Credentials: Saved by Edge and Internet Explorer.
- Generic Credentials: Stored by third-party applications.

Stored credentials improve user convenience by enabling single sign-on (SSO) experiences. However, when unmanaged, they can introduce security risks. Learn more from Microsoft.
Why Is Credential Manager a Security Risk?
Credential Manager, while convenient, can become a liability:
- Credential Theft: Attackers with local access can dump stored credentials using tools like Mimikatz.
- Stale Entries: Outdated credentials can persist, creating potential backdoors.
- Insecure Storage: Without additional protections, credentials are vulnerable to extraction from memory.
To combat these risks, Microsoft recommends using Credential Guard, a virtualization-based security (VBS) feature that isolates secrets from potential attackers.
How Are Credentials Saved by Default?
By default, Windows stores credentials in the user profile, added either through the Credential Manager UI or from the command line using cmdkey. These credentials are retained unless:
- The system is wiped or the profile is reset.
- Group Policy or MDM settings restrict storage.
To review saved credentials:
CMD:
control /name Microsoft.CredentialManager

Or, use PowerShell:
cmdkey /list

How to Remove Existing Credentials
Beyond the security case for enabling Device Guard, cached and outdated credentials can also cause performance issues for the user. To resolve this, remove the stored credentials.
Remove specific credentials
This script deletes the single credential whose target name is set in $target:
# Target name as shown after "target=" in the output of cmdkey /list
$target = "legacyserver01"
# Run cmdkey in the current window and wait for it to finish
Start-Process -FilePath "cmdkey.exe" -ArgumentList "/delete:$target" -NoNewWindow -Wait
Remove all the credentials on Credential Manager
This script deletes every credential listed by cmdkey:
# Each entry printed by cmdkey /list has a line like "Target: Domain:target=legacyserver01";
# keep the part after the first "=" (the target name that cmdkey /delete expects)
$creds = cmdkey /list | Where-Object { $_ -match "Target:.*=" } | ForEach-Object {
    ($_ -split "=", 2)[1].Trim()
}
foreach ($target in $creds) {
    Write-Host "Deleting credential: $target"
    cmdkey /delete:$target
}
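As an added example (not code from the original post), here is a more selective version of the removal script: it parses cmdkey /list into objects and deletes only the entries whose target matches a wildcard pattern (and optionally a credential type), with -WhatIf support for a dry run. It assumes English cmdkey output (labels "Target:", "Type:", "User:"); the function names are my own.

```powershell
function Get-CmdkeyCredential {
    # Parse the "Target:/Type:/User:" lines that cmdkey /list prints for each entry
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        $text = $line.Trim()
        if ($text -like 'Target:*') {
            if ($current) { $entries += $current }
            # e.g. "Target: Domain:target=legacyserver01" -> keep "Domain:target=legacyserver01"
            $raw = ($text -split ':', 2)[1].Trim()
            $current = [pscustomobject]@{
                RawTarget = $raw
                Target    = ($raw -split '=', 2)[-1]   # name after "target=", what /delete expects
                Type      = $null
                User      = $null
            }
        } elseif ($current -and $text -like 'Type:*') {
            $current.Type = ($text -split ':', 2)[1].Trim()
        } elseif ($current -and $text -like 'User:*') {
            $current.User = ($text -split ':', 2)[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Remove-CmdkeyCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetPattern,  # wildcard, e.g. 'legacy*'
        [string]$Type                                  # optional, e.g. 'Generic' or 'Domain Password'
    )
    foreach ($cred in Get-CmdkeyCredential) {
        if ($cred.Target -notlike $TargetPattern) { continue }
        if ($Type -and $cred.Type -ne $Type) { continue }
        if ($PSCmdlet.ShouldProcess($cred.Target, "Delete stored credential ($($cred.Type), user $($cred.User))")) {
            cmdkey "/delete:$($cred.Target)" | Out-Null
            # cmdkey returns a non-zero exit code when the delete fails
            if ($LASTEXITCODE -ne 0) { Write-Warning "Could not delete $($cred.Target)" }
        }
    }
}

# Dry run first (-WhatIf only reports what would be deleted), then the real run
Remove-CmdkeyCredential -TargetPattern 'legacy*' -WhatIf
Remove-CmdkeyCredential -TargetPattern 'legacy*' -Type 'Domain Password'
```

Run it in the user's context (in Intune, set "Run this script using the logged-on credentials" to Yes); as SYSTEM it would only see the SYSTEM account's vault. cmdkey does not list Web Credentials, so those are out of scope here.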
Deploy the chosen script via Intune.
Comparison: Get-StoredCredential vs cmdkey
| Feature / Criteria | Get-StoredCredential (CredentialManager Module) | cmdkey (Built-in Utility) |
|---|---|---|
| Availability | Requires installation from PowerShell Gallery | Built into all modern versions of Windows |
| Usage Interface | PowerShell-native cmdlets (Get-StoredCredential, New-StoredCredential, Remove-StoredCredential) | Command-line utility (cmdkey /list, /add, /delete) |
| Supported Credential Types | Generic credentials stored via PowerShell or other apps | Primarily generic and domain credentials for Windows authentication |
| Enumerates All Stored Credentials | ✅ Lists credentials created by PowerShell and some by GUI Credential Manager | ❌ Only lists a subset (usually Windows and RDP/domain credentials) |
| Scriptable/Automatable | ✅ Highly scriptable with native PowerShell pipeline support | ⚠️ Scriptable but requires string parsing and external calls |
| Create New Credential | ✅ Yes: New-StoredCredential | ✅ Yes: cmdkey /add:<target> /user:<user> /pass:<pass> |
| Delete Specific Credential | ✅ Yes: Remove-StoredCredential -Target "name" | ✅ Yes: cmdkey /delete:<target> |
| Bulk Credential Management | ✅ Easy to script bulk operations | ⚠️ Possible but harder (requires parsing of command output) |
| Security Context | Runs in current user context, supports secure string password storage | Runs in current user context, plaintext password in some use cases |
| View Passwords | ❌ Does not expose passwords (secure handling only) | ❌ Does not expose passwords |
| Intune / Remote Script Friendly | ✅ Better suited for remote deployment scripts | ✅ Works with Intune scripts, but with limited credential scope |
| Official Microsoft Support | Community-supported module, not officially maintained by Microsoft | ✅ Official Microsoft command-line tool |
| Documentation | Moderate (PowerShell Gallery & GitHub) | ✅ Well-documented on Microsoft Learn |
How to Prevent Users from Saving Credentials using Intune
Implications of blocking credential storage:
- Users will be prompted for credentials each time they access network resources.
- Single Sign-On (SSO) experiences may be disrupted.
- Compatibility issues may arise with applications relying on stored credentials.
It’s essential to balance security needs with user convenience when implementing these restrictions.
Setup Instructions
Deploying this PowerShell script to devices disables the ability to add Windows Credentials and Certificate-Based Credentials:
# Registry equivalent of the security policy "Network access: Do not allow storage of passwords and credentials for network authentication";
# Set-ItemProperty creates the DWORD value if it does not exist yet
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableDomainCreds" -Value 1 -Type DWord
You can deploy this script using an Intune remediation built around the DisableDomainCreds script. Follow this quick guide: How to Deploy PowerShell Script via Intune: A Complete Guide for IT Admins.
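As an added example (not the post's own script), here is how the DisableDomainCreds setting can be packaged as an Intune remediation pair: the two helper functions go at the top of both scripts, followed by the detection body in the detection script and the remediation body in the remediation script. Intune reads exit code 0 as compliant and 1 as needing remediation; because HKLM is machine-wide, run both as SYSTEM (leave "Run this script using the logged-on credentials" at No). The function names are my own.

```powershell
$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableDomainCreds'

function Test-DisableDomainCreds {
    # $true only when the value exists and is exactly 1 (a missing value means storage is allowed)
    $current = (Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    return ($current -eq 1)
}

function Set-DisableDomainCreds {
    # Set-ItemProperty creates the DWORD if it is missing; read it back to confirm the write
    Set-ItemProperty -Path $LsaPath -Name $ValueName -Value 1 -Type DWord -ErrorAction Stop
    return (Test-DisableDomainCreds)
}

# ---- Detection script body (exit 0 = compliant, exit 1 = run the remediation) ----
if (Test-DisableDomainCreds) {
    Write-Output "$ValueName is 1: credential storage disabled"
    exit 0
}
Write-Output "$ValueName is not 1: credential storage still allowed"
exit 1

# ---- Remediation script body ----
try {
    if (Set-DisableDomainCreds) { Write-Output "$ValueName set to 1"; exit 0 }
    Write-Output "$ValueName did not read back as 1"
    exit 1
} catch {
    Write-Output "Failed to set ${ValueName}: $($_.Exception.Message)"
    exit 1
}
```

The Write-Output lines are what Intune shows in the remediation report, so keep them short and descriptive.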

Confirm the Credential Manager Configuration worked
- Open Control Panel → User Accounts → Credential Manager.
- Credential Manager opens, but the "Add a credential" option under Windows Credentials and Certificate-Based Credentials is disabled.

What Happens When Credential Manager Is Blocked?
- Users prompted every time for credentials.
- No persistence post reboot.
- Outlook or LOB apps may fail without stored credentials.
Conclusion
Managing Windows Credential Manager with Intune goes beyond simply adjusting settings—it fosters a culture of proactive credential hygiene. By combining policies, automation, and user education, IT administrators can strengthen Windows environments against credential theft while balancing security with ease of use.