1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.

Note: All recommendations in Section 1.1 (Password Policy) are only applied to Local and Microsoft accounts and not Domain accounts. For more information, please see the references section below.

The recommended state for this setting is: 24 or more passwords.

Rationale:

The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced.

If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.

Impact:

The major impact of this configuration is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization but make them easier to guess. Also, an excessively low value for the Minimum password age setting will likely increase administrative overhead, because users who forget their passwords might ask the help desk to reset them frequently.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Required and 24 or more passwords:
To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Device restrictions)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Device restrictions/Password
Setting Name: Password
Configuration: Required

AND

Path: Device restrictions/Password
Setting Name: Prevent reuse of previous passwords
Configuration: 24

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability, etc.)

Note: More than one configuration setting from each of the Configuration profile types (e.g. Administrative Templates, Custom, etc.) can be added to each Device Configuration Policy.

Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:

./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordHistory

Note #3: This setting can also be created via the Settings Catalog via the following path:

Device Lock\Device Password Enabled\Min Device Password Length
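Because Section 1.1 applies to local accounts, the effect of this policy can be verified on the endpoint itself rather than only in the Intune portal. The following Python script is an added example and is not part of this audit or of any Microsoft or CIS tooling: it parses the INF file written by `secedit /export /cfg <file>` (assumed here to be in the usual UTF-16 encoding), reads `PasswordHistorySize` from the `[System Access]` section, and checks it against the recommended 24. It also checks that `MinimumPasswordAge` is non-zero, since the Information section above notes that history is only effective when users cannot immediately cycle through passwords. The sample INF text embedded in the script is constructed, not captured from a real host, and the function and variable names are the author's own.

```python
"""Offline check of an exported local security policy against
CIS 1.1.1 (Enforce password history: 24 or more passwords).

Usage on a Windows host (assumed workflow, not from the audit page):
    secedit /export /cfg C:\\temp\\policy.inf
    python check_pw_history.py C:\\temp\\policy.inf
Without an argument the script evaluates the constructed sample below.
"""
import sys

RECOMMENDED_HISTORY = 24  # "24 or more passwords"

# Constructed sample in the secedit INF format (not a real export).
# It is deliberately non-compliant so the output shows a failing host.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(text):
    """Return the key/value pairs of the [System Access] section.

    Numeric values are converted to int; anything else is kept as a
    string with surrounding quotes removed.
    """
    values = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[system access]"
            continue
        if in_section and "=" in line:
            key, _, raw = line.partition("=")
            raw = raw.strip().strip('"')
            try:
                values[key.strip()] = int(raw)
            except ValueError:
                values[key.strip()] = raw
    return values


def evaluate(values):
    """Return a list of (check name, passed, detail) tuples."""
    # secedit omits keys it does not manage; treat a missing key as 0,
    # which is the stand-alone workstation default named on the page.
    history = values.get("PasswordHistorySize", 0)
    min_age = values.get("MinimumPasswordAge", 0)
    return [
        ("1.1.1 Enforce password history >= 24",
         history >= RECOMMENDED_HISTORY,
         f"PasswordHistorySize = {history}"),
        # Pairing check from the Information section: without a minimum
        # age, users can change passwords repeatedly to reuse an old one.
        ("Minimum password age > 0 (keeps history effective)",
         min_age > 0,
         f"MinimumPasswordAge = {min_age}"),
    ]


def check_policy_text(text):
    """Parse INF text and evaluate it; returns the findings list."""
    return evaluate(parse_system_access(text))


def check_policy_file(path):
    """Evaluate a file produced by `secedit /export`.

    secedit writes UTF-16 with a BOM; the 'utf-16' codec handles that.
    Adjust the encoding if a tool in your environment re-saves the file.
    """
    with open(path, encoding="utf-16") as fh:
        return check_policy_text(fh.read())


def report(findings):
    """Print one line per check and return True only if all passed."""
    ok = True
    for name, passed, detail in findings:
        print(f"[{'PASS' if passed else 'FAIL'}] {name}: {detail}")
        ok = ok and passed
    return ok


if __name__ == "__main__":
    results = (check_policy_file(sys.argv[1]) if len(sys.argv) > 1
               else check_policy_text(SAMPLE_INF))
    sys.exit(0 if report(results) else 1)
```

The script exits non-zero on any failing check so it can sit in a scheduled task or a compliance pipeline; on a domain-joined machine remember that the domain policy, not the local INF, is what governs domain accounts, as the note in the Information section states.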

Default Value:

24 passwords remembered on domain members. 0 passwords remembered on stand-alone workstations.

See Also

https://workbench.cisecurity.org/files/4161