Windows 10 2004/20H2 and the broken 'Credentials Manager': Root Cause and Workaround – Part 1

[German]I bring up an unpleasant topic again. The Credentials Manager is unusable on Windows 10 May 2020 Update (version 2004) and Windows 10 20H2. This is because Credentials Manager forgets credentials, which affects all applications that use this feature.


Advertising

Problem: Broken credentials management

Credentials Manager allows Windows to store credentials in a secure safe. It's actually a cool thing, since the stored credentials can be used to log on to websites, connected applications and networks. This is used by Outlook, OneDrive, browsers and other software to log on to accounts. In addition, credential management allows you to view and delete these credentials. Microsoft has published this article, which shows the scope with the feature.

The problem, however, is that Windows developers have a fatal tendency to break functions of the operating system via (feature) updates. Since Windows 10 version 2004, the credential management is simply broken and does not work anymore. I had already taken up this topic in mid-August 2020 in the blog post Windows 10 2004: 'Credentials Manager' broken [Workaround] and asked for experiences. In the comments a number of blog readers took up this issue and described their experiences. The comment here from my German blog is typical for the problem:

After the last update: My Outlook loses all passwords every 6 to 7 hours and then I have to re-enter the PW for each account. Also the domain is regularly overwritten with mail.outlook365, which I have to re-enter again. With MS-Cloud, Google etc. I have to log in again after each restart…

This can be extended to other software – also VPN clients etc. – passwords have to be entered again and again. Well, bad tongues claim anyway that Windows 10 is more occupational therapy than operating system – but I don't want to support that, otherwise it will be taken as an insult to majesty again. But I can imagine that it's really annoying somewhere, having to type in new passwords all the time. So smart users stay on Windows 10 version 1909, because that's where it works.

Suspicion: Local accounts are to blame

In the comments to the(German edition of my) blog post Windows 10 2004: 'Credentials Manager' broken [Workaround] there are several messages that users with local user accounts are affected. Here a voice:

Here two PCs are in use with local user accounts only. I can only implicitly state that I am affected by the problem.

In the comments to the English language blog post, users are quite pissed off and one suspects that it might have something to do with the accounts in Windows.


Advertising

Call me paranoid, but many of the users I support are not part of any domain and log into their Win10 computer with a local account. Is this an attempt by Microsoft to "force" users to login with a known Microsoft account — for easier tracking ;D

My laptop uses a Microsoft account login and has had no problems after the May v2004 update. It does have newer hardware than this desktop; surely there isn't a subtle push to upgrade all hardware too.

Then user Richard posted this comment and says that it is not a bug, but a feature that requires a Microsoft account.

Proposal for workarounds?

The articles then suggested that affected users should upgrade a local user account to a Microsoft account. If you are traveling with a Microsoft account, you should downgrade it to a local user account. Then upgrade this account again and enter the passwords again. Swiss blog reader Michael Bonjour has described this in more detail in this comment (thanks for that).

Michael explains in his comment that the Microsoft account must be confirmed. Just read his comments in the corresponding comment thread. I plead however for testing the following section including the test and adjustment of the registry key outlined there.

A test for a broken API …

User Kevin has left a comment with a note that should be tried out by all concerned persons. On GitHub, there is a Windows program called DPAPITest that does not need to be installed and runs with local user rights. This application tests whether the user account in question is affected by a problem caused by 'the last Windows update' (whatever the last update statement is). It runs that a broken manifest causes the Data Protection API to stop working.

DPAPITest
(Results of the DPAPITest program)

Kevin then posted the above screenshot of the test procedure. If the errors are reported as above, the DP-API is broken due to the broken manifest, the passwords stored in the credential manager can no longer be used successfully by applications.

… and a fix via registry

User AyrA.ch posted this post in Microsoft Answers with an explanation of the error. The encryption by a user key does not work with DPAPI anymore, you have to use the system key. Therefore AyrA.ch has redirected this by a registry intervention. To do this, the registry editor must be started with administrative permissions and then to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

can be navigated. There, a 32-bit ProtectionPolicy DWORD value must be created and set to 1 (the value is also discussed here). This should cause the passwords to be retained after a Windows restart and the above mentioned test tool should also report everything OK. Maybe affected persons can test this.

Article series:
Windows 10 2004/20H2 and the broken 'Credentials Manager': Root Cause and Workaround – Part 1
Windows 10 2004/20H2 and the broken 'Credentials Manager': Cause and Workaround – Part 2

Similar articles:
Windows 10 2004: 'Credentials Manager' broken [Workaround]
Windows 10 forgets certificates during upgrade
Microsoft confirms certificate loss on Windows 10 upgrades


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in issue, Windows and tagged , . Bookmark the permalink.

3 Responses to Windows 10 2004/20H2 and the broken 'Credentials Manager': Root Cause and Workaround – Part 1

  1. Tarmo says:

    Hello!
    Vindovs 20H2.
    Several restarts done, and looks like passwords are where they must be!
    But i run this DPAPITest.exe again and last two things remain still red and Problem…..
    Best regards,
    Tarmo

  2. Michael Overholser says:

    When I run the tool, I get the following error when I click on step 1 button, am I missing something? (I've done it at both run as user, and as administrator, both throw the same error):

    Have to post this as a link to pastebin, as a spam filter thinks I'm trying to hack the website…

    https://pastebin.com/sL6Gvrhr

Leave a Reply

Your email address will not be published. Required fields are marked *