What is the security boundary of Windows Hello KeyCredentialManager credentials for desktop apps?

Question

What is the security boundary of Windows Hello KeyCredentialManager credentials for desktop apps?

Roman Prudchenko 0

I am evaluating Windows Hello / KeyCredentialManager for a desktop application that protects high-value local secrets encrypted at rest. The application creates a local master key and stores it encrypted. One unlock path is password-based. Another unlock path uses Windows Hello through KeyCredentialManager and related WinRT APIs.

Common scenario:

The application creates a KeyCredential with a credential name.
Another process running under the same Windows user account attempts to open the same credential name.
Windows shows a Windows Hello user verification prompt.
If the user approves the prompt, the second process can perform cryptographic operations with that credential.

I am trying to understand whether this is expected behavior and what the intended security boundary is.

Questions:

Is KeyCredentialManager scoped to the Windows user account or current application, that requests access to credentials?
Is it expected that another process under the same user account can open the same KeyCredential if the credential name is known?
Does KeyCredentialManager provide any app-level isolation for classic desktop applications? And how to implement such approach if yes?
Does AppContainer or Win32 App Isolation change behavior from Q3?
Is there a supported way to bind a KeyCredential to a specific executable, publisher or package identity?
Is the credential name supposed to be treated as a secret?
Does TPM backing or key attestation change the local same-user threat model?
For applications protecting password-vault local secrets, does Microsoft recommend using Windows Hello as the only unlock mechanism, or only as one factor in a broader design?

Expected outcome: I am looking for an explanation of the intended security boundary of KeyCredentialManager and the recommended architecture for protecting high-value local secrets.

Relevant APIs:
KeyCredentialManager.RequestCreateAsync
KeyCredentialManager.OpenAsync
KeyCredential.RequestSignAsync
Windows.Security.Credentials
Windows.Security.Cryptography

0 comments

2 answers

Your answer

Answer 1

Taki Ly (WICLOUD CORPORATION) 2,225 Microsoft External Staff Moderator

Hello @Roman Prudchenko ,

I have carefully reviewed the scenario you described, and I would like to share some perspectives and relevant documentation to help us analyze this issue together. Based on the current Windows system architecture, I would like to offer some suggestions and observations regarding your questions:

1 & 2. Scope of KeyCredentialManager and Cross-process behavior

According to the architectural documentation for the pure (unpackaged) Win32 environment, it appears that the security boundary is generally established at the User Account level rather than the application level. In this traditional environment, processes running under the same user typically share a common privilege space. Therefore, the fact that another process can request to open a KeyCredential if it knows the credential name is likely an anticipated behavior, as the operating system might not differentiate between two Win32 processes belonging to the same user.

Reference: Windows Access Control Model

3 & 4. App Isolation, AppContainer, and MSIX

To establish isolation at the application level, Microsoft often suggests granting the application an App Identity. If your application is not running within an AppContainer, it may struggle to protect itself from other same-user processes. If you utilize packaging such as MSIX or adopt the new Win32 App Isolation mechanisms, I believe this behavior might change. In those cases, the system seems to evaluate access rights based on the Package Family Name (PFN), which helps keep credentials isolated per application rather than shared entirely at the user level.

References: AppContainer Isolation and MSIX App Identity

5. Binding to an executable or package identity

In case you want to "bind" the credential to a specific application, identifying it via package identity (e.g., through MSIX) seems to be the most frequently mentioned solution in the documentation. For standalone, unpackaged .exe files, there is probably no standard mechanism supported by the OS to tightly bind this API solely to that specific executable.

6. Secrecy of the Credential Name

Microsoft's documentation might not explicitly state that the credential name must be an absolute secret. Even though malware could potentially discover it, relying on hiding this name (security through obscurity) perhaps shouldn't be your core defense layer. Nevertheless, generating a random name could be considered a mitigating measure to reduce the attack surface.

7. TPM and Key Attestation

The presence of a TPM chip and key attestation is typically intended to ensure that the key material cannot be extracted or exported off the physical device. However, it might not resolve the "Confused Deputy" problem at the software level. This means that if a valid cryptographic request is sent by malicious code running under the same user privileges, the TPM would likely still process the operation because it cannot distinguish process boundaries in an environment without an AppContainer.

Reference: TPM Fundamentals

8. Advice on Defense-in-depth architecture

For applications protecting high-value local secrets (like a password vault), I think relying solely on a single layer of protection (Windows Hello in an unpackaged Win32 environment) could carry potential risks if the device is compromised by same-user malware. A safer approach would perhaps be adopting a "Defense in depth" model. You might consider using Windows Hello as a convenient unlock method while combining it with boundaries like MSIX packaging, or requiring a master password periodically to mitigate risks.

Reference: KeyCredentialManager Class

I hope the information and documents above can provide additional perspectives for your architectural evaluation. If you found my response helpful or informative, I would greatly appreciate it if you could follow this guide for your confirmation.

Thank you.

Roman Prudchenko 0 Reputation points

2026-06-05T10:47:05.47+00:00
Thank you for your answer! Can you please provide a definitive answer to the following scenario?

Scenario:

Application A is packaged as MSIX and runs inside an AppContainer.

Application A creates a Windows Hello credential using KeyCredentialManager.RequestCreateAsync().

Application B is a different process running under the same Windows user account.

Application B knows the credential name created by Application A.

Application B calls KeyCredentialManager.OpenAsync() with the same credential name.

Question:

In this scenario, should Application B be able to successfully open and use the same KeyCredential created by Application A? If the answer depends on additional conditions, please specify exactly which conditions affect the result (for example: MSIX packaging, AppContainer isolation, Package Family Name, publisher identity etc.).
Additionally, if Application B can successfully open the credential, does that mean KeyCredentialManager credentials are scoped primarily to the Windows user account rather than to the application/package identity? If Application B cannot open the credential, please point to the specific Windows security boundary or documentation that enforces this isolation
Roman Prudchenko 0 Reputation points

2026-06-05T10:47:31.6633333+00:00

Does MSIX packaging and AppContainer isolation create an application-level security boundary for KeyCredentialManager credentials, or are KeyCredentialManager credentials always scoped at the Windows user level regardless of packaging?
Taki Ly (WICLOUD CORPORATION) 2,225 Reputation points Microsoft External Staff Moderator

2026-06-08T06:31:34.4766667+00:00

Hello @Roman Prudchenko ,

Thank you for the follow-up and for outlining this specific MSIX/AppContainer scenario.

I am currently setting up a lab environment to run some tests on this exact setup. I want to observe the cross-process behavior closely to give you a more accurate and detailed picture of how the security boundaries and conditions apply in this case.

I will be looking into this and will get back to you as soon as I have more information and insights to share.

Thank you very much for your patience!
Taki Ly (WICLOUD CORPORATION) 2,225 Reputation points Microsoft External Staff Moderator

2026-06-09T06:59:13.43+00:00
Hi @Roman Prudchenko ,

Thank you for your patience while I researched this scenario.

Regarding your specific scenario (Application A packaged as MSIX running inside an AppContainer vs. Application B running under the same user), please find the architectural answers based on the Windows Next Generation Credentials (NGC) system below:

1. Scenario Outcome: Should Application B be able to successfully open and use the same KeyCredential created by Application A? No. According to the documented behavior of NGC, Application B will NOT be able to open it.

When an application has a Package Identity (such as MSIX) and runs inside an AppContainer, the KeyCredential is cryptographically siloed. If a different process attempts to call KeyCredentialManager.OpenAsync() with the same credential name, the system will prevent access.

The primary condition enforcing this isolation is the Package Family Name (PFN). Access to the specific credential requires executing from within the exact same MSIX package. You can reference how the OS enforces isolation boundaries based on package identity in the Intro to secure Windows app development documentation.

2. Are KeyCredentialManager credentials scoped primarily to the Windows user account rather than to the application/package identity? The boundary dynamically shifts based on the application format:

For Packaged Apps (MSIX/AppContainer): Credentials are mathematically scoped to the tuple of [User SID] + [App PFN], creating a strict application-level boundary. The underlying principles, including how the identifier uses combined identities so the application cannot impersonate the user, are described in the AppContainer Isolation documentation.

For Unpackaged Apps (Classic Win32 Desktop): Credentials are scoped only to the Windows User Account.

(Please note: While I intended to fully simulate the isolated MSIX AppContainer environment, it requires a complex setup involving trusted identity certificates. Therefore, I was unable to test this specific packaged behavior in my environment).

3. Does MSIX packaging and AppContainer isolation create an application-level security boundary for KeyCredentialManager? Yes. The app-level isolation boundary for packaged apps is strictly managed by the Local Security Authority (LSA) and the Next Generation Cryptography (NGC) software provider. The AppID (derived directly from the package identity/PFN) binds to the key material deep within the cryptography provider.

For an application handling high-value local secrets, deploying as an unpackaged Win32 executable introduces a critical cross-process vulnerability. Packaging the application using MSIX is essentially required to cryptographically bind the KeyCredentialManager artifacts to the application's unique identity.

I hope this information assists you in finalizing your architecture. Please let me know if you need any further assistance.

Thank you.
Taki Ly (WICLOUD CORPORATION) 2,225 Reputation points Microsoft External Staff Moderator

2026-06-10T09:24:14.0066667+00:00

Hi @Roman Prudchenko ,

Have you seen my follow-up in this post? If you have any question, feel free to reach out. I'm happy to support you.
Taki Ly (WICLOUD CORPORATION) 2,225 Reputation points Microsoft External Staff Moderator

2026-06-12T06:22:57.12+00:00

Hi @Roman Prudchenko ,

As we haven’t heard back from you for a while, we’ll go ahead and close this thread for now. If you still need assistance later, feel free to reach out.

Thank you for your understanding.
Roman Prudchenko 0 Reputation points

2026-06-17T07:43:08.8133333+00:00
Hi @Taki Ly (WICLOUD CORPORATION)

Thank you again for the detailed follow-up!

I ran a practical test on my machine for the exact MSIX vs unpackaged scenario we discussed, and the result appears to contradict the documented outcome where Application B should not be able to open the KeyCredential created by packaged Application A.

Setup

Application A

Application A is installed as an MSIX package from the Start Menu.

Package Family Name: ExampleCompany.ExampleApp

Identity: ExampleCompany.ExampleApp

The application creates an encrypted local data file.

The application creates a Windows Hello credential via KeyCredentialManager.

The application uses a credential tag.

The application uses RequestSignAsync over a fixed UTF-16LE challenge string.

Windows Hello was configured.

Biometric authentication was enabled.

Windows Hello verification had been completed at least once.

Application B

Application B is a standalone unpackaged Win32 probe executable built locally.

Application B uses the same credential tag.

Application B uses the same challenge string.

Application B uses the same cryptographic flow as Application A.

File Location Verification

Before running the probe, I confirmed that the encrypted data file exists.

The expected path under %AppData% did not contain the file.

For the MSIX installation, the file was located under:

%LOCALAPPDATA%\Packages<PackageFamilyName>\LocalCache\Roaming<ApplicationDataPath>

I then closed Application A completely.

I ran Application B with a command-line argument pointing directly to the MSIX-redirected file location.

Observed Output

[1/5] encrypted key wrapper found

[2/5] KeyCredentialManager.OpenAsync returned Success (0)

[3/5] RequestSignAsync returned Success (0) after Windows Hello user verification

[4/5] master key successfully decrypted

[5/5] protected application data successfully decrypted

Final result: I got encrypted data.

Environment

Windows 10/11 x64

Windows Hello configured

Visual Studio 2026 toolchain was used only to build the probe and is not relevant to runtime isolation

Interpretation

Based on this experiment, it appears that an unpackaged same-user process that knows the credential name can open and use the KeyCredential created by the MSIX application.

The same process can also read the MSIX-redirected encrypted data file directly from disk using its absolute path.

This suggests that the effective security boundary in this scenario may be closer to user account scope combined with user verification rather than strict PFN-based isolation, at least on this Windows build and configuration.

Could you please help reconcile this result with your earlier statement that Application B will NOT be able to open the credential when Application A is MSIX/AppContainer?

Specifically:

Are there additional requirements for the [User SID] + [App PFN] binding you described to actually deny OpenAsync access to unpackaged callers, such as publisher identity/enterprise signing or particular Windows builds?

If this behavior is not expected, should it be treated as a platform bug or regression worth escalating?

I can provide the exact probe source code, command line, and complete console output if that would help investigate further.

Thank you!
Taki Ly (WICLOUD CORPORATION) 2,225 Reputation points Microsoft External Staff Moderator

2026-06-17T08:38:43.5133333+00:00

Hi @Roman Prudchenko ,

Thank you for running the test and providing the exact file paths. The detailed logs clarify why Application B succeeded, and confirm the platform is behaving by design.

In the logs, Application A's encrypted file generated at:

%LOCALAPPDATA%\Packages\<PackageFamilyName>\LocalCache\Roaming\<ApplicationDataPath>

The presence of the LocalCache directory confirms Application A is packaged as a Win32 Desktop Bridge application running as Full Trust (uap10:TrustLevel="mediumIL"), relying on file virtualization. Packaging an app as MSIX assigns it a Package Family Name (PFN) identity, but it does NOT inherently place the app inside an isolated AppContainer.

When a Full Trust process calls KeyCredentialManager.RequestCreateAsync(), the Next Generation Credentials (NGC) service detects the absence of the AppContainer boundary. Therefore, it falls back to scoping the credential purely at the Windows User Account level.

Because Application B runs as an unpackaged Win32 process under the same user, it successfully loads the credential.

Regarding your question: Are there additional requirements for the [User SID] + [App PFN] binding to deny OpenAsync access to unpackaged callers?**

Yes. To enforce strict PFN-based isolation, Application A must execute within an actual AppContainer (uap10:TrustLevel="appContainer"). If the app runs as Full Trust, cryptographic boundaries degrade to the user level. Factors like publisher identity do not alter this.

Additionally, this is completely by design. Full Trust intentionally bypasses the sandbox to maintain compatibility with legacy Win32 operations.

To achieve cross-process credential isolation, the application must execute cryptographic operations from within a true AppContainer process, not a Full Trust token. For further details on how file virtualization differs from isolation, refer to the MSIX Behind the Scenes documentation.

Please let me know if further technical clarity is needed on implementing AppContainer boundaries.

Thank you.

Answer 2

KeyCredentialManager and Windows Hello are designed as user- and device-scoped credentials, not as per-executable secrets. The primary security boundary is the Windows user account and device, with user verification (PIN/biometric) as the second factor. App-level isolation is provided for UWP/packaged apps via the Windows Hello APIs, but classic desktop apps must treat KeyCredential as one component in a broader design.

Direct answers to the questions:

Scope of KeyCredentialManager (user vs. app) KeyCredentialManager creates a public/private key pair that is bound to the device and the user, not to a specific process. Windows Hello credentials are “based on certificate or asymmetrical key pair” and “bound to the device,” and authentication is two-factor: a key tied to the device plus PIN/biometric.

For apps, the Windows Hello layer exposes APIs such as KeyCredentialManager.RequestCreateAsync and KeyCredential.RequestSignAsync. The private key never leaves the secure store/TPM, and apps only request operations (for example, signing) via these APIs.

Other processes under same user opening the same KeyCredential The model described in the context assumes that a user’s keys are available to applications (via the Windows Hello APIs) once the user has performed the required gesture. The keys are “used to sign requests that are sent to the identity provider,” and applications “can use specific APIs to request operations that require key material for particular actions.”

The documentation explicitly notes that:

The private key is not exposed to the application.
The user gesture (PIN/biometric) is used to “release the key,” after which applications can use the key via APIs.

This aligns with the behavior where another process under the same user, knowing the credential name, can request operations with that key after Windows Hello user verification. The boundary is the user + device + gesture, not the individual process.

App-level isolation for classic desktop apps The context states that “an application can never use the keys from another application, nor can someone ever use the keys from another user,” but this is in the Windows Hello app model context (UWP/packaged apps using the Windows Hello APIs). The isolation is enforced by the Windows Hello layer and the way keys are associated with identities and apps.

For classic desktop apps, the documentation does not describe a separate, stronger per-executable isolation boundary beyond the Windows Hello API model. Instead, it emphasizes:

Keys are bound to the device and user.
Apps call APIs to request signing/decryption; the Windows Hello layer mediates access.

There is no additional, documented per-executable binding mechanism in the provided context for Win32 desktop apps using KeyCredentialManager.

Effect of AppContainer or Win32 App Isolation The context does not describe any change in KeyCredentialManager behavior specific to AppContainer or Win32 App Isolation. The described behavior and examples are for UWP/packaged apps and their backend services, where keys are per-user, per-device, and accessed via the Windows Hello APIs.
Binding a KeyCredential to a specific executable, publisher, or package identity The documentation describes binding keys to:

The device and user (Windows Hello registration), and
The app’s account model (for example, storing multiple keys per user, per device, in the backend).

It does not describe a supported mechanism to bind a KeyCredential to a specific executable, publisher, or package identity in the way code-signing or AppLocker policies do. Instead, it focuses on:

Creating keys via KeyCredentialManager.RequestCreateAsync(AccountId, ...), where AccountId is an app-level identifier.
Using those keys for challenge–response authentication to a backend.

Whether the credential name should be treated as a secret The examples treat the credential identifier (AccountId) as an account identifier (for example, email address or username) that is stored and used by the app and backend. The credential name/identifier is not described as a secret; it is part of the registration data sent to the backend and stored in a database schema that includes user ID, device ID, and public key.

Because the public key and identifiers are stored server-side and used for authentication, the credential name should be treated as an identifier, not as a secret.

TPM backing or key attestation and same-user threat model TPM and attestation address hardware trust and server-side assurance:

Windows Hello “creates a set of public/private key pairs and writes the private keys to the device’s Trusted Platform Module (TPM) chip.”
The app can obtain “optional key attestation information to acquire cryptographic proof that the key is generated on the TPM.”

This strengthens protection against key extraction and provides proof to the backend that the key is hardware-backed. However, it does not change the local same-user threat model in terms of process-level access: once the user has authenticated with Windows Hello, the Windows Hello layer can use the TPM to perform cryptographic operations on behalf of the user. TPM/attestation do not introduce a per-process boundary; they harden key storage and remote trust.

Use of Windows Hello for password-vault local secrets The documentation positions Windows Hello as a strong 2FA mechanism that replaces reusable passwords with “the combination of a specific device, and a biometric gesture or PIN.” It is conceptually similar to smart cards, using cryptographic primitives and keys in tamper-resistant hardware.

For app design:

Windows Hello is used to authenticate the user and to sign challenges for backend services.
For local secrets, the pattern is: generate a key pair via Windows Hello, store the public key and optional attestation in the backend, and use challenge–response to authenticate.

The context does not prescribe that Windows Hello must be the only unlock mechanism for local password vaults. It describes:

Using Windows Hello as the primary authentication mechanism for new systems.
For migrations, initially keeping username/password and then optionally disabling them once Windows Hello is fully adopted.

Recommended architectural pattern from the context

From the provided material, the intended security and architectural pattern is:

Device- and user-bound keys
- Each device creates a unique key pair per user and per account.
- The private key is stored in TPM or secure software storage and never exposed.
App and backend integration
- The app uses KeyCredentialManager.RequestCreateAsync(AccountId, ...) to create a key.
- The app sends the public key (and optional attestation) plus a device identifier to the backend.
- The backend stores multiple keys per user to support multiple devices.
Authentication via challenge–response
- The backend sends a challenge.
- The app calls KeyCredential.RequestSignAsync to sign the challenge.
- Windows Hello prompts for PIN/biometric and uses the TPM to sign.
- The backend verifies the signature using the stored public key.
Isolation and protection
- The Windows Hello layer mediates access to key operations and requires user gestures where appropriate.
- The app never handles private key material directly.
- For high-value secrets, combine Windows Hello-based authentication with backend policies (for example, device management, revocation, and multiple keys per user) rather than relying solely on local process isolation.

In summary, KeyCredentialManager’s primary boundary is the user + device + Windows Hello gesture, with keys protected by TPM or secure storage and accessed only via Windows Hello APIs. It is not documented as a per-executable isolation mechanism for classic desktop apps, and high-value local secrets should be protected using Windows Hello as part of a broader design that includes backend verification and careful handling of identifiers and keys.

References:

Share via

What is the security boundary of Windows Hello KeyCredentialManager credentials for desktop apps?

2 answers

Your answer