This article explains how you can enforce password history policy using Intune. Using the Configuration Profile in Intune, you can implement device password history for Windows users to curb password reuse.
According to Microsoft, the enforce password history policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. You can use either Microsoft Intune or GPO to enforce the password history policy for users.
Most organizations configure their password policies in a way that prevents users from reusing their old passwords. The practice of reusing passwords is a significant problem for any organization because many users want to continue using the same password for an extended period of time.
The longer a password is used for an account, the greater the likelihood that an attacker will be able to figure it out through brute-force attacks. If users are required to change their password but are allowed to continue using the same password, the effectiveness of a strong password policy is significantly diminished.
The Settings catalog in Intune lets you configure the device password history setting and specify how many passwords are stored in the history and therefore can’t be reused. The default value is 0 and the maximum value you can set is 50.
What does enforcing password history mean?
In simple words, the enforce password history policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused.
Microsoft recommends setting the Enforce password history to 24. This setting will assist in reducing vulnerabilities brought on by password reuse. In addition, to maintain the effectiveness of this policy setting, Microsoft recommends using the Minimum password age setting to prevent users from repeatedly changing their password.
Risk associated with device password history
An attacker has a greater chance of figuring out a password if the user keeps the same one for an extended period of time. The password history setting puts a limit on reuse: any password that still falls within the stored history cannot be set again.
If you specify a low number for the Enforce password history setting, users can cycle through the same small set of passwords repeatedly. And if you do not also set a minimum password age, users can change their password as many times in a row as needed to get back to their original password.
DevicePasswordHistory Policy CSP in Intune
The Policy CSP – DeviceLock offers a new setting called DevicePasswordHistory that specifies how many passwords can be stored in the history that can’t be used. It is important to note that the value that you specify includes the user’s current password.
If this is confusing, the following examples make the device password history value concrete.
- If your DevicePasswordHistory value is set to 1, it means the user can’t reuse their current password when choosing a new password.
- If your DevicePasswordHistory value is set to 8, it means that a user can’t set their new password to their current password or any of their previous seven passwords.
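To make the two examples above easier to reason about, here is a small PowerShell model of how the DevicePasswordHistory value is interpreted (the value counts the current password, as the article states). This is an added example, not code from the article or from Microsoft; the function names and the sample password list are constructed for illustration.

```powershell
# Added example (not from the original article): models how the DeviceLock/DevicePasswordHistory
# value is interpreted. The semantics (the value includes the current password) are from the
# article; the function names and the sample password list are constructed.

function Get-BlockedPasswordWindow {
    param(
        # Passwords the account has used, most recent first; index 0 is the current one.
        [Parameter(Mandatory)][string[]]$History,
        # DevicePasswordHistory value (0..50). 0 disables the check.
        [Parameter(Mandatory)][ValidateRange(0, 50)][int]$DevicePasswordHistory
    )
    if ($DevicePasswordHistory -eq 0) { return @() }
    # The window is the current password plus the (N-1) passwords that preceded it.
    $count = [Math]::Min($DevicePasswordHistory, $History.Count)
    if ($count -eq 0) { return @() }
    return $History[0..($count - 1)]
}

function Test-PasswordChangeAllowed {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [Parameter(Mandatory)][string[]]$History,
        [Parameter(Mandatory)][int]$DevicePasswordHistory
    )
    $blocked = Get-BlockedPasswordWindow -History $History -DevicePasswordHistory $DevicePasswordHistory
    # Case-sensitive comparison: the real check compares verifiers of the exact string.
    return -not ($blocked -ccontains $Candidate)
}

# Constructed sample history (most recent first). Windows stores verifiers, not plaintext;
# plaintext is used here only so the window is visible.
$history = @('Pw-08','Pw-07','Pw-06','Pw-05','Pw-04','Pw-03','Pw-02','Pw-01','Pw-00')

foreach ($n in 0, 1, 8) {
    $window = Get-BlockedPasswordWindow -History $history -DevicePasswordHistory $n
    "DevicePasswordHistory=$n blocks: " + $(if ($window) { $window -join ', ' } else { '(nothing)' })
    # Pw-08 is the current password; Pw-01 is the 8th most recent; Pw-00 is the 9th.
    foreach ($candidate in 'Pw-08','Pw-01','Pw-00') {
        $ok = Test-PasswordChangeAllowed -Candidate $candidate -History $history -DevicePasswordHistory $n
        "  reuse of '$candidate' allowed: $ok"
    }
}
```

With a value of 1 only Pw-08 (the current password) is blocked; with a value of 8 the window covers Pw-08 through Pw-01 and the ninth most recent password, Pw-00, is allowed again. That last case is why the article pairs this setting with Minimum password age: without it, eight consecutive changes bring the user straight back to a previously used password.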
If you plan to use the DevicePasswordHistory Policy CSP in Intune to enforce the password history, make use of the below CSP URI.
Enforce Password History Policy using Intune
Perform the below steps to create a policy to enforce the password history using Intune for Windows users:
- Sign in to the Microsoft Intune admin center.
- Select Devices > Windows > Configuration Profiles.
- Click on Create > New Policy to set up a new policy.
- Make the following selections on the Create a Profile pane:
- Platform: Windows 10 and later
- Profile type: Settings Catalog
On the Basics tab, specify the policy name and a brief description of the policy. This will make it easier for other Intune administrators to find this profile.
- Name: Enforce Password History Policy
- Description: Enforce Password History Policy for Windows Users using Intune
In the Configuration Settings section, under Settings Catalog, click Add Settings. On the Settings picker window, type “device password history” in the search box and click Search. From the search results, select the Device Lock category.
In the bottom pane, select the option “Device Password History,” which lets you configure the password history. Close the Settings Picker window.
Under the Device Lock category, configure the following:
- Device Password Enabled: By default, this setting is off. Enable it by moving the slider to the right.
- Device Password History: In the below example, we have specified a value of 8. This means that a user can’t set their new password to their current password or any of their previous seven passwords.
Click on Next to continue.
On the scope tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.
In the Assignments tab, specify the Entra ID groups to assign the policy. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.
Finally, on the Review+Create tab, take a look at all the settings you’ve configured for enforcing the password history policy with Intune. Click Create.
After you create the above configuration policy in Intune, the following notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The newly created configuration profile appears in Intune’s list of configuration profiles.
Run Intune Sync on Windows devices
To receive the above policy settings from Intune, the Windows devices must be enrolled in Microsoft Intune, and most importantly, they must be online. The devices synchronize with Intune at regular intervals to obtain the most recent policies.
To speed up the policy assignments, you can force sync Intune policies using different methods on your Windows computers to download the latest policies from Microsoft Intune.
Monitor the Enforce Password History Policy Assignment
While the policy settings are being applied to Windows devices, you can monitor the devices and users that have successfully received the enforce password history policy settings in Intune.
In the Intune admin center, select the policy and review the device and user check-in status. Under “Device and user check-in status,” you can see the total number of devices and users that successfully received the policy settings.
To view the device names that have successfully received the policy settings, click on View Report.
In some cases, the Intune policy may fail to apply to certain users or devices. To resolve the issues, we recommend reviewing Intune logs on Windows computers.
Verify DevicePasswordHistory Policy on Windows Devices
In this section, we demonstrate several methods for determining whether the device password history policy deployed through Intune has actually been applied to the target devices.
You can check to see if Intune has enforced the device password history settings on your Windows devices using one of two methods:
- Windows Event Viewer
- Windows Registry
Windows Event Viewer
Event IDs 813 and 814 in Event Viewer indicate whether Intune has successfully applied the device password history policy settings. The Intune MDM event logs can be viewed on client devices using Event Viewer.
Launch Event Viewer on the Windows device by running eventvwr. Then browse to the following path to view the Intune MDM event logs:
Applications and Services Logs: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Once you have navigated to the above path in Event Viewer, you may filter the current log with ‘Event ID 813.’ This will give you quick access to the event logs that you’re looking for. In the screenshot below, event ID 813 confirms that the Windows device has successfully received the DevicePasswordHistory policy settings from Intune; the Int: (0x8) field in the message is the configured value 8 in hexadecimal.
MDM PolicyManager: Set policy int, Policy: (DevicePasswordHistory), Area: (DeviceLock), EnrollmentID requesting merge: (1F8A61D5-C483-45C6-A23B-5EC8C599E5F0), Current User: (Device), Int: (0x8), Enrollment Type: (0x6), Scope: (0x0).
Windows Registry
In this method, we check the Windows Registry to confirm whether the device password history policy has been applied through Intune on a Windows device. Most of the changes you make to the Windows operating system are stored in the registry. The device password history settings applied via Intune are reflected in the registry, provided the device has successfully received the policy settings.
Launch the registry editor on the Windows device and navigate to the following path:
On the right-hand side, you’ll find several registry entries for the device lock policy. Among them, look for the registry entry named “DevicePasswordHistory.” The value of this DevicePasswordHistory registry entry is set to 8, which matches what we specified in the device lock policy settings in Intune. This confirms that you can use the Windows registry to check whether the device’s password history settings were applied via Intune.
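The two manual checks above (Event Viewer and the registry) can be combined into one script that you run on an enrolled device after a sync. This is an added example, not code from the article or from Microsoft. Two things in it are assumptions rather than quoted from the article: the PolicyManager registry path, which is the standard location where DeviceLock policy values land, and the `net accounts` cross-check, which only shows the same number if DeviceLock maps into the local account policy on that device.

```powershell
# Added example (not from the original article): checks a Windows device for the
# DevicePasswordHistory value delivered by Intune and for the MDM PolicyManager events
# (IDs 813/814, the ones the article names) that recorded it.
# Run in an elevated PowerShell session on the enrolled device.
# Assumptions (not quoted from the article): the registry path below is the standard
# PolicyManager location for DeviceLock values; 'net accounts' is an extra cross-check.

function Get-IntuneDevicePasswordHistoryStatus {
    param(
        # Value configured in the Intune profile (8 in the article's walkthrough).
        [int]$ExpectedValue = 8
    )
    $regPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'   # assumed path
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

    # 1. Registry: the applied integer value, or $null if the policy never arrived.
    $regValue = $null
    if (Test-Path $regPath) {
        $regValue = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).DevicePasswordHistory
    }

    # 2. Event log: PolicyManager "Set policy" events that mention this policy, newest first.
    $events = @()
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 813, 814 } -ErrorAction Stop |
            Where-Object { $_.Message -match 'DevicePasswordHistory' } |
            Select-Object -First 5 TimeCreated, Id, Message
    } catch {
        # Get-WinEvent throws when the filter matches nothing; treat that as "no event yet".
    }

    # 3. Cross-check: the local account policy line that reports password history length.
    $netAccounts = (net accounts 2>$null) | Select-String -Pattern 'password history' -SimpleMatch

    [pscustomobject]@{
        RegistryValue      = $regValue
        MatchesExpected    = ($null -ne $regValue -and [int]$regValue -eq $ExpectedValue)
        LatestPolicyEvent  = ($events | Select-Object -First 1)
        EventCount         = @($events).Count
        LocalAccountPolicy = ($netAccounts | ForEach-Object { $_.Line.Trim() })
    }
}

$status = Get-IntuneDevicePasswordHistoryStatus -ExpectedValue 8
$status | Format-List
if (-not $status.MatchesExpected) {
    Write-Warning 'DevicePasswordHistory is missing or differs from the expected value. Force an Intune sync and re-check.'
}
```

A device that has received the profile reports RegistryValue 8, MatchesExpected True and at least one 813 event whose message contains DevicePasswordHistory; a device that shows a $null registry value and no events has simply not synced the policy yet, which is the case the warning at the end is meant to flag.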