Credential manager issues (0x80090345) After Windows updates 24H2. Hybrid device environment.

Jamy Hollaar 20 Reputation points
2025-08-07T11:27:39.7466667+00:00

Hey Guys,

Environment:

Domain controller in combination with Hybrid joined devices.

Domain joined / Intune managed.

Windows Hello in use.

Problem:

Issues with logging in to software for remote workers (Outlook, Essentials app, Adobe, etc.)

Issues with opening Credential manager (error: 0x80090345)

Cause:

Problems started after 24H2 update.

Troubleshooting taken:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
Value: ProtectionPolicy
Value Type: DWORD
Value Data: 1

Regkey has been set, this solves the problem but can introduce other problems down the line.

When the user logs in with domain credentials (not line of sight with DC) it works. With Windows Hello it doesn't work. Windows Hello is already working for years and does still work at the office (line of sight with DC.)

Seems to be something related to the DPAPI Masterkey, which should make a local backup on the machine at first logon on the DC network. But when users are at home it works for a moment and then they get the same issue.

Any of you that have similar issues or have something I can look into?

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services

Answer accepted by question author
Harry Phan 8,495 Reputation points Independent Advisor
2025-10-11T02:01:59.7933333+00:00

The problem you're describing is a known issue that can occur after the 24H2 update, which introduced changes to the security stack. Windows Hello for Business (WHfB) relies on a primary refresh token (PRT), but certain legacy applications and Credential Manager still have a dependency on the DPAPI key that is traditionally seeded during an initial, line-of-sight domain logon. When this key is corrupted or missing, you see the exact errors you've listed.

While the ProtectionPolicy registry fix acts as a workaround by forcing a local-only protection mode, you're right to be cautious, as it can break other functionalities that rely on proper key roaming. A more sustainable solution is to proactively repair or re-seed the DPAPI master key for affected users.

Here is the recommended procedure to resolve this without the registry hack:

1. The user must be connected to the corporate network directly (via VPN or in the office).

2. The user should sign out and then log back in using their password (not Windows Hello). This step is crucial as it re-establishes the line-of-sight trust with the Domain Controller.

3. Once logged in with their password, they should lock and then unlock their session using Windows Hello. This action triggers the system to correctly create a new, healthy DPAPI master key backed by the domain.

4. After this process, they should be able to work remotely again without issues.

This process forces a secure renewal of the user's DPAPI key vault. For future deployments, ensuring your Intune configuration includes a policy to pre-seed DPAPI keys during device provisioning can prevent this.

I hope this targeted solution restores stability for your remote users. You've done excellent work diagnosing this complex issue. If this guidance successfully resolves the problem, please feel free to mark this answer as "Accepted" – it's always rewarding to collaborate on such a technically deep challenge 😊.

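The question's registry workaround and the answer's re-seeding procedure both leave an admin with two things to verify on an affected client: whether the ProtectionPolicy value (which the question says can introduce other problems later) is still set, and whether the password logon plus Windows Hello lock/unlock actually produced a fresh DPAPI master key for the user. The following PowerShell script is an added example written for this thread, not code from either poster or from Microsoft. It assumes Windows PowerShell 5.1 or PowerShell 7 on the hybrid-joined client, uses the exact registry path quoted in the question, and relies on the user master-key store living under %APPDATA%\Microsoft\Protect\<SID> with GUID-named key files and a Preferred file; the Preferred layout (16-byte GUID followed by a FILETIME expiry) is an assumption taken from public DPAPI write-ups rather than from this page.

```powershell
# Added example, not from the original thread. Audits the ProtectionPolicy
# workaround from the question and the current user's DPAPI master-key store,
# so an admin can confirm the re-seeding procedure from the answer took effect
# and track which devices still carry the workaround.
# Assumptions: registry path as quoted in the question; master-key directory
# layout and Preferred file format taken from public DPAPI write-ups.

$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'

function Get-DpapiProtectionPolicy {
    # Returns the ProtectionPolicy DWORD (1 = local-only workaround from the
    # question) or $null when the value is absent. Reading HKLM needs no elevation.
    $props = Get-ItemProperty -Path $ProviderKey -Name ProtectionPolicy -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.ProtectionPolicy
}

function Get-DpapiMasterKeyState {
    # Enumerates the current user's master-key files and the Preferred pointer.
    # Must run in the affected user's session, since the store is per-SID.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $dir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
    if (-not (Test-Path $dir)) { return $null }

    # Master keys are hidden/system files named by GUID; -Force includes them.
    $guidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
    $keys = Get-ChildItem -Path $dir -File -Force |
        Where-Object { $_.Name -match $guidPattern } |
        Sort-Object LastWriteTime -Descending

    $preferredGuid = $null
    $expiry = $null
    $preferredPath = Join-Path $dir 'Preferred'
    if (Test-Path $preferredPath) {
        # Assumed layout: 16-byte GUID of the active master key + 8-byte FILETIME expiry.
        $bytes = [System.IO.File]::ReadAllBytes($preferredPath)
        if ($bytes.Length -ge 24) {
            $preferredGuid = ([guid]::new([byte[]]$bytes[0..15])).Guid
            $expiry = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($bytes, 16))
        }
    }

    [pscustomobject]@{
        Directory     = $dir
        PreferredGuid = $preferredGuid
        ExpiresUtc    = $expiry
        Keys          = @($keys | Select-Object Name, LastWriteTime)
    }
}

function Show-DpapiStatus {
    param(
        # Time the user completed the password logon + Hello lock/unlock steps;
        # a master key written after this confirms the procedure created a new key.
        [datetime]$ProcedureCompletedAt = (Get-Date).AddHours(-1)
    )

    $policy = Get-DpapiProtectionPolicy
    if ($null -eq $policy) {
        Write-Output 'ProtectionPolicy: not set (default DPAPI behaviour, domain-backed master keys).'
    } elseif ($policy -eq 1) {
        Write-Output 'ProtectionPolicy: 1 (local-only workaround from the question is in place; revert once keys are re-seeded).'
    } else {
        Write-Output "ProtectionPolicy: $policy (unexpected value, review manually)."
    }

    $state = Get-DpapiMasterKeyState
    if ($null -eq $state) {
        Write-Output 'No DPAPI master-key directory found for the current user.'
        return
    }
    Write-Output "Master-key store: $($state.Directory)"
    Write-Output "Preferred key:    $($state.PreferredGuid) (expires $($state.ExpiresUtc) UTC)"
    foreach ($k in $state.Keys) {
        $marker = if ($k.Name -eq $state.PreferredGuid) { '*' } else { ' ' }
        Write-Output ("  {0} {1}  written {2}" -f $marker, $k.Name, $k.LastWriteTime)
    }

    $fresh = $state.Keys | Where-Object { $_.LastWriteTime -gt $ProcedureCompletedAt }
    if ($fresh) {
        Write-Output 'A master key newer than the procedure time exists: re-seeding appears to have worked.'
    } else {
        Write-Output 'No master key newer than the procedure time: repeat the password logon and Hello lock/unlock on the corporate network.'
    }
}

# Usage (as the affected user, after completing the steps in the accepted answer):
Show-DpapiStatus -ProcedureCompletedAt (Get-Date).AddMinutes(-30)
```

Run it in the affected user's session right after the password logon and Hello lock/unlock from the answer; the starred entry is the master key the Preferred file currently points at, and its LastWriteTime tells you whether a new key was actually generated. Once a device reports a fresh key, the ProtectionPolicy line is the reminder to remove the workaround value the question set, since the answer notes it interferes with key roaming.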
