Is there any GPO that can turn off caching of "generic credentials"

CGMANI 26 Reputation points
2021-07-16T14:44:01.887+00:00

I find it ridiculous that MS has provided group policy to disable network and cert based creds, but NOT generic ones. It seems to be well documented on the internet that these "generic credentials" where O365 stores them, are the number one way 0365 accounts get compromised, and yet MS doesn't see the need to be able to disable the caching of the credentials for the corporate world. Do what you want with the home ****, but at least give admins the ability to secure their environment. I know there are scripts out there to keep clearing them from the vault, but to me that is an unacceptable answer. MS needs to provide a real administrative solution to the issue in the form of a GPO that allows the disablement of generic credentials for the corporate world.

With my rant over, if anyone has figured out a way to disable the caching of generic credentials, especially O365 credentials, I'd appreciate knowing how you did it.

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,383 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Hannah Xiong 6,276 Reputation points
    2021-07-19T01:46:51.933+00:00

    Hello @CGMANI ,

    Thank you so much for posting here.

    So sorry for the inconvenience caused. We could enable the group policy "Network access: Do not allow storage of passwords and credentials for network authentication" under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. However, it will not disable the caching of Generic Credentials.

    115711-image.png

    It is suggested that we could also disable the Credential Manager service. In my lab, I disabled the service, and below is the result.

    115703-image.png

    Here is the discussion, and we could kindly have a check.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c70c73a3-6403-4f1f-b1df-b225836487c4/when-i-disable-windows-vault-via-group-policy-it-does-not-disable-the-storage-of-generic?forum=winserverfiles

    Thank you so much for your understanding and support.

    Best regards,
    Hannah Xiong


  2. Hannah Xiong 6,276 Reputation points
    2021-07-20T08:08:42.767+00:00

    Hello @CGMANI ,

    You are welcome. Thank you so much for your kindly reply.

    I could totally understand your situation and feeling. And I am sorry for the inconvenience caused since there is no group policy based solution for our requirement.

    I would suggest you contact Microsoft Customer Services and Support to see whether we could get an efficient solution:

    https://support.serviceshub.microsoft.com/supportforbusiness

    Greatly appreciate your understanding and support.

    Best regards,
    Hannah Xiong

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.