In this blog post, we will explore the process of Enforcing the Password History Policy for users via the Intune admin center. The Enforce Password History policy dictates the minimum number of unique new passwords required to be associated with a user account before an old password can be reused.
Allowing users to reuse the same passwords over an extended period can pose security risks, making it easier for attackers to guess the password. A lower setting for Enforcing Password History means that the system remembers fewer passwords, allowing users to reuse old passwords multiple times.
Hence, maintaining a higher value for this setting ensures that users do not repeatedly use the same passwords. In Intune, the Settings Catalog includes a parameter known as ‘Device Password History,’ which can be configured with a value of up to 50, although the maximum supported value is 24. Opting for this maximum supported value enhances security by minimizing the risk of password reuse.
Selecting a value greater than 24 will result in an error message. In the Intune admin center, you will find an error code 65000.
Table of Contents
DevicePasswordHistory Policy CSP
The DeviceLock CSP includes a setting called DevicePasswordHistory, which allows you to specify the number of passwords that can be retained in the history and cannot be reused.
For example, a value of 1 indicates that the user cannot use their current password when setting up a new password, while a value of 10 means the user cannot set their password to the current one or any of their previous 9 passwords.
DevicePasswordHistory Policy CSP URI
./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordHistory
Create a Policy to Enforce Password History Using Intune
To create a policy for Enforcing Password History using the Intune admin center, follow below steps:
- Sign in to the Intune admin center
- Click on Devices > Configuration profiles
- Click on Create > New Policy
- Platform: Windows 10 and later
- Profile type: Settings Catalog
Basics Tab
Provide a Name and Description of the profile. For Example:
- Name: Enforce Password History Policy
- Description: This Policy will Enable/Enforce Password History Policy for the Targeted Users
Configuration settings
- Click on + Add settings and then search for “Password history” in the settings picker. Select “Device Lock” category. Then select “Device Password History“.
- Use the toggle switch to enable the ‘Device Password Enabled‘ setting and set the ‘Device Password History‘ to your desired number. For example, if you set the ‘Device Password History‘ to 10, it means that 10 passwords will be remembered, and the user cannot use any of the last 10 passwords when changing the password.
Scope tags
Click on Next.
Assignments
Assign this profile to an Entra Security group containing Windows 10/Windows 11 devices or users. Click on Next to proceed.
Review + create
Review the Summary of device configuration profile settings and click on Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
Monitoring Enforce Password History Policy Status
To monitor the deployment progress of a Device configuration profile, follow below steps:
- Sign in to the Microsoft Intune admin center.
- Click on “Devices” and then select “Configuration profiles“.
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on “View report” to access detailed status report.
Verify DevicePasswordHistory Policy on Target Device
To confirm the successful application of this policy, you can check the logs on the target device. There are two ways to do this: you can review the Event Viewer logs, or you can use the Windows Registry Editor. Let’s explore both these methods:
1. Check Event Viewer Logs
To confirm the successful application of the policy on the target Windows devices, check the Event Viewer logs. Follow these steps to locate the relevant logs in Event Viewer:
- Press the Windows key + R to open the Run dialog box.
- Type
eventvwrand Enter to open the Event viewer console. - Go to Application and Services logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin folder.
- Search for Event ID 813 or 814 and go through the logs to find the one related to the deployment.
2. Check Registry Editor
You can also verify the DevicePasswordHistory registry entry, which is created after deploying this profile via Intune. To confirm, follow these steps:
- Press the Windows key + R to open the Run dialog box.
- Type
regeditand Enter to open the Registry Editor. - Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\<GUID>\default\Device\DeviceLock.
- On the right-hand side, locate a registry entry called DevicePasswordHistory. The value of this entry has been configured to 10 via Intune, and you should see this value correctly reflected in the registry.
To locate the DevicePasswordHistory registry entry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\ in the Registry Editor. Right-click on the providers folder and search for the keyword ‘DevicePasswordHistory‘”.
Tip
Troubleshooting
After configuring and deploying the policy using Intune, it may not be successfully applied. You might encounter Error Code 65000 in the Intune admin center, and upon checking the Event Viewer on the target device, you may observe Event ID 809.
Since the error indicates that the parameter is incorrect, it suggests that the value configured for DevicePasswordHistory is not supported. Try using a different value between 1 and 24 and check again.
MDM PolicyManager: Set policy int, Policy: (DevicePasswordHistory), Area: (DeviceLock), EnrollmentID requesting set: (44032151-C086-4BA8-B340-941A865DE65E), Current User: (Device), Int: (0x32), Enrollment Type: (0x6), Scope: (0x0), Result:(0x80070057) The parameter is incorrect..
