24.3 (L1) Ensure 'Device Password History' is set to '24 or more password(s)'

Information

This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. In an Intune managed environment this setting applies to local user accounts and not Entra ID accounts.

The value includes the user's current password. A setting of 1 therefore means the user can't reuse their current password when choosing a new one, while a setting of 5 means the user can't set their new password to their current password or any of their previous four passwords.

The recommended state for this setting is: 24 or more password(s).

The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced.

If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to 24 or more password(s):

Device Lock\Device Password Enabled: Device Password History

Impact:

The major impact of this configuration is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization but make them easier to guess.

Warning: If an organization is using Windows Hello for Business, the Device Lock password settings can impact PIN policies if those policies are not first defined elsewhere. Windows will follow the Windows Hello for Business policies for PINs if this key exists: HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies. Otherwise, it will follow Device Lock policies.

This benchmark recommends configuring Device Lock policies for Local User accounts and Windows Hello for Business policies for PINs.
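The following PowerShell audit is an added example, not part of the benchmark or of any Tenable/CIS tooling: it reads the effective local password-history length and reports whether the Windows Hello for Business PIN policy key named in the warning above is present, so an administrator can tell which policy set a device will actually follow. The function name and the default threshold of 24 are assumptions chosen to match this control.

```powershell
# Added audit example (not benchmark-supplied code). Reads the effective local
# password history length and checks for the Windows Hello for Business PIN policy
# key, since its presence means Device Lock PIN-related settings are not applied.
function Get-DevicePasswordHistoryAudit {
    [CmdletBinding()]
    param(
        [int]$MinimumRequired = 24   # benchmark threshold: 24 or more password(s)
    )

    # 'net accounts' prints the effective local account policy; the relevant line
    # reads "Length of password history maintained:    24" (or "None" when unset).
    $line = (net accounts) | Where-Object { $_ -match 'password history' }
    $history = if ($line -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }

    # A <Tenant-ID>\Device\Policies subkey under PassportForWork means WHfB PIN
    # policy is defined and Windows follows it instead of Device Lock for PINs.
    $whfbRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'
    $whfbPolicyPresent = $false
    if (Test-Path $whfbRoot) {
        $whfbPolicyPresent = [bool](Get-ChildItem $whfbRoot -ErrorAction SilentlyContinue |
            Where-Object { Test-Path (Join-Path $_.PSPath 'Device\Policies') })
    }

    [pscustomobject]@{
        PasswordHistory      = $history
        MeetsBenchmark       = ($history -ge $MinimumRequired)
        WHfBPinPolicyPresent = $whfbPolicyPresent
    }
}

Get-DevicePasswordHistoryAudit
```

Run it in an elevated session on the managed device; a MeetsBenchmark value of False indicates the local account policy has not yet received the 24-password history setting.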

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|16.2

Plugin: Windows

Control ID: cefd4c076570ff5958c9c1d144c9af827f674df58e14f7a1608392d3762a6939