This article will explain how to Disable Device Password Sync with Microsoft Intune. We will use the Configuration Profile to configure it.
Preventing device password sync is a policy setting that stops the synchronization of passwords between a Windows device and the user’s Microsoft account. Once password sync is blocked through this setting, the “passwords” group is no longer synced. This setting is important for organizations that want to strengthen security and ensure that sensitive password information is not stored or transmitted outside their managed environment.
“Sync your settings” is a Windows feature that allows users to synchronize certain settings and preferences across multiple devices linked to the same Microsoft account, such as themes, language preferences, browser settings, and more. The “Do not sync passwords” policy controls one group within that feature.
To improve security and privacy, Windows can exclude password synchronization while still allowing the other settings groups to sync. Users can therefore synchronize most of their settings across devices without exposing their saved passwords.
Disabling device password sync is a proactive measure to enhance security, ensure compliance, and control sensitive information in a corporate environment. It reduces the risk of unauthorized access, data breaches, and other security threats while simplifying management and incident response efforts.
Importance of Disabling Device Password Sync
Disabling device password sync in a corporate environment is a strategic decision that enhances security, ensures compliance, and maintains control over sensitive information. Here are the key reasons for disabling device password sync.
| Category | Details |
|---|---|
| Enhanced Security | Prevent Unauthorized Access: By disabling password sync, you prevent passwords from being stored in or transmitted to less secure personal devices or cloud services, reducing the risk of unauthorized access. Mitigate Data Breaches: Syncing passwords increases the risk of data breaches. Disabling this feature ensures that passwords remain within the confines of secure, managed devices. |
| Regulatory Compliance | Data Protection Regulations: Many industries are subject to strict data protection regulations (e.g., GDPR, HIPAA). Disabling password sync helps organizations comply with these regulations by ensuring that sensitive credentials are not inadvertently shared or stored inappropriately. Auditing and Monitoring: Compliance often requires detailed auditing and monitoring of data access and transfer. Disabling password sync simplifies compliance by reducing the number of places where sensitive data is stored and accessed. |
| Control and Management | Centralized Management: By preventing password sync, IT departments can ensure that password management is centralized and controlled within the corporate environment. This allows for consistent application of security policies and easier monitoring. Policy Enforcement: Disabling password sync helps enforce organizational policies regarding password management and data security, ensuring that users cannot circumvent these policies by syncing their passwords to personal accounts or devices. |
| Risk Mitigation | Limit Exposure: Syncing passwords to multiple devices increases the exposure and potential attack surface. Disabling password sync minimizes this exposure, limiting the potential impact of a compromised device. Reduce Phishing Risks: With passwords not synced to various devices, the risk of phishing attacks targeting synced credentials is reduced, as passwords are only entered and stored on secure, managed devices. |
| User Behavior Control | Prevent Weak Password Practices: Users might employ weaker passwords if they know they can sync them across devices for convenience. Disabling sync encourages stronger password practices by requiring users to manage passwords independently on each device. Discourage Personal Device Usage: Disabling password sync discourages users from using personal devices for work purposes, thereby maintaining a clear boundary between personal and professional use and reducing the risk of data leakage. |
| Incident Response | Simplified Incident Response: In the event of a security incident, having passwords confined to managed devices simplifies the incident response process. IT teams can focus on securing and investigating a smaller, more controlled environment. Quicker Remediation: If a password needs to be reset or an account needs to be secured, IT teams can act more quickly and effectively if passwords are not distributed across multiple devices and platforms. |
Create Configuration Profile to Disable Device Password Sync with Intune
Follow the steps below to create a configuration policy to Disable Device Password Sync with Microsoft Intune. Log in to the Microsoft Intune Admin Center using your administrator credentials.
- Navigate to Devices > Windows > Configuration Profiles
- Click on +Create > +New Policy
In the next step, we can create a new Configuration Profile starting from scratch. For that, give the below options as mentioned.
- Platform: Windows 10 and later
- Profile type: Settings catalog
On the Basics details page, we can name the Configuration profile “Disable Device Password Sync.” If needed, provide a brief policy description and click Next.
We can now add the required settings to the Configuration Settings pane. To do so, click on +Add settings in the bottom left corner of the page.
Note! Microsoft has discovered that Intune admins may experience performance degradation when more than 400 settings are added to a single policy. While we continue to make improvements, please take this into consideration when designing your policies.
Search for “Sync your settings” as a keyword. This will help you find the correct policy for the current need. You can now see “Administrative Templates\Windows Components\Sync your settings” under Browse by category. Click on that and pick the settings below.
- Do not sync passwords
- Allow users to turn “passwords” syncing on. (Device)
Note! Prevent the “passwords” group from syncing to and from this PC. This turns off and disables the “passwords” group on the “sync your settings” page in PC settings. If you enable this policy setting, the “passwords” group will not be synced. Use the option “Allow users to turn passwords syncing on” so that syncing is turned off by default but not disabled. If you do not configure or disable this setting, syncing of the “passwords” group is on by default and configurable by the user.
Close the Settings picker window, toggle the “Do not sync passwords” option to Enabled, and leave “Allow users to turn “passwords” syncing on. (Device)” at its default (False). Click on Next.
On the next page, leave the Scope tags at the default. If you have custom scope tags available, you can also select them for this deployment.
Click on Next and assign the configured policy to HTMD – Test Computers. In the Included Groups option, click on Add Groups and select the required device group.
On the Review + Create page, carefully review all the settings you’ve defined for the Disable Device Password Sync policy. Select Create to implement the changes once you’ve confirmed everything is correct.
Monitor the Disable Device Password Sync Policy in Intune
This particular policy has been deployed to the Microsoft Entra ID group (HTMD – Test Computers). The policy will take effect as soon as the device syncs with Intune. To monitor the policy deployment status from the Intune Portal, follow the steps below.
- Navigate to Devices > Windows > Configuration Profiles > Search for the “Disable Device Password Sync” policy.
- Under the Device and user check-in status, you can see the deployment status for the policy.
End User Experience – Disable Device Password Sync Policy
Now, we have to check whether the Disable Device Password Sync policy is working as expected. Log on to one of the policy-targeted devices. This time we can check the policy status via the Intune event logs. Open Event Viewer on the device.
- Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
Here are the latest logs for the Disable Device Password Sync policy. You can also filter the logs with “DisableCredentialsSettingSync” as a keyword, making them easy to find. We can also analyse the step-by-step logs in detail for more information about the targeted policy.
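The same verification can be scripted so it scales past one device and one screenshot. The PowerShell below is an added example, not part of the original article or of Microsoft's tooling. It checks two things on a targeted device: the registry values the ADMX-backed policy writes, and the Intune diagnostics event log filtered on the “DisableCredentialsSettingSync” keyword used above. The registry path, value names and the meaning of the values (2 = policy Enabled, 1 = user override allowed) are assumptions about how the “Do not sync passwords” ADMX policy is persisted and are not stated on the page; the event log name is the full name of the log opened in Event Viewer above. Run it in an elevated PowerShell session on the device.

```powershell
# Added example (not from the original article): verify that the Intune-delivered
# "Do not sync passwords" policy has landed on this device, using two independent checks.
# ASSUMPTION (not stated on the page): the ADMX policy persists its values under
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync
#   DisableCredentialsSettingSync             2 = Enabled, 0 = Disabled, absent = Not configured
#   DisableCredentialsSettingSyncUserOverride 1 = users may turn password syncing back on
# Run elevated on the targeted device.

function Test-PasswordSyncPolicy {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
    $result = [ordered]@{
        PolicyKeyPresent     = Test-Path -Path $policyKey
        PasswordSyncDisabled = $false
        UserOverrideAllowed  = $null   # stays $null when the sub-option was never written
    }

    if ($result.PolicyKeyPresent) {
        $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        $result.PasswordSyncDisabled = ($props.DisableCredentialsSettingSync -eq 2)
        if ($null -ne $props.DisableCredentialsSettingSyncUserOverride) {
            $result.UserOverrideAllowed = ($props.DisableCredentialsSettingSyncUserOverride -eq 1)
        }
    }
    [pscustomobject]$result
}

function Get-PasswordSyncPolicyEvents {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,       # how far back to look
        [int]$MaxMatches = 50   # cap on matching events returned (newest first)
    )
    # Full name of the log the article opens in Event Viewer.
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

    # Get-WinEvent raises a non-terminating error when nothing matches; that is
    # silenced so an empty result simply means "no policy activity in the window".
    Get-WinEvent -FilterHashtable @{
        LogName   = $logName
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DisableCredentialsSettingSync' } |
        Select-Object -First $MaxMatches TimeCreated, Id, LevelDisplayName, Message
}

$status = Test-PasswordSyncPolicy
$status | Format-List

if (-not $status.PasswordSyncDisabled) {
    Write-Warning 'Policy value not found or not Enabled. Sync the device with Intune and re-run this check.'
}

# Events are filtered after retrieval (not via -MaxEvents) so the keyword match
# is applied to every event in the window rather than only to the newest N.
Get-PasswordSyncPolicyEvents -Hours 48 | Format-Table -AutoSize -Wrap
```

Two independent sources matter here: the event log proves Intune delivered the setting, while the registry value proves the device actually enforces it. A device that shows delivery events but no registry value (or the value 0) is the case to investigate, typically a conflicting policy or a pending sync.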
The screenshot below shows that the policy is successfully applied to the system!
I appreciate you taking the time to read my article. I’m excited to see you in the upcoming post. Continue to support the HTMD Community.
Author
Vaishnav K has over 10+ years of experience in SCCM, Device Management, and Automation Solutions. He writes and imparts his knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out his profile on LinkedIn.