Beginning with Windows 8, Microsoft began distributing the providers that enable you to securely share encrypted secrets and messages across computers. There are currently two key protection providers. The Microsoft Key Protection provider allows you to protect content to a group in an Active Directory forest. The Microsoft Client Key Protection provider allows you to protect content to a set of web credentials.
The correct protector to use is automatically chosen for you when the NCryptCreateProtectionDescriptor function parses the protection descriptor rule string your provide as input. The Microsoft Key Protection provider is chosen for rule strings that begin with SID, SDDL, and LOCAL. The Microsoft Client Key Protection provider parses rule strings that begin with WEBCREDENTIALS. For more information about rule strings, see Protection Descriptors.