Best Way to Enforce Password History Policy using Intune

This article aims to guide you through the implementation of the Enforce Password History Policy using Intune. We will utilize Intune’s Configuration Profiles to apply this policy, emphasizing a hands-on approach to enhance your understanding of the Enforce Password History Policy through practical experience.

Enforce Password History Policy configuration dictates the quantity of newly generated, distinct passwords linked to a user account before the reuse of a previous password is permitted. The acceptable range for this policy spans from 0 to 24 passwords.

While the default value for Windows Vista is 0 passwords, the domain default is set to 24 passwords. To uphold the efficacy of this policy, it is advisable to employ the Minimum password age setting, thereby deterring users from frequently altering their passwords.

As the duration of a user retaining the same password increases, so does the vulnerability to potentially brute force attacks by attackers attempting to decipher the password. Additionally, any compromised accounts will continue to be susceptible as long as the password remains unchanged.

Patch My PC

If mandatory password changes are enforced without preventing password reuse, or if users persistently recycle a limited set of passwords, the effectiveness of a robust password policy is significantly diminished.

Enforce Password History Policy Using Intune Fig.1
Enforce Password History Policy Using Intune Fig.1

Windows CSP Details DevicePasswordHistory

We will see Windows CSP Details for this Policy setting DevicePasswordHistory. The primary consequence of this configuration is that users need to generate a new password each time they are prompted to change their existing one. When users are mandated to switch to new, unique passwords, the likelihood of them noting down their passwords to avoid forgetting them increases.

There is also a risk that users may craft passwords with incremental changes (e.g., password01, password02, etc.) for ease of memorization, inadvertently making them more susceptible to guessing. Moreover, setting an excessively low value for the Minimum password age could lead to heightened administrative burdens, as users who forget their passwords may frequently seek help desk assistance for resets.

CSP URI – ./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordHistory

Adaptiva
Enforce Password History Policy Using Intune Fig.2
Enforce Password History Policy Using Intune Fig.2

Enforce the Password History Policy using Intune

Enforce the Password History Policy Using Intune, follow the steps stated below:

  • Sign in to the Intune Admin Center portal https://intune.microsoft.com/.
  • Select Devices > Windows > Configuration profiles > Create a profile.

In Create Profile, I select Windows 10 and later in Platform, and select Profile Type as Settings catalog. Click on the Create button.

PlatformProfile Type
Windows 10 and laterSettings Catalog
Table 1 – Enforce Password History Policy Using Intune
Enforce Password History Policy Using Intune Fig.3
Enforce Password History Policy Using Intune Fig.3

On the Basics tab pane, I provide a name for the policy as “Enforce Password History Policy.” Optionally, if you want, you can enter a policy description and proceed by selecting “Next“.

Enforce Password History Policy Using Intune Fig.4
Enforce Password History Policy Using Intune Fig.4

Now in Configuration Settings, click Add Settings to browse or search the catalog for the settings I want to configure.

Enforce Password History Policy Using Intune Fig.5
Enforce Password History Policy Using Intune Fig.5

In the Settings Picker windows, I searched for the keyword Password History, I found the category Device Lock and selected this.

When I select that option as stated above, I see the sub-category Device Password History. After selecting that, click the cross mark at the right-hand corner, as shown below.

Enforce Password History Policy Using Intune Fig.6
Enforce Password History Policy Using Intune Fig.6

Here I enable the Device Password Enabled option. After enabling this, another option of Device Password History pops up. Here I enter the value 5. It means one can only repeat their password after using 5 different passwords.

Enforce Password History Policy Using Intune Fig.7
Enforce Password History Policy Using Intune Fig.7

Using Scope tags, you can assign a tag to filter the profile to specific IT groups. One can add scope tags (if required) and click Next to continue. Now in Assignments, in Included Groups, you need to click on Add Groups, choose Select Groups to include one or more groups, and click Next to continue.

Enforce Password History Policy Using Intune Fig.8
Enforce Password History Policy Using Intune Fig.8

In the Review + Create tab, I review settings. After clicking on Create, changes are saved, and the profile is assigned.

Enforce Password History Policy Using Intune Fig.9
Enforce Password History Policy Using Intune Fig.9

After successfully creating the “Enforce Password History Policy,” a notification will appear in the top right-hand corner confirming the action. You can also verify the policy’s existence by navigating to the Configuration Profiles list, where it will be prominently displayed.

Your groups will receive your profile settings when the devices check in with the Intune service. The Policy applies to the device.

Intune Report for Enforce Password History Policy

From the Intune Portal, you can view the Intune settings catalog profile report, which provides an overview of device configuration policies and deployment status.

To track the assignment of the policy, you need to select the relevant policy from the Configuration Profiles list. Then, you can review the device and user check-in status to determine whether the policy has been successfully applied. If you require more detailed information, you can click on “View Report” to access additional insights.

Enforce Password History Policy Using Intune Fig.10
Enforce Password History Policy Using Intune Fig.10

Intune MDM Event Log

To verify the successful implementation of String or integer policies on Windows 10 or 11 devices through Intune, you can leverage event IDs 813 and 814. These event IDs provide valuable insights into the application status of the policy as well as the specific value assigned to the policy on those devices. In the case of this particular policy, the value is an Integer and is linked to the event ID 813.

By analyzing these event IDs, you can gain a clear understanding of the policy’s application status and the corresponding value associated with it on the devices in question.

To confirm this, you can check the Event log path – Applications and Services Logs – Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.

MDM PolicyManager: Set policy string, Policy: (DevicePasswordHistory), Area: (DeviceLock), EnrollmentID requesting merge: (5B88AEF1-09E8-43BB-B144-7254ACBBDF3E), Current User: (Device), Int: (0x5), Enrollment Type: (0x6), Scope: (0x0).

Enforce Password History Policy Using Intune Fig.11
Enforce Password History Policy Using Intune Fig.11

When I opened the above Event log, I found that the policy I have applied to the device has been successfully implemented. By reviewing the log entry shown in the above image, the Event Viewer, I came across essential information, including the Area and Enrollment ID. These details play a significant role in identifying the corresponding registry path. To locate the specific information, please consult the table provided below:

AreaPolicyIntegerScopedEvent ID
DeviceLockDevicePasswordHistory5Device813
Table 2 – Enforce Password History Policy Using Intune

The details presented in the table above for the Enforce Password History Policy Using Intune can be employed to access the registry settings that hold the group policy configurations on a specific computer. To accomplish this, you can execute “REGEDIT.exe” on the target computer and navigate to the precise registry path where these settings are stored.

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\5B88AEF1-09E8-43BB-B144-7254ACBBDF3E\default\Device\DeviceLock

When you navigate the above path in the Registry Editor, you will find the registry key named DevicePasswordHistory. Also, when I navigated to the above path, I saw that the Registry Key was created successfully.

Registry NameValue
DevicePasswordHistoryEnabled
Table 3 – Enforce Password History Policy Using Intune
Enforce Password History Policy Using Intune Fig.12
Enforce Password History Policy Using Intune Fig.12

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click hereHTMD WhatsApp.

Author

Abhinav Rana is working as an SCCM Admin. He loves to help the community by sharing his knowledge. He is a B.Tech graduate in Information Technology.

1 thought on “Best Way to Enforce Password History Policy using Intune”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.