Disable Domain credentials error received in Intune

Question

Disable Domain credentials error received in Intune

Paul Barnes 0

I am fairly new to Intune and have setup a custom configuration rule using the OMA-URI ./Device/Vendor/MSFT/Policy/Config/Security/LocalAccounts/DisablePasswordStorage but each time it is applied it errors with error code -2016281112 - 0x87d1fde8.

I got this OMA from doing a Co-Pilot search

Where I have applied Custom rules they all seem to fail as above

Any idea what i am doing wrong if anything?

3 answers

Your answer

Answer 1

Crystal-MSFT 53,991 Microsoft External Staff

@Paul Barnes, Thanks for posting in Q&A. Based on my researching, the CSP is not valid now. Therefore, it is failed. But we can try to change it via registry key.

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds To the following REG_DWORD value: 1

Here is a link with more details for your reference:

https://mbcloudteck.substack.com/p/hklmsystemcurrentcontrolsetcontrollsadisabledoma?r=2jeuoc&utm_campaign=post&utm_medium=web&triedRedirect=true

Note: Non-Microsoft link, just fir the reference.

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Paul Barnes 0 Reputation points

2025-01-06T08:50:58.0266667+00:00

Thank you for your response Crystal while a registry change will resolve the issue what we are trying to do is to do this centrally with Intune so it affects all of the devices we are looking to change in one go rather than having to walk around multiple machines. I find it strange that this seemingly cannot be resolved using Intune
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2025-01-07T01:19:58.36+00:00

@Paul Barnes, Thanks for the reply. If the registry key is working, we can deploy it via the remediation script which mentioned in the previous link I provide to deploy it to multiple machines via Intune.
Paul Barnes 0 Reputation points

2025-01-07T08:33:54.4466667+00:00

We have tried adding a remediation script which according to Intune has applied to the selected machines but there is no change seen in the registry of those machines and in Defender the recommendation is still showing as outstanding.
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2025-01-08T02:23:57.1866667+00:00

@Paul Barnes, Thanks for the reply. From your description, it seems the registry key is not added. Please check on the detection status and remediation status on the affected device to know if it is applied.

Answer 2

Paul Barnes 0

intune screenshot

I have attached a picture showing the script applied and assigned successfully

Paul Barnes 0 Reputation points

2025-01-08T08:50:48.3733333+00:00

If you cannot see the screenshot let me know and i will put it in a downloadable location
Paul Barnes 0 Reputation points

2025-01-08T08:53:38.26+00:00
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2025-01-09T02:21:02.7+00:00

@Paul Barnes, From the pictures you provided, I notice you configure platform script instead of remediation script.

Which script are you deployed via platform script, detection script or remediation script in my previous post or another script you write?

Try to deploy via remediation script to see if it works. Here is an example for your reference:

https://www.velessoftware.com/deploy-a-remediation-script-using-intune/

Note: non-Microsoft link, just for the reference.
Paul Barnes 0 Reputation points

2025-01-09T11:28:44.49+00:00

I was advised to apply as a Platform script i cannot apply a remediation script as the create option is greyed out (i am guessing this would be due to a licence the machines we are deploying from/to are Windows 10 pro or Windows 11 Business. The script itself is a .ps1 file and if run on an individual machine in powershell (runas admin) the result is:

Registry key 'HKLM:\System\CurrentControlSet\Control\Lsa\DisableDomainCreds' set to 1

but when this is applied in Intune and 'successfully' deployed it does not change the value to 1 and therefore the security recommendations are still outstanding in defender
Paul Barnes 0 Reputation points

2025-01-09T11:29:35.2533333+00:00

if you want i could show you the script we are using?
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2025-01-10T02:13:17.8166667+00:00

@Paul Barnes, Thanks for the reply. Yes, remediation script needs additional license. From your description, I know the script you manually run on the device is working. But when we deploy via Intune, it is not. Please ensure the "Run this script using the logged on credentials" is set as No. If it is already set as this, but not working, please paste your script. to let me check
Paul Barnes 0 Reputation points

2025-01-13T08:47:30.1033333+00:00

Hi Crystal many thanks you don't know how helpful this has been the issue was that the PowerShell file I was using had a straight path to apply this rather than the full script as below:

Can you please confirm if all of the scripts would work in a similar way in that i have 2-3 other items to apply and would like to do this in the same way?

Once again thank you for all your help I have been dealing with MS (3rd Party) support since April to get over this issue!!!
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2025-01-13T09:12:21.5433333+00:00

@Paul Barnes, Thanks for the reply. I am glad the information can help. On my point of view, the script can also work when we have 2-3 other registry keys to add.

Answer 3

@Paul Barnes, Hope things are going well. For our issue, please let me write a brief summary to let others who have the same issue to get the suggestion quickly.

Issue

Setup a custom configuration rule using the OMA-URI ./Device/Vendor/MSFT/Policy/Config/Security/LocalAccounts/DisablePasswordStorage but each time it is applied it errors with error code -2016281112 - 0x87d1fde8.

Suggestions

Based on my researching, the CSP is not valid now. Therefore, it is failed. But we can try to change it via registry key.

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds To the following REG_DWORD value: 1

Deploy registry key via PowerShell script in Intune. User's image Ensure the "Run this script using the logged on credentials" is set as No.

User's image

Thanks for your time and have a nice day!

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

Disable Domain credentials error received in Intune

3 answers

Your answer