Enforcing a Password History Policy Using Intune
This article describes how to implement a password history policy through Intune. Using an Intune configuration profile, you can enforce device password history on Windows devices so that users cannot recycle old passwords. The Intune Settings catalog exposes the Device Password History setting, which determines how many previous passwords are remembered and cannot be reused. The default value is 0 (no history kept) and the maximum is 50.
What Is Enforce Password History?
Put simply, the Enforce password history setting determines how many unique new passwords a user must set before an old password can be reused. It reduces the exposure created by password reuse. Microsoft also recommends pairing it with the Minimum password age setting; without a minimum age, a user can change the password repeatedly in one sitting to flush the history, which defeats the policy.
The Risk of Reusing Old Device Passwords
If Enforce password history is set to a low number, users can rotate through a small set of passwords indefinitely. If no Minimum password age is configured, a user can change the password several times in quick succession, cycling through the history until the original password is accepted again.
Policy CSP for DevicePasswordHistory in Intune
The DeviceLock area of the Policy CSP includes a setting named DevicePasswordHistory, which specifies how many passwords are stored in the history and cannot be reused. Note that the value includes the user's current password. To make this concrete: when DevicePasswordHistory is set to 1, users cannot reuse their current password when choosing a new one.
Setting DevicePasswordHistory to 8 prevents users from choosing their current password or any of the previous seven passwords. The setting is only applied when a device password is required, that is, when DevicePasswordEnabled in the same area is set to Enabled (0). The Settings catalog maps the Device Password History setting to the following CSP URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordHistory
Implement a Password History Policy with Intune
Follow the steps below to create a policy that enforces password history on Windows devices using Intune.
Sign in to the Microsoft Intune admin center.
Go to Devices > Windows > Configuration profiles.
Select Create > New policy.
On the Create a profile pane, choose the following options.
Platform: Windows 10 and later
Profile type: Settings catalog
On the Basics tab, enter a name and a short description for the policy so that other Intune admins can find it easily.
Click Next.
In the Configuration settings section, click Add settings. In the Settings picker, type "device password history" in the search box and click Search. Select the Device Lock category from the results.
In the lower pane, tick Device Password History. Close the Settings picker.
Configure the following settings under Device Lock.
Device Password Enabled: this is shown as Disabled by default; switch it to Enabled. Device Password History only takes effect when a device password is required, so leaving this disabled means the history value is ignored.
Device Password History: in the example below the value is 8. This means the user cannot choose their current password or any of the previous seven passwords as the new password.
Click Next.
On the Scope tags tab, assign scope tags if you use them; this step is optional and can be skipped. Click Next.
On the Assignments tab, select the Entra ID groups that should receive the policy. Roll the profile out to a small pilot group first and expand to further groups only once testing succeeds. Click Next.
Finally, review the settings for the password history policy on the Review + create tab and click Create.
After the policy is created, Intune shows the notification "Policy successfully created". This confirms only that the profile exists and is targeted at the selected groups; each device applies it on its next check-in. The new profile appears in the list of configuration profiles in Intune.
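The same Settings catalog policy can be created and assigned without the portal, which is useful for repeatable deployments and for reviewing exactly what gets stored. The script below is an added example and is not code from the original article; it uses the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest) against the beta configurationPolicies endpoint. The settingDefinitionId values and the parent/child nesting of Device Password Enabled and Device Password History are assumed from the Settings catalog naming of the CSP path; confirm them by exporting the settings of a policy created in the portal (GET .../configurationPolicies/{id}/settings) before relying on them. $PilotGroupId is a placeholder for your Entra ID pilot group's object ID.

```powershell
# Added example (not from the original article): create and assign the
# "Enforce password history" Settings catalog policy via Microsoft Graph.
# Requires the Microsoft.Graph.Authentication module.
# ASSUMPTION: the settingDefinitionId strings below follow the Settings catalog
# convention of lower-casing the CSP path (device_vendor_msft_policy_config_devicelock_*),
# and Device Password History is a child of Device Password Enabled as in the portal.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your pilot group's object ID
$HistoryCount = 8                                        # allowed range 0..50; includes the current password
if ($HistoryCount -lt 0 -or $HistoryCount -gt 50) { throw 'DevicePasswordHistory must be between 0 and 50.' }

$policy = @{
    name         = 'Windows - Enforce password history'
    description  = "DeviceLock/DevicePasswordHistory = $HistoryCount (current + previous $($HistoryCount - 1))"
    platforms    = 'windows10'
    technologies = 'mdm'
    settings     = @(
        @{
            '@odata.type'   = '#microsoft.graph.deviceManagementConfigurationSetting'
            settingInstance = @{
                '@odata.type'       = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                settingDefinitionId = 'device_vendor_msft_policy_config_devicelock_devicepasswordenabled'
                choiceSettingValue  = @{
                    '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'
                    # "_0" = Enabled (the CSP uses 0 for "device password required").
                    # The history setting is ignored unless this parent is enabled.
                    value    = 'device_vendor_msft_policy_config_devicelock_devicepasswordenabled_0'
                    children = @(
                        @{
                            '@odata.type'       = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance'
                            settingDefinitionId = 'device_vendor_msft_policy_config_devicelock_devicepasswordhistory'
                            simpleSettingValue  = @{
                                '@odata.type' = '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue'
                                value         = $HistoryCount
                            }
                        }
                    )
                }
            }
        }
    )
}

$uri = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'
$created = Invoke-MgGraphRequest -Method POST -Uri $uri `
    -Body ($policy | ConvertTo-Json -Depth 20) -ContentType 'application/json'
"Created policy $($created.id)"

# Assign to the pilot group only; widen the assignment after testing succeeds.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$uri/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

# Read the stored settings back to confirm the value that will be delivered to devices.
$settings = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($created.id)/settings"
$settings.value | ForEach-Object { $_.settingInstance | ConvertTo-Json -Depth 20 }
```

The final GET is the same data the portal's export shows, so comparing it against a portal-created policy is the quickest way to validate the assumed definition IDs before using the script in production.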
Trigger an Intune Sync on Windows Devices
To receive the policy, Windows devices must be enrolled in Microsoft Intune and have internet connectivity. Enrolled devices check in with Intune on a schedule to pick up new policies; after the initial enrollment check-ins, a Windows device checks in about every 8 hours. To speed up policy delivery you can force a sync from the Intune admin center (select the device, then Sync), from Settings > Accounts > Access work or school > Info > Sync on the device, or by starting the enrollment client's scheduled task on the device.
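Forcing the check-in from the device itself is handy when you are testing on a pilot machine. The script below is an added example and is not code from the original article. It locates the Intune enrollment (the enrollment whose ProviderID is "MS DM Server" under HKLM\SOFTWARE\Microsoft\Enrollments) and starts the enrollment client's PushLaunch scheduled task, which is created under \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\. Run it from an elevated PowerShell session on the enrolled device.

```powershell
# Added example (not from the original article): force an Intune check-in on a
# Windows device by starting the enrollment client's PushLaunch scheduled task.
# Run as administrator on the enrolled device.

function Get-IntuneEnrollmentId {
    # Each MDM enrollment lives under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>.
    # The Intune enrollment is the one whose ProviderID is "MS DM Server"; other
    # GUIDs under this key belong to other providers and have no EnterpriseMgmt tasks.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction Stop |
        Where-Object {
            (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server'
        } |
        Select-Object -First 1 -ExpandProperty PSChildName
}

function Start-IntuneSync {
    $enrollmentId = Get-IntuneEnrollmentId
    if (-not $enrollmentId) {
        throw 'No Intune (MS DM Server) enrollment found on this device; is it enrolled?'
    }

    # The enrollment client registers its tasks under \Microsoft\Windows\EnterpriseMgmt\<GUID>\.
    # PushLaunch performs the same check-in that the "Sync" button in Settings triggers.
    $taskPath = "\Microsoft\Windows\EnterpriseMgmt\$enrollmentId\"
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName 'PushLaunch' -ErrorAction Stop
    $task | Start-ScheduledTask

    # Give the task a moment to start, then report its state so a failed launch is visible.
    Start-Sleep -Seconds 2
    $info = Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName 'PushLaunch'
    [pscustomobject]@{
        EnrollmentId = $enrollmentId
        Task         = 'PushLaunch'
        State        = (Get-ScheduledTask -TaskPath $taskPath -TaskName 'PushLaunch').State
        LastRunTime  = $info.LastRunTime
        LastResult   = $info.LastTaskResult
    }
}

Start-IntuneSync
```

If the PushLaunch task is not present (older enrollment client builds), the "Schedule #3 created by enrollment client" task under the same path triggers the regular check-in and can be started the same way. After the sync, the MDM diagnostics event log and the PolicyManager registry keys described in the verification section will reflect the new value.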
Monitor the Password History Policy Assignment
As the policy is applied, you can track which devices and users have received the password history settings from Intune. Select the policy in the Intune admin center and look at the Device and user check-in status section, which shows the total number of devices and users that have successfully applied the policy.
Click View report to see the names of the devices that received the policy. If the policy fails for particular users or devices, examine the Intune (MDM diagnostics) logs on the affected Windows PC to troubleshoot.
Check the DevicePasswordHistory Policy on Windows Devices
This section shows two ways to check that Intune has applied the device password history setting on a Windows device:
Event Viewer for Windows
Registry of Windows operating system
Event Viewer for Windows
Open Event Viewer on the Windows device (run eventvwr) and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin to see the Intune MDM event log. Filter the current log on Event ID 813 ("MDM PolicyManager: Set policy int"); the entry for the DeviceLock area names the DevicePasswordHistory policy and shows the integer value Intune delivered.
Registry of Windows
Open Registry Editor on the Windows device and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\<enrollment ID>\default\Device\DeviceLock. In this example the enrollment ID is 1F8A61D5-C483-45C6-A23B-5EC8C599E5F0; it is the device's MDM enrollment GUID and differs on every device, so do not hard-code it. The right pane lists the device lock policy values delivered by that enrollment.
Look for the DevicePasswordHistory value. Here it is 8, matching the Device Lock setting configured in Intune. The effective, merged value that Windows actually enforces is also visible under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock. Either location can be used to confirm that the device password history setting is being enforced through Intune.
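Both checks above can be scripted so that a pilot device can be validated in one step instead of clicking through Event Viewer and Registry Editor. The script below is an added example and is not code from the original article. It enumerates the provider GUIDs under PolicyManager\providers rather than hard-coding the enrollment ID, reads the effective value under PolicyManager\current\device, pulls the matching Event ID 813 entries, and also checks DevicePasswordEnabled, since the history value is not enforced unless a device password is required. The expected value of 8 is the one used in this article's example.

```powershell
# Added example (not from the original article): verify that Intune delivered
# DeviceLock/DevicePasswordHistory to this device via the registry and the
# MDM diagnostics event log. Run as administrator on the enrolled device.

function Get-MdmPolicyValue {
    param([string]$Area = 'DeviceLock', [string]$Policy = 'DevicePasswordHistory')
    $base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'

    # 1) Per-provider value: providers\<enrollment GUID>\default\Device\<Area>\<Policy>.
    #    The GUID is the device's MDM enrollment ID, so enumerate instead of hard-coding it.
    $providerValues = Get-ChildItem "$base\providers" -ErrorAction SilentlyContinue | ForEach-Object {
        $key = "$($_.PSPath)\default\Device\$Area"
        $v = (Get-ItemProperty -Path $key -Name $Policy -ErrorAction SilentlyContinue).$Policy
        if ($null -ne $v) { [pscustomobject]@{ EnrollmentId = $_.PSChildName; Value = $v } }
    }

    # 2) Effective (merged) value that Windows enforces: current\device\<Area>\<Policy>.
    $effective = (Get-ItemProperty -Path "$base\current\device\$Area" -Name $Policy -ErrorAction SilentlyContinue).$Policy

    [pscustomobject]@{
        Policy        = "$Area/$Policy"
        ProviderValue = $providerValues
        Effective     = $effective
    }
}

function Get-MdmSetPolicyEvents {
    param([string]$Policy = 'DevicePasswordHistory', [int]$MaxEvents = 5)
    # Event ID 813 = "MDM PolicyManager: Set policy int"; its message names the
    # policy, the area (DeviceLock) and the integer value that was applied.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 813 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "\b$Policy\b" } |
        Select-Object -First $MaxEvents TimeCreated, Message
}

function Test-PasswordHistoryEnforced {
    param([int]$Expected = 8)
    $history = Get-MdmPolicyValue
    $ok = ($history.Effective -eq $Expected)
    if (-not $ok) {
        Write-Warning "Effective DevicePasswordHistory is '$($history.Effective)', expected $Expected (not delivered yet, or a conflicting policy won the merge)"
    }
    # History only counts when a device password is required: DevicePasswordEnabled = 0 means Enabled.
    $enabled = (Get-MdmPolicyValue -Policy 'DevicePasswordEnabled').Effective
    if ($enabled -ne 0) {
        Write-Warning "DevicePasswordEnabled is '$enabled' (0 = Enabled); the history value will not be enforced"
        $ok = $false
    }
    return $ok
}

Get-MdmPolicyValue | Format-List
Get-MdmSetPolicyEvents | Format-Table -Wrap
Test-PasswordHistoryEnforced -Expected 8
```

When Test-PasswordHistoryEnforced returns False but a provider value is present, the difference between the provider value and the effective value usually points to another policy source (for example a second MDM enrollment or a local group policy) winning the PolicyManager merge, which is worth checking before opening an Intune ticket.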