Authentication (Desktop)

An Authentication configuration enables you to set minimum requirements for password-based user authentication on a device. Do this when you perform the following actions:

Complexity Requirements

Minimum Password Length: Select the minimum number of characters a password must have.
Set Password Complexity: Enable to set complex passwords for local and Microsoft accounts.

Select a password complexity criterion:

  • Digits Only: The profile supports any password that has a minimum of one digit.
  • Digits and Lowercase Letters: The profile supports any password that has a minimum of one digit and one lowercase letter.
  • Digits Lowercase and Uppercase Letters: The profile supports any password that has a minimum of one digit, one lowercase letter, and one uppercase letter.
    Note: A special character is an uppercase value.

Local accounts support passwords containing Digits Only, Digits and Lowercase Letters, and Digits Lowercase and Uppercase Letters. However, local accounts enforce passwords with Digits Lowercase and Uppercase Letters: irrespective of which of the 3 profile options is selected, the device exhibits the behavior of the Digits Lowercase and Uppercase Letters profile. See Policy CSP - Device Lock for more information.

Microsoft accounts support passwords containing Digits Only and Digits and Lowercase Letters. Password profiles that are Digits Lowercase and Uppercase Letters are only supported when a user adds a Microsoft account to an existing local account.
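
The profile rules above, expressed as an added Python example (not code from the product or from Microsoft): it computes which profile a device actually enforces for a local or Microsoft account and lists the requirements a candidate password misses. The names `Profile`, `effective_profile` and `unmet_requirements`, the `added_to_local` flag, and the reading that any non-alphanumeric character satisfies the uppercase requirement are assumptions made for illustration.

```python
# Added example: models the complexity rules described on this page.
from enum import IntEnum


class Profile(IntEnum):
    DIGITS_ONLY = 1
    DIGITS_LOWER = 2
    DIGITS_LOWER_UPPER = 3


def effective_profile(profile, account, added_to_local=False):
    """Return the profile the device actually enforces for this account type."""
    if account == "local":
        # Local accounts behave as the strictest profile whatever is selected.
        return Profile.DIGITS_LOWER_UPPER
    if account == "microsoft":
        # The strictest profile only applies to a Microsoft account that was
        # added to an existing local account (hypothetical flag added_to_local).
        if profile == Profile.DIGITS_LOWER_UPPER and not added_to_local:
            raise ValueError("profile not supported for a standalone Microsoft account")
        return Profile(profile)
    raise ValueError(f"unknown account type: {account!r}")


def unmet_requirements(password, min_length, profile, account, added_to_local=False):
    """List the requirements the candidate fails (empty list means compliant)."""
    enforced = effective_profile(profile, account, added_to_local)
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if enforced >= Profile.DIGITS_LOWER and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    # Assumption: "a special character is an uppercase value" is read as any
    # non-alphanumeric character satisfying the uppercase requirement.
    if enforced >= Profile.DIGITS_LOWER_UPPER and not any(
        c.isupper() or not c.isalnum() for c in password
    ):
        problems.append("no uppercase letter or special character")
    return problems


if __name__ == "__main__":
    # Constructed sample: a digits-only password under the Digits Only profile.
    for account in ("microsoft", "local"):
        print(account, unmet_requirements("12345678", 8, Profile.DIGITS_ONLY, account))
```

Running the same candidate against both account types shows why a password accepted for a Microsoft account under Digits Only can still be rejected for a local account on the same device.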

To successfully assign the password complexity payload, restart the device after the successful installation of the profile. The installation status is under the Configurations tab in the device detail pop-up. Upon restart, users need to enter the existing password, and then enter a new password that complies with the assigned password complexity profile.
Note: Password complexity is supported on Windows 10 Version 1803 and later.

History

Password Expiry: Select this option to enable password expiry.
Expire Password in: Enter the number of days before a password expires.
Unique Password Before Reuse: Select this option to set the number of unique passwords before reusing an old password.
Number of Unique Passwords Before Reuse: Enter the number of unique passwords before reusing an old password.

Enforcement

On the Enforcement tab you set conditions for locking or wiping the device.

Inactivity Before Screen Lock: The number of minutes of inactivity on the device before the screen becomes locked, forcing the user to re-enter their password to gain access.

A value of zero indicates that there is no limit.

Failed Password Attempts: The limit of failed attempts to unlock the device before it automatically resets and enables BitLocker recovery mode, which makes the data inaccessible but recoverable. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
Note: You must enable BitLocker on the device to enforce this setting.