1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' - 60 or fewer days, but not 0

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting defines how long a user can use their password before it expires.

Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire.

Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.

Note: All recommendations in Section 1.1 (Password Policy) are only applied to Local and Microsoft accounts and not Domain accounts. For more information, please see the references section below.

The recommended state for this setting is 365 or fewer days, but not 0.

Rationale:

The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access.

Impact:

If the Maximum password age setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization, because users might write their passwords in an insecure location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Required and 365 or fewer days, but not 0:
To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Device restrictions)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Device restrictions/Password
Setting Name: Password
Configuration: Required

AND

Path: Device restrictions/Password
Setting Name: Password expiration (days)
Configuration: 365

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:

./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordExpiration

Note #3: This setting can also be created via the Settings Catalog via the following path:

Device Lock\Device Password Enabled\Device Password Expiration

Default Value:

42 days.

See Also

https://workbench.cisecurity.org/files/4161