Windows 10 forgets passwords in Outlook, Edge, Chrome, etc

After installing the Windows 10 feature update v2004, your computer may fail to remember the stored passwords in Outlook, Edge, Chrome browser, and various other programs. This is a system-wide issue rather than an application-specific problem. Here are some of the symptoms you may experience in Windows 10 v2004:

  • Windows 10 prompts for your Microsoft account password every now and then.
  • Accessing a network resource or NAS drive causes the password prompt to appear every time even though the credentials were saved earlier.
  • Microsoft Edge, Firefox, and Chrome browsers keep asking to enter the password to access a resource for which you’ve previously saved the password.
  • Forms and password autocomplete don’t work in Google Chrome and other apps.
  • Passwords stored by your web browser (e.g. Chrome) on the local computer are wiped off.
  • The synchronization is paused in the Chrome web browser.
  • Chrome web browser’s chrome://signin-internals/ page denotes the error “Load credentials failed with decrypt errors”.
  • You’re forced to sign to OneDrive every time you log in.
  • Outlook keeps asking you to log into Office 365 every few hours.
  • Passwords for email accounts in your mail client are not saved, and you need to type them every time.
  • Adobe Acrobat keeps asking for your Adobe credentials whenever you open a PDF file.
  • The Windows 10 Settings periodically wants to fix your account configuration by re-authenticating with Windows Hello.
  • Mapped Network Drives not working in Windows 10 v2004.
  • Windows Credentials (in Credentials Manager) are wiped out at every restart.
    v2004 credentials bug - scheduler with s4u task - wiped out credentials
  • In the Event Viewer, these two errors are recorded in the Applications and Services LogsMicrosoftWindowsCrypto-DPAPIOperational log.
    Log Name: Microsoft-Windows-Crypto-DPAPI/Operational
    Source: Microsoft-Windows-Crypto-DPAPI
    Date: 
    Event ID: 8196
    Task Category: Master Key Operation
    Level: Error
    Keywords: Master Key Operation
    User: SYSTEM
    Computer: Vostro-3470
    Description:
    Master key decryption in memory failed
    
    
    Log Name: Microsoft-Windows-Crypto-DPAPI/Operational
    Source: Microsoft-Windows-Crypto-DPAPI
    Date: 
    Event ID: 8198
    Task Category: Data Protection Operation
    Level: Error
    Keywords: Data Protection Operation
    User: SYSTEM
    Computer: Vostro-3470
    Description:
    DPAPI Unprotect failed .
    
    Status: 0x8009000B
    ReasonForFailure: Could not get the master key

The above symptoms denote that this is a system-wide bug in Windows 10 version 2004 that prevents the stored credentials from loading correctly.

Resolution

To fix the credentials/password amnesia in Windows 10 2004, here are some workarounds or fixes:

Solution 1: Switch to a Microsoft account

Many users have denoted that switching to Microsoft account fixes the issue. If you’re using a local account, you can switch to a Microsoft account by clicking on Start → Settings → click Accounts → click Sign in with a Microsoft account instead.

  • In case you’re using a Microsoft account already, switch to a local account, restart Windows, and revert to Microsoft account.
    switch to local or microsoft account

(Note that switching to a Microsoft account also prevents the problem where you’re unable to set your default apps and custom file associations in Windows 10. See the article Cannot Change Default Apps or Programs in Windows 10 for more information.)

Reference:

Systemwide password amnesia (v2004 build 19041.173) - Microsoft Community:
https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/systemwide-password-amnesia-v2004-build-19041173/232381f8-e2c6-4e8a-b01c-712fceb0e39e

Solution 2: Disable Scheduled Tasks that use S4U login type

Tavis Ormandy, a vulnerability researcher at Google, has found something very interesting. He has identified that the Windows 10 v2004 credentials bug can be triggered by one or more scheduled tasks that use the S4U login type.

This bug is what’s causing the error “Load credentials failed with decrypt errors”, as seen from the Chrome browser’s chrome://signin-internals/ page.

v2004 credentials bug - chrome tokenservice credentials load error
“TokenService Load Status” shows “Load credentials failed with decrypt errors.”

The Windows Task Scheduler can create tasks that run under the account of a particular user, without storing the user password. This is known as “S4U” (Service-for-user) logon type.

TASK_LOGON_S4U takes advantage of a service for user (S4U) logon to run the task on behalf of the specified user, but without having to store the password. Since the Task Scheduler runs within the local system account, it can create a S4U logon session and receive a token that can not only be used for identification, but also for impersonation on the local computer.

Quote:

I have some news, I think I’ve found the cause and it’s definitely a Windows bug.

TL;DR: I think if you’re experiencing this bug, then I think you have a scheduled task using “S4U”.

Here is how to check, open a PowerShell console as Administrator and paste this:

Get-ScheduledTask | foreach { If (([xml](Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath)).GetElementsByTagName("LogonType").'#text' -eq "S4U") { $_.TaskName } }

If you open the task scheduler and disable all the tasks it lists, I think this bug will go away.

(If you really need those tasks, make them non-S4U, i.e. the “Do not store password” checkbox)

This is because the RPC that UBPM uses to create the S4U token can sometimes delete your saved credentials in lsass. Amongst other things, your saved credentials (or rather, the hash of them) are used to generate your DPAPI user encryption key, and when they’re deleted lsass just uses the hash of the empty string (!!).

If you want to read about S4U, there’s a short snippet here.

(Credits to the Microsoft forum users “iFiredog” and “Sumit Dhiman” who were the first ones who found the above post.)



Reference:

1069383 - TokenService fails to load after CryptUnprotectData failure, causing cookies and sync to reset - chromium:
https://bugs.chromium.org/p/chromium/issues/detail?id=1069383#c90

Identify and then disable “S4U” tasks

Run one of the above PowerShell commands (as administrator) to find the list of scheduled tasks that use the S4U login type. You may see a list of tasks — mostly HP apps such as HP Customer participation (HPCustParticipation), HP Customer Satisfaction task, Carbonite upgrade task, etc. on the list.

There you can see two tasks that are using the “S4U” type in the current computer.

v2004 credentials bug - scheduler with s4u task

If you’ve installed Carbonite backup software, you’ll find a task named {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} in the Task Scheduler Library.

v2004 credentials bug - scheduler with s4u task carbonite

The Carbonite update task {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} runs CarboniteUpgrade.exe every hour on a daily basis. So, every time the S4U-based task runs, it erases the Windows credentials on the computer.

The other task in the list is the “Turn off Monitor” custom task that uses S4U.

  • Open Task Scheduler, locate each task listed above, and then disable it. Or change the task login to non-S4U type — i.e. uncheck the Do not store password option, or use the Run only when user is logged on option if possible.
    v2004 credentials bug - scheduler with s4u task

This fixes the system-wide credentials problem irrespective of the program.

Additional note: This issue (of Windows Credentials getting erased) seems to have been reported in the year 2016 itself. Check out the following thread:

Windows Credential Manager not retaining generic credentials - Windows Server:
https://www.bleepingcomputer.com/forums/t/593411/windows-credential-manager-not-retaining-generic-credentials/

Solution 3: Revert to the previous build

Windows 10 v1903 or v1909 didn’t have the credentials bug. If you’ve recently installed the v2004 feature update, you can roll back to the previous version. You can do so via Settings → Update & Security → Go back to the previous version of Windows 10.

However, note that you only have a 10-day window before which you need to roll back.

go back to previous build - 10 days time

Once Microsoft issues a fix for the v2004 credentials bug (expecting somewhere in November, though Microsoft said “no ETA”), you may then upgrade to the latest build of v2004.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

1 thought on “Windows 10 forgets passwords in Outlook, Edge, Chrome, etc”

  1. Appreciate your post, and assume Microsoft will eventually fix password save problem.

    Am curious if you know a method to log in with Microsoft account when all user data is accessed via mapped network drives under administration of groups/user in File Server?

    I have 107 active tasks….seems like a lot of work to edit each one looking that use save password field

    Reply

Leave a Comment