{
	"id": "eaf133e4-535b-4474-a6fc-b03c3958884a",
	"created_at": "2026-04-06T01:30:31.261025Z",
	"updated_at": "2026-04-10T03:21:06.43684Z",
	"deleted_at": null,
	"sha1_hash": "b721c4d74bdfde98ccdd2b4afe6249aa90ce4549",
	"title": "Credential Locker Overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51443,
	"plain_text": "Credential Locker Overview\r\nArchived: 2026-04-06 01:10:46 UTC\r\nApplies To: Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2\r\nThis topic for the IT professional provides basic conceptual overview information for Credential Locker, and it\r\nserves as a portal to other information. Credential Locker is managed by Credential Manager.\r\nDid you mean…\r\nWindows Vault\r\nCredential Manager\r\nStored User Names and Passwords\r\nCredentials Protection and Management\r\nCredential Locker is a service that creates and maintains a secure storage area on the local computer that stores\r\nuser names and passwords the user saved from websites and Windows 8 apps. Credential Locker is accessed\r\nthrough Credential Manager in Control Panel as part of the local User Account management feature.\r\nCredential management by using Credential Manager is controlled by the user on the local computer. Users can\r\nsave and store credentials from supported browsers and Windows applications to make it convenient when they\r\nneed to sign in to these resources. Credentials are saved in special encrypted folders on the computer under the\r\nuser’s profile. Applications that support this feature (through the use of the Credential Manager APIs), such as\r\nweb browsers and Windows 8 apps, can present the correct credentials to other computers and websites during the\r\nsign-in process.\r\nWhen a website, an application, or another computer requests authentication through NTLM or Kerberos, an\r\nUpdate Default Credentials or Save Password check box is presented to the user. This dialog to request\r\ncredentials saving is generated by an application that supports the Credential Manager APIs. 
If the user selects the\r\ncheck box, Credential Manager keeps track of the user's name, password, and related information for the\r\nauthentication service that is in use.\r\nThe next time the service is used, Credential Manager automatically supplies the credential that is stored in\r\nCredential Locker. If it is not accepted, the user is prompted for the correct access information. If access is granted\r\nwith the new credentials, Credential Manager overwrites the previous credential with the new one and then stores\r\nthe new credential in Credential Locker.\r\nFor example, if the user adds a Windows credential through Credential Manager, Remote Desktop Connection will\r\ndetect it and populate the dialog box with that credential. If that credential is rejected and the user supplies the\r\ncorrect one on the next attempt, Credential Locker stores the successful credential. Similarly, Internet Explorer 10\r\nsearches Credential Locker for any credentials that are associated with a website where sign in is required. If no\r\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN\r\nPage 1 of 5\n\ncredentials are found, the user is prompted to sign in and can optionally save the credentials that are entered to\r\nCredential Locker to be used the next time the website is accessed.\r\nIsolating credentials is part of the feature’s architecture. Credential Locker only releases credentials under the\r\nfollowing conditions:\r\nTo Windows Store apps that support the Credential Manager APIs\r\nTo the website that the user elected to store that credential when the browser supports the Credential\r\nManager APIs\r\nNote\r\nThere is no change in how Credential Locker handles credentials for legacy Windows applications.\r\nWindows Server 2012 and Windows 8 introduce the ability to sign in to a computer by using a Microsoft account,\r\nor to connect a domain account on a computer with a Microsoft account. 
A Microsoft account was formerly\r\nknown as a Windows Live ID account, which uses the form, for example, someone@contoso.com. Using a\r\nMicrosoft account provides user personalization through roaming credentials, which includes website and\r\nWindows Store app sign in information that is stored in Credential Locker.\r\nCredential roaming is enabled by default on non-domain joined computers, making it possible for users to access\r\ntheir Credential Locker through all their trusted Windows devices. The files that compose Credential Locker\r\ncannot be password protected and access to Credential Locker cannot be locked. The Credential Locker roams\r\nwith the user’s Microsoft account, and Windows synchronizes the credentials as sign in occurs.\r\nFollowing are some important behaviors to consider if you use Credential Locker in your enterprise.\r\nCredential management by using Credential Manager is controlled by the user on the local computer.\r\nWindows prevents credentials that are stored in Credential Locker on domain-joined computers from\r\nleaving the enterprise as part of the user profile in the Microsoft account.\r\nCredentials in the Microsoft account will not roam within your enterprise if you are using Credential\r\nRoaming (formerly known as Digital ID Management Service or DIMS). The Roaming User Profiles\r\nfeature incorporates Credential Locker, which might result in credential usage conflicts with Credential\r\nManager. 
Therefore, we recommend that you choose either Credential Manager which uses Credential\r\nLocker or the Roaming User Profiles in your enterprise design.\r\nCredentials only roam into your enterprise by using a user profile of a Microsoft account if a credential\r\nwith the same username, target, and Windows Store app package ID does not currently exist in your\r\nenterprise.\r\nUsers can take advantage of the ability to save and store the credentials they use when they sign in to different\r\nsystems, including websites and Windows applications. In the supported Windows versions as designated in the\r\nApplies To list at the beginning of this topic, Windows Store apps can also be programmed so that users have the\r\noption to save credentials to Credential Locker. Internet Explorer 10 also provides this functionality.\r\nUsers can access their Credential Locker through all their trusted Windows devices as part of their identity user\r\nprofile, but this feature is turned off for domain-joined computers.\r\nWindows Store apps can be programmed to leverage Credential Locker.\r\nCredential roaming is accomplished by synchronizing the user’s profile using the Microsoft account (formerly\r\nknown as the Windows Live ID).\r\nCredential roaming is enabled by default on non-domain-joined computers, and it is disabled on domain-joined\r\ncomputers.\r\nImportant\r\nCredential Manager is controlled by the user on the local computer. The user has the option to locally enable\r\ncredentials storage at any time, even on a domain-joined computer.\r\nCredential Locker supports seamless sign in by using Windows Store apps that use Web Authentication Broker. It\r\nremembers passwords for services like Facebook and Twitter, so the user does not have to enter credentials\r\nmultiple times. 
This seamless sign-in experience has been extended across the user’s devices that are running\r\nWindows 8.1.\r\nFormerly, when multiple credentials were stored for the same resource, there was no way to specify a “default”\r\ncredential. In Windows 8.1, the user can designate a default credential for a particular resource. And to assist with\r\nthe user’s choice, credentials stored in Credential Locker display the date when they were last used.\r\nThe following list describes functionality that is present in Windows Server 2008 R2 and Windows 7, but has been\r\nremoved in Windows Server 2012 and Windows 8.\r\n1. Automatically loading Credential Locker information to and from USB devices is not supported.\r\n2. There is no UI support for displaying multiple lockers, creating lockers, removing lockers, deleting lockers,\r\ncopying lockers, or viewing the advanced properties for Credential Locker.\r\n3. There is no UI support for adding or editing web passwords in Credential Manager. Passwords can be\r\nchanged through the application that requires them.\r\n4. There is no support for locking or unlocking Credential Locker. To facilitate roaming, access to Credential\r\nLocker cannot be locked.\r\n5. There is no support for password protecting Credential Locker.\r\n6. The Credential Locker feature manages the release of a user’s credentials to the correct application or\r\nwebsite. Users cannot be prompted to consent the release of a specific credential to any other.\r\nFor a list of deprecated features in the Windows Server 2012, see Features Removed or Deprecated in Windows\r\nServer 2012.\r\nYou can use the Security Policy setting Network access: Do not allow storage of passwords and credentials for\r\nnetwork authentication to control Credential Manager. 
If you enable this setting, Credential Manager does not\r\nstore passwords or credentials for domain authentication on the computer.\r\nBecause Windows Store apps can be programmed to support Credential Locker, there is no way for the IT\r\nadministrator to control the storage of credentials from these apps on the local computer. You can, however,\r\ncontrol what apps can run in your enterprise by using application control features such as AppLocker.\r\nCredential Manager is a Control Panel app that is available in all editions of the supported Windows versions as\r\ndesignated in the Applies To list at the beginning of this topic. There are no additional software requirements to\r\nuse this feature.\r\nThe following table provides additional resources for Credential Manager, Credential Locker, and related\r\ntechnologies.\r\nContent type | References\r\nProduct evaluation | Not available\r\nPlanning | Not available\r\nDeployment | Not available\r\nOperations | Not available\r\nTroubleshooting | Not available\r\nSecurity | Not available\r\nTools and settings | Credential Manager; Credential Manager Reference\r\nCommunity resources | Protecting your digital identity; Signing in to Windows 8 with a Windows Live ID\r\nRelated technologies | AppLocker Overview; Implementing Roaming User Profiles\r\nSource: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN"
	],
	"report_names": [
		"jj554668(v=ws.11)?redirectedfrom=MSDN"
	],
	"threat_actors": [],
	"ts_created_at": 1775439031,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b721c4d74bdfde98ccdd2b4afe6249aa90ce4549.pdf",
		"text": "https://archive.orkl.eu/b721c4d74bdfde98ccdd2b4afe6249aa90ce4549.txt",
		"img": "https://archive.orkl.eu/b721c4d74bdfde98ccdd2b4afe6249aa90ce4549.jpg"
	}
}