My company needs to activate MFA tomorrow and we need to know how to clear out all of the stored credentials in the Windows Credential Manager. The problem credential that I can't remove via PowerShell is one called "SSO_POP_Device" under "Other Items".

I have a command that will remove all credentials EXCEPT the SSO_POP_Device. The code is below. I've stopped and started the CM service, which just restores what it remembered from before (still need to clear the credentials so they don't get used after MFA is active). I am aware that it can be manually removed in CM, but remember, I need a PowerShell script or CMD line method of removing this for multiple users across the company. I discovered through research that this is likely tied to our Microsoft Accounts and specifically, to Office / Outlook 365.

This is the command that removes all credentials except SSO_POP_Device currently. It's pretty short.

```powershell
cmdkey /list | ForEach-Object{if($_ -like "*Target:*"){cmdkey /delete:($_ -replace " ","" -replace "Target:","")}}
```

I would expect to be able to run some PowerShell or CMD line to scrub anything whatsoever from Credential Manager, regardless of where it is stored or what it's related to. Whenever I run `cmdkey /list` with just SSO_POP_Device remaining on the list, it returns nothing. There are no error messages except when I'm firing off random delete commands into the aether.

Poopbeard
  • Why do you need to remove that credential? – Bill_Stewart Aug 15 '19 at 22:22
  • Another team that's in charge of the MFA rollout tells me it needs to go, and I assume it is because any stored credentials left remaining pose a risk of fouling with the MFA once it's in place, which creates bigger headaches down the road. We're particularly wary of this one since it's *probably* everyone's email credentials, which will *probably* hit MFA. – Poopbeard Aug 16 '19 at 13:05
  • Do you have a command line that actually does work to remove that credential? – Bill_Stewart Aug 16 '19 at 13:39
  • No. That's what I'm asking for. One rogue credential. One command could save us all. The hit movie event of the Summer. Specifically, I have one command that wipes all credentials except the SSO_POP_Device one. It is probably a more application-side credential; I just don't know why, if CM can see it and manage it, I can't get `cmdkey /list` to show it. `cmdkey /list` acts like it's not in CM at all. – Poopbeard Aug 16 '19 at 20:15
  • If the `cmdkey` command doesn't even _list_ it, then I don't know of a way to automate its removal. (But I'm not a credential manager/DPAPI expert, though.) – Bill_Stewart Aug 16 '19 at 20:59

0 Answers