I was onboarding a new Surface for a VIP and to get it on the intranet to join it to the domain I entered my own RADIUS credentials at the Windows 10 logon screen. Got the device prepped and onboarded and now I've discovered that Windows remembers these credentials even if I delete the WiFi profile.
Things I have tried
- Delete stored WiFi profile using the Win10 Settings UI when signed in as myself
- Delete stored WiFi profile using a CMD window running as SYSTEM (using psexec)
- Check stored credentials using
rundll32 keymgr.dll,KRShowKeyMgrfrom a SYSTEM CMD prompt - Delete stored WiFI profile & check stored credentils using
rundll32 keymgr.dll,KRShowKeyMgrfrom a CMD prompt running as PUBLIC (psexec -> SYSTEM cmd prompt,runas /user:Public)
Every one of these steps along the way, I log out and try reconnecting to RADIUS and it just connects without prompting me for credentials, which means it has stored my user credentials somewhere. This also means that when I deliver the laptop to the end user, he won't be able to enter his credentials to connect to RADIUS WiFi from the logon screen until I change my AD password. I cannot "Forget" a WiFi network from the logon screen.
This is in a production AD domain environment. We don't push out RADIUS via GPO, but if that's a solution we can set it up easily enough.
