Disable WDigest: reduce plaintext credential exposure in LSASS

Starting point: the risky setting is usually legacy drift

Modern Windows versions no longer store WDigest logon material as plaintext in LSASS by default. Still, the setting shows up in real AD environments: old golden images, local registry changes, inherited GPOs, or a troubleshooting workaround for a legacy application that was never removed.

The relevant question is not whether WDigest exists. The question is whether UseLogonCredential was enabled and therefore increases the chance of plaintext passwords being present in memory. On standard workstations, that is unnecessary. On admin workstations, jump hosts, and Domain Controllers, it is a clear Tier-0 risk.

The target is not a large architecture change. It is a measurable baseline: WDigest must not re-enable plaintext credential storage. The setting should be centrally controlled, technically verified, and removed from images permanently.

Target state: WDigest off, admin paths controlled

A defensible target state looks like this:

WDigest is disabled by baseline (UseLogonCredential = 0 or not explicitly enabled).
Admin sign-ins use dedicated admin endpoints, not random clients or application servers.
Credential Guard and LSASS Protected Process (RunAsPPL) are planned and tested as separate controls where appropriate.
Exceptions have an owner, expiry date, and technical verification. A permanent WDigest exception is almost always a design issue.

WDigest off reduces plaintext credential risk, but it does not remove every credential artifact from LSASS. Kerberos tickets, NTLM material, and tokens remain separate topics. That is why WDigest belongs in a credential exposure baseline, not in an isolated one-time change.

Inventory the current state

Start by checking whether UseLogonCredential is explicitly configured:

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
  -Name UseLogonCredential -ErrorAction SilentlyContinue |
  Select-Object PSComputerName, UseLogonCredential

Interpretation:

UseLogonCredential = 1: high risk; WDigest is more likely to keep plaintext credentials in the LSASS context.
UseLogonCredential = 0: desired explicit baseline.
Missing value: usually not automatically critical on modern Windows, but harder to prove than an explicit baseline value.

For a real project, a manual spot check is not enough. Use your existing management layer: Intune, ConfigMgr, GPO Preferences, EDR inventory, or a signed audit script. Separate results at least by workstations, member servers, admin systems, and Domain Controllers.

Enforce through GPO or endpoint management

For traditional AD environments, a dedicated GPO is pragmatic:

Path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
Value: UseLogonCredential
Type: REG_DWORD
Desired value: 0

Operational approach:

Create a clearly named GPO, for example Baseline - Credential Exposure - WDigest off.
Link it separately to workstation, server, and Domain Controller OUs.
Use the same technical setting for pilot and production, but different scopes.
Remove old GPOs or local policies that could set UseLogonCredential = 1 again.

If you use endpoint management, enforce the same desired value there and decide which system is authoritative. Competing baselines are a common source of configuration drift.

Validate after rollout

After rollout, the endpoint state matters more than the GPO console:

Verify the registry value on representative systems.
Check gpresult or RSoP to confirm policy application.
Group deviations by OU, device type, and system owner.
Check new images/templates before production rollout.

For admin systems, WDigest should only be the first step. Also review Credential Guard, local logon rights, RDP access, LSASS Protected Process, and how privileged users handle browser, Office, and mail activity.

Pros

Reduces plaintext credential risk across clients, servers, and Tier-0 systems.
Easy to control centrally through GPO or endpoint management.
Straightforward to measure with registry compliance and spot checks.
Limits image drift by preventing old templates from distributing risky settings again.

Cons and limitations

No complete credential isolation: tickets, hashes, and tokens still matter.
Legacy risk: very old SSO or authentication dependencies may surface if they relied on historical WDigest behavior.
Admin tiering is still required: if Domain Admins log on to standard clients, the main problem remains.
RunAsPPL/Credential Guard are separate changes: both require compatibility testing and should not be bundled into the same rollout without planning.

Common pitfalls

Misreading a missing value: missing does not automatically mean enabled, but it is harder to audit than an explicit baseline.
Old GPO wins later: a clean rollout fails if an older policy overwrites the value again.
Only checking Domain Controllers: workstations and jump hosts are often just as important for credential exposure.
Exceptions without expiry: WDigest exceptions should be temporary and force a technical alternative.
No image control: without template checks, the deviation returns with the next server or client rollout.

Project checklist

[ ] Inventory split by clients, servers, admin systems, and DCs.
[ ] Every UseLogonCredential = 1 finding identified and assessed.
[ ] Baseline enforced as REG_DWORD 0 through GPO or endpoint management.
[ ] Old GPOs, local policies, and images checked for conflicting settings.
[ ] Pilot validated in limited scope, then rolled out to production.
[ ] Compliance check established for ongoing monitoring.
[ ] Admin endpoints separately assessed for Credential Guard, RunAsPPL, and logon controls.