Per support, the credentials are stored in C:\Program Data\ScreenConnect Client (xxxxxxxxxxxxxxxx)\user.config with this, for Windows. Even as NT Service\SYSTEM, it fails to unprotect. I believe this is because ScreenConnect uses the optional argument entropy.
For those of us that use LAPS, updating the stored credential is essential. The feature should do one of the following:
- Allow ScreenConnect.ClientService.exe to be called with parameters to replace the credential.
- Use Windows Credential Manager instead of CryptProtectData.
- Explain how to use the CryptProtectData class. If entropy is used, list the value somewhere and/or allow it to be configurable.
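
The behaviour the post describes can be reproduced with the .NET DPAPI wrapper; this is an added example, not part of the original post and not ScreenConnect code. It assumes Windows PowerShell 5.1 and machine scope, and the secret and entropy are constructed sample values, not the ones the client uses.

```powershell
# Added example: DPAPI blobs protected with optional entropy cannot be
# unprotected without the same entropy, whichever account makes the call.
Add-Type -AssemblyName System.Security

# Assumption: machine scope. The post does not say which scope the client uses.
$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

# Constructed sample values.
$Secret  = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-password')
$Entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-entropy')

# Protect the secret with the optional entropy argument.
$Blob = [System.Security.Cryptography.ProtectedData]::Protect($Secret, $Entropy, $Scope)

function Test-Unprotect {
    # Hypothetical helper: returns the plaintext, or the error text on failure.
    param(
        [byte[]]$Data,
        [byte[]]$OptionalEntropy
    )
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Data, $OptionalEntropy, $Scope)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    }
    catch {
        return "unprotect failed: $($_.Exception.Message)"
    }
}

# 1. No entropy supplied: fails even though the scope is machine-wide.
"without entropy : " + (Test-Unprotect -Data $Blob -OptionalEntropy $null)

# 2. Different entropy: fails the same way.
$Wrong = [System.Text.Encoding]::UTF8.GetBytes('some-other-value')
"wrong entropy   : " + (Test-Unprotect -Data $Blob -OptionalEntropy $Wrong)

# 3. Matching entropy: the original secret is recovered.
"correct entropy : " + (Test-Unprotect -Data $Blob -OptionalEntropy $Entropy)
```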