1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords'


This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.

Note: All recommendations in Section 1.1 (Password Policy) are only applied to Local and Microsoft accounts and not Domain accounts. For more information, please see the references section below.

The recommended state for this setting is: 24 or more passwords.


The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced.

If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.


The major impact of this configuration is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization but make them easier to guess. Also, an excessively low value for the Minimum password age setting will likely increase administrative overhead, because users who forget their passwords might ask the help desk to reset them frequently.


To establish the recommended configuration, set the following Device Configuration Policy to Required and 24 or more passwords:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Device restrictions)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Device restrictions/Password
Setting Name: Password
Configuration: Required


Path: Device restrictions/Password
Setting Name: Prevent reuse of previous passwords
Configuration: 24

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:


Note #3: This setting can also be created via the Settings Catalog via the following path:

Device Lock\Device Password Enabled\Min Device Password Length

Default Value:

24 passwords remembered on domain members. 0 passwords remembered on stand-alone workstations.

See Also