How to remove

Cameron Edwards 0 Reputation points
2025-10-27T16:55:30.5066667+00:00

Good Afternoon,

Working on a solution for offboarded user devices that may check back into Intune. We'd like to prevent users once offboarded from logging back into their user profiles. Once users are disabled with cached credentials they can still log back into their local account via their old password.

Domain cached credentials are stored in HKLM\Security\Cache as NL$# (Typically 1-10). I'm looking for a way to zero out these cached credentials to remove their ability to log back into a device. I've attempted one other solution mentioned below

I've attempted a solution by modifying CachedLogonsCount to 0 at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
restarting the device, running gpupdate /force, etc, then updating the user's password, but am still able to logon with the old cached credential until it is updated by logging in with the newly set PW.

Any guidance would be appreciated, we'd like to fully lock out any offboarded users ASAP upon removal from the company.


2 answers

  1. HLBui 2,590 Reputation points Independent Advisor
    2025-10-27T17:30:00.7333333+00:00


    I think you’re correct that domain cached credentials are stored under HKLM\Security\Cache, and setting CachedLogonsCount to 0 only prevents new cached credentials from being stored—it doesn’t remove any existing ones. To fully clear the cached credentials, you can use a startup script or Intune remediation script to delete the NL$# entries directly, or use nltest /SC_REMOVE:<domain> followed by a reboot to break the domain trust and flush cached credentials.

    Additionally, ensuring that the user’s account is disabled in Active Directory and that the device performs a successful sync with Intune/Entra ID will help enforce sign-in restrictions once the cached data is cleared. For high-security scenarios, you can also consider leveraging Autopilot Reset or Fresh Start to reprovision the device cleanly.


  2. HLBui 2,590 Reputation points Independent Advisor
    2025-10-27T17:48:01.2233333+00:00

    You can use a PowerShell remediation script deployed through Intune that runs as SYSTEM. Within the script, you’d first take ownership and adjust permissions on the Security hive (temporarily), then use reg.exe or PowerShell’s Remove-ItemProperty to clear the NL$# entries. Another practical approach is to call nltest /SC_REMOVE:<domain> or trigger a local security authority (LSA) cache reset through secedit /refreshpolicy machine_policy /enforce.
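The SYSTEM-context remediation script described above, written out as an added example (not code from the thread or from Microsoft). It zeroes the NL$# blobs in place, as the question asks, rather than deleting the values, and assumes it is deployed as an Intune remediation with "Run this script using the logged-on credentials" set to No so that it runs as SYSTEM; the function names are mine.

```powershell
# Added example: overwrite every NL$<n> cached-logon slot under HKLM\SECURITY\Cache with zeros.
# The SECURITY hive denies even local administrators, so this must run as SYSTEM
# (Intune remediation scripts run as SYSTEM by default).

function Test-RunningAsSystem {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem
}

function Clear-CachedLogonBlobs {
    param([switch]$WhatIf)   # -WhatIf reports what would be wiped without writing
    if (-not (Test-RunningAsSystem)) {
        throw 'Must run as SYSTEM to write HKLM\SECURITY\Cache'
    }
    # Open the key writable via .NET so we control the handle and the value kind.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SECURITY\Cache', $true)
    if ($null -eq $key) { throw 'HKLM\SECURITY\Cache not found (device not domain-joined?)' }
    $cleared = @()
    try {
        foreach ($name in ($key.GetValueNames() | Where-Object { $_ -match '^NL\$\d+$' })) {
            $data = [byte[]]$key.GetValue($name)
            # An all-zero slot is already empty; only live entries need wiping.
            if (-not ($data | Where-Object { $_ -ne 0 })) { continue }
            if (-not $WhatIf) {
                # Keep the slot the same length but with no usable secret in it.
                $zeros = New-Object -TypeName 'byte[]' -ArgumentList $data.Length
                $key.SetValue($name, $zeros, [Microsoft.Win32.RegistryValueKind]::Binary)
            }
            $cleared += $name
        }
    }
    finally { $key.Close() }
    return $cleared
}

# Also stop future logons from being cached (the asker already set this; kept so the
# remediation is complete on devices where it was never applied). The value is REG_SZ.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name 'CachedLogonsCount' -Value '0' -Type String

$wiped = Clear-CachedLogonBlobs
Write-Output ("Zeroed {0} cached logon slot(s): {1}" -f $wiped.Count, ($wiped -join ', '))
exit 0
```

Note that the NL$ slots are shared: this clears the cached domain credentials of every user who has signed in to the device, not only the offboarded one, so users will need line of sight to a domain controller (or Entra ID on hybrid-joined devices) for their next sign-in.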

