How to Enforce Password History Policy using Intune

This article explains how you can enforce password history policy using Intune. Using the Configuration Profile in Intune, you can implement device password history for Windows users to curb password reuse.


According to Microsoft, the enforce password history policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. You can use either Microsoft Intune or GPO to enforce the password history policy for users.


Most organizations configure their password policies in a way that prevents users from reusing their old passwords. The practice of reusing passwords is a significant problem for any organization because many users want to continue using the same password for an extended period of time.


The longer a password is used for an account, the greater the likelihood that an attacker will be able to figure it out through brute-force attacks. If users are required to change their password but are allowed to continue using the same password, the effectiveness of a strong password policy is significantly diminished.


The Settings catalog in Intune lets you configure the device password history setting and specify how many passwords can be stored in the history that can’t be used. The default value is ‘0‘ and the maximum value that you set is 50.

https://angelelite.de/showthread.php?tid=3325

https://forum.bedwantsinfo.nl/thread-53566.html

https://rostovbike.ru/thread-4383.html

https://themastergames.com/mybb/thread-chapter-23-homework-solution

https://forum.goddesszex.dev/showthread.php?tid=3412

https://www.mircalemi.net/showthread.php?tid=811

What does enforcing password history mean?

In simple words, the enforce password history policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused.


Microsoft recommends setting the Enforce password history to 24. This setting will assist in reducing vulnerabilities brought on by password reuse. In addition, to maintain the effectiveness of this policy setting, Microsoft recommends using the Minimum password age setting to prevent users from repeatedly changing their password.


Risk associated with device password history

A hacker has a greater chance of figuring out the password if the user continues to use the same password for an extended period of time. It is possible for the password history feature to have a limit, beyond which you will not be able to use any password that you have previously configured.


Users can use the same small number of passwords repeatedly if they specify a low number for the Enforce password history service. Users can change their password as many times as they need to reuse their initial password if you do not also set a minimum age requirement for setting a password.


DevicePasswordHistory Policy CSP in Intune

The Policy CSP – DeviceLock offers a new setting called DevicePasswordHistory that specifies how many passwords can be stored in the history that can’t be used. It is important to note that the value that you specify includes the user’s current password.

https://shopcms.vsupport.club/topic/2890-%D0%B2%D1%8B%D0%B4%D0%B2%D0%B8%D0%B3%D0%B0%D1%8E%D1%89%D0%B8%D0%B9%D1%81%D1%8F%D0%B2%D1%8B%D0%BF%D0%B0%D0%B4%D0%B0%D1%8E%D1%89%D0%B8%D0%B9-%D0%B1%D0%BB%D0%BE%D0%BA/

https://sportsreptile.site/thread-10656.html

https://www.carpentryforums.com/showthread.php?tid=28285&pid=31438#pid31438

https://pimpforums.xyz/showthread.php?tid=2322

https://amodsus.com/threads/%D0%9A%D1%80%D0%B0%D1%81%D0%B8%D0%B2%D0%B0%D1%8F-%D0%B0%D1%80%D0%BA%D1%82%D0%B8%D0%BA%D0%B0.155/

If you are confused here, let’s understand device password history with an example.


If your DevicePasswordHistory value is set to 1, it means the user can’t reuse their current password when choosing a new password.

If your DevicePasswordHistory value is set to 8, it means that a user can’t set their new password to their current password or any of their previous seven passwords.


If you plan to use the DevicePasswordHistory Policy CSP in Intune to enforce the password history, make use of the below CSP URI.


./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordHistory


Enforce Password History Policy using Intune

Perform the below steps to create a policy to enforce the password history using Intune for Windows users:


Sign in to the Microsoft Intune admin center.

Select Devices > Windows > Configuration Profiles.

Click on Create > New Policy to set up a new policy.

Make the following selections on the Create a Profile pane:

Platform: Windows 10 and later

Profile type: Settings Catalog

https://amodsus.com/threads/gambling-essay-thesis.3690/

https://amodsus.com/threads/homework-solutio.1594/

https://diskutim.com/showthread.php?tid=10915

https://forums.cyclone-hosting.net/showthread.php?tid=643

https://www.elektrofahrrad-tests.de/forums/showthread.php?tid=51579

On the Basics tab, specify the policy name and a brief description of the policy. This will make it easier for other Intune administrators to find this profile.


Name: Enforce Password History Policy

Description: Enforce Password History Policy for Windows Users using Intune


Click Next.


In the Configuration Settings section, under Settings Catalog, click Add Settings. On the Settings picker window, type “device password history” in the search box and click Search. From the search results, select the Device Lock category.


In the bottom pane, select the option “Device Password History,” which lets you configure the password history. Close the Settings Picker window.


Under the Device Lock category, configure the following:


Device Password Enabled: By default, this setting is off. Enable it by moving the slider to the right.

Device Password History: In the below example, we have specified a value of 8. This means that a user can’t set their new password to their current password or any of their previous seven passwords.

Click on Next to continue.

https://equestrianbbs.com/thread-16389.html

https://uniforos.com/viewtopic.php?t=361966

https://uniforos.com/viewtopic.php?t=368028

https://uniforos.com/viewtopic.php?t=351463

https://uniforos.com/viewtopic.php?t=182773

On the scope tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.


In the Assignments tab, specify the Entra ID groups to assign the policy. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.


Finally, on the Review+Create tab, take a look at all the settings you’ve configured for enforcing the password history policy with Intune. Click Create.


After you create the above configuration policy in Intune, the following notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The newly created configuration profile appears in Intune’s list of configuration profiles.


Run Intune Sync on Windows devices

To receive the above policy settings from Intune, the Windows devices must be enrolled in Microsoft Intune, and most importantly, they must be online. Regularly, the devices will synchronize with Intune to obtain the most recent policies.


To speed up the policy assignments, you can force sync Intune policies using different methods on your Windows computers to download the latest policies from Microsoft Intune.


Monitor the Enforce Password History Policy Assignment

While the policy settings are being applied to Windows devices, you can monitor the devices and users that have successfully received the enforce password history policy settings in Intune.


In the Intune admin center, select the policy and review the device and user check-in status. Under “Device and user check-in status,” you get to see the total number of devices and users who successfully received the policy settings.

http://forofjcruiser.com/viewtopic.php?f=1&t=74550

http://forofjcruiser.com/viewtopic.php?f=1&t=84543

http://forofjcruiser.com/viewtopic.php?f=1&t=28977

http://forofjcruiser.com/viewtopic.php?f=1&t=82022

https://tictactech.net/forum/showthread.php?tid=129&pid=265#pid265

To view the device names that have successfully received the policy settings, click on View Report.


In some cases, the Intune policy may fail to apply to certain users or devices. To resolve the issues, we recommend reviewing Intune logs on Windows computers.


Verify DevicePasswordHistory Policy on Windows Devices

In this section, we will demonstrate various methods for determining whether the device password history policy applied through Intune has been successfully applied to our target devices.


You can check to see if Intune has enforced the device password history settings on your Windows devices using one of two methods:


Windows Event Viewer

Windows Registry


Windows Event Viewer

The event viewer IDs 813 and 814 indicate whether Intune has successfully applied the device password history policy settings. The Intune MDM event logs can be viewed on client devices using the Event viewer.


Launch the event viewer on the Windows device by running the shortcut command eventvwr. Next, browse the following path in the event viewer to view Intune MDM event logs:


Once you have navigated to the above path in Event Viewer, you may filter the current log with ‘Event ID 813.’ This will give you quick access to the event logs that you’re looking for. In the screenshot below, the event ID 813 confirms that the Windows device has successfully received the DevicePasswordHistory policy settings from Intune.


Windows Registry

In this method, we will check the Windows Registry to confirm if the device password history policy has been applied through Intune on a Windows device. Most of the changes you make to the Windows operating system are stored in the registry. The device password history settings applied via Intune reflect in the registry, provided the device has successfully received the policy settings.


Launch the registry editor on the Windows device and navigate to the following path:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\1F8A61D5-C483-45C6-A23B-5EC8C599E5F0\default\Device\DeviceLock

On the right-hand side, you’ll find several registry entries for the device lock policy. Among them, look for the registry entry named “DevicePasswordHistory.” The value of this DevicePasswordHistory registry entry is set to 8, which matches what we specified in the device lock policy settings in Intune. This demonstrates that you can use the Windows registry to check whether the device’s password history settings are applied via Intune.

Comments

Post a Comment

Popular posts from this blog

8 Ways to Fix Windows Update Error 0x80070643

 Windows update error 0x80070643 stops you from installing the latest Windows updates. Learn why this error occurs and how can you resolve it with multiple solutions. In this post, I will show you how to fix the Windows Update error 0x80070643 that occurs when you attempt to install the latest updates on Windows 11/10 devices. The error 0x80070643 can be resolved using different methods, which will be covered in this guide. I ran across issue 0x80070643 on my Windows 11 PC when I was downloading the most recent updates. The update was stuck installing for a few minutes and finally resulted in error 0x80070643. https://stock.talktaiwan.org/index.php?topic=478832.0 https://stock.talktaiwan.org/index.php?topic=407059.0 https://stock.talktaiwan.org/index.php?topic=427920.0 http://forum.analysisclub.ru/index.php?topic=128627.0 http://forum.analysisclub.ru/index.php?topic=142620.0 http://forum.infinite-soul.org/viewtopic.php?f=64&t=9756 https://rostovbike.ru/thread-1012.html https://foru
Read more

8 Ways to Fix Windows 11 Upgrade Error 0x800F0830-0x20003

Multiple solutions to resolve 0x800F0830-0x20003 error that occurs during Windows 11 installation or upgrade in the SAFE_OS phase during INSTALL_UPDATES operation. If you are encountering the error 0x800f0830-0x20003 when upgrading to Windows 11, this tutorial covers the solutions to resolve this error. An error 0x800F0830-0x20003 prevents the upgrade process on Windows 10/11. This error occurs during the SAFE_OS phase during the INSTALL_UPDATES operation. If you don’t resolve this error, you’ll never be able to upgrade your Windows to the next version. Installing Windows 11 or upgrading it from Windows 10 is a smooth process, and you can use multiple methods to upgrade to Windows 11. However, you may encounter several errors during the upgrade, either due to hardware being incompatible, incompatible apps, or other reasons. We recommend referring to the Microsoft article on Windows 11 upgrade and installation error codes. https://forum.goddesszex.dev/showthread.php?tid=17913 https://fo
Read more

Enable/Disable End Task in Taskbar on Windows 11

You can now close all your apps from the taskbar on Windows 11 without having to use Task Manager. Learn how to enable or disable End Task in the taskbar on Windows 11 using multiple methods. The End Task in Taskbar feature on Windows 11 allows you to quickly terminate apps directly from the taskbar without having to use Task Manager. In this article, I will demonstrate multiple methods to enable or disable the taskbar end task option on Windows 11. Starting with Windows 11 version 23H2, you can enable and use the End Task option to terminate unresponsive applications directly from the Taskbar. You don’t need to open the task manager on Windows 11 to end the processes any more. Unfortunately, not many users are aware of this extremely helpful feature because it is hidden under the “For Developers” section. There are situations when you have no choice but to use Task Manager to forcefully end your unresponsive apps. In some cases, I noticed that even my task manager was frozen and faile
Read more