Policy CSP - DeviceLock
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>
. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
Important
The DeviceLock CSP utilizes the Exchange ActiveSync Policy Engine. When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see Password length and complexity supported by account types.
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy
Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account can't be used until it's reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0 Account lockout duration - This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowAdministratorLockout
Allow Administrator account lockout This security setting determines whether the builtin Administrator account is subject to account lockout policy.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-1] |
Default Value | 1 |
Group policy mapping:
Name | Value |
---|---|
Name | Allow Administrator account lockout |
Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowIdleReturnWithoutPassword
Specifies whether the user must input a PIN or password when the device resumes from an idle state.
Note
Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition.
Note
This policy must be wrapped in an Atomic command.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Dependency [DeviceLock_AllowIdleReturnWithoutPassword_DependencyGroup] | Dependency Type: DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Dependency Allowed Value: [0] Dependency Allowed Value Type: Range |
Allowed values:
Value | Description |
---|---|
0 | Not allowed. |
1 (Default) | Allowed. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowScreenTimeoutWhileLockedUserConfig
Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
1 | Allow. |
0 (Default) | Block. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowSimpleDevicePassword
Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords.
For more information about this policy, see Exchange ActiveSync Policy Engine Overview.
Note
This policy must be wrapped in an Atomic command.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Dependency [DeviceLock_AllowSimpleDevicePassword_DependencyGroup] | Dependency Type: DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Dependency Allowed Value: [0] Dependency Allowed Value Type: Range |
Allowed values:
Value | Description |
---|---|
0 | Not allowed. |
1 (Default) | Allowed. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/AlphanumericDevicePasswordRequired
Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0.
Note
If AlphanumericDevicePasswordRequired is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. If AlphanumericDevicePasswordRequired is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
Note
This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education).
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 2 |
Dependency [DeviceLock_AlphanumericDevicePasswordRequired_DependencyGroup] | Dependency Type: DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Dependency Allowed Value: [0] Dependency Allowed Value Type: Range |
Allowed values:
Value | Description |
---|---|
0 | Password or Alphanumeric PIN required. |
1 | Password or Numeric PIN required. |
2 (Default) | Password, Numeric PIN, or Alphanumeric PIN required. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/ClearTextPassword
Store passwords using reversible encryption This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It's also required when using Digest Authentication in Internet Information Services (IIS).
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-1] |
Default Value | 0 |
Group policy mapping:
Name | Value |
---|---|
Name | Store passwords using reversible encryption |
Path | Windows Settings > Security Settings > Account Policies > Password Policy |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled
Specifies whether device lock is enabled.
Note
This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions.
Important
The DevicePasswordEnabled setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
- AllowSimpleDevicePassword
- MinDevicePasswordLength
- AlphanumericDevicePasswordRequired
- MaxDevicePasswordFailedAttempts
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
If DevicePasswordEnabled is set to 0 (device password is enabled), then the following policies are set:
- MinDevicePasswordLength is set to 4
- MinDevicePasswordComplexCharacters is set to 1
If DevicePasswordEnabled is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0:
- MinDevicePasswordLength
- MinDevicePasswordComplexCharacters
DevicePasswordEnabled should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for backward compatibility with Windows 8.x. If DevicePasswordEnabled is set to Enabled(0) then Policy CSP will return an error stating that DevicePasswordEnabled already exists. Windows 8.x did not support DevicePassword policy. When disabling DevicePasswordEnabled (1), it should be the only policy set from the DeviceLock group of policies listed below:
- AllowSimpleDevicePassword
- MinDevicePasswordLength
- AlphanumericDevicePasswordRequired
- MinDevicePasswordComplexCharacters
- DevicePasswordExpiration
- DevicePasswordHistory
- MaxDevicePasswordFailedAttempts
- MaxInactivityTimeDeviceLock
Note
DevicePasswordExpiration isn't supported through MDMWinsOverGP.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Allowed values:
Value | Description |
---|---|
0 | Enabled. |
1 (Default) | Disabled. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordExpiration
Specifies when the password expires (in days).
If all policy values = 0, then 0; otherwise, Min policy value is the most secure value.
For more information about this policy, see Exchange ActiveSync Policy Engine Overview.
Note
This policy must be wrapped in an Atomic command.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-730] |
Default Value | 0 |
Dependency [DeviceLock_DevicePasswordExpiration_DependencyGroup] | Dependency Type: DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Dependency Allowed Value: [0] Dependency Allowed Value Type: Range |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordHistory
Specifies how many passwords can be stored in the history that can't be used.
The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords.
Max policy value is the most restricted.
For more information about this policy, see Exchange ActiveSync Policy Engine Overview.
Note
This policy must be wrapped in an Atomic command.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-50] |
Default Value | 0 |
Dependency [DeviceLock_DevicePasswordHistory_DependencyGroup] | Dependency Type: DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Dependency Allowed Value: [0] Dependency Allowed Value Type: Range |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/EnforceLockScreenAndLogonImage
Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users won't be able to change this image. Value type is a string, which is the full image filepath and filename.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/EnforceLockScreenProvider
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxDevicePasswordFailedAttempts
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
Note
This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it isn't wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker isn't enabled, then the policy can't be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see Exchange ActiveSync Policy Engine Overview.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-999] |
Default Value | 0 |
Dependency [DeviceLock_MaxDevicePasswordFailedAttempts_DependencyGroup] | Dependency Type: DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Dependency Allowed Value: [0] Dependency Allowed Value Type: Range |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaximumPasswordAge
This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.
Note
It's a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-999] |
Default Value | 42 |
Group policy mapping:
Name | Value |
---|---|
Name | Maximum password age |
Path | Windows Settings > Security Settings > Account Policies > Password Policy |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
Note
This policy must be wrapped in an Atomic command.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-999] |
Default Value | 0 |
Dependency [DeviceLock_MaxInactivityTimeDeviceLock_DependencyGroup] | Dependency Type: DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Dependency Allowed Value: [0] Dependency Allowed Value Type: Range |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
Sets the maximum timeout value for the external display.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [1-999] |
Default Value | 0 |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordComplexCharacters
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
The following list shows the supported values and actual enforced values:
Account Type | Supported Values | Actual Enforced Values |
---|---|---|
Local Accounts | 1,2,3 | 3 |
Microsoft Accounts | 1,2 | <p2 |
Domain Accounts | Not supported | Not supported |
Enforced values for Local and Microsoft Accounts:
- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
- Passwords for local accounts must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Special characters (!, $, #, %, etc.)
The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
For more information about this policy, see Exchange ActiveSync Policy Engine Overview and KB article.
Note
This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Dependency [DeviceLock_MinDevicePasswordComplexCharacters_DependencyGroup] | Dependency Type: DependsOn DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Device/Vendor/MSFT/Policy/Config/DeviceLock/AlphanumericDevicePasswordRequired Dependency Allowed Value: [0] [0] Dependency Allowed Value Type: Range Range |
Allowed values:
Value | Description |
---|---|
1 (Default) | Digits only. |
2 | Digits and lowercase letters are required. |
3 | Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. |
4 | Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop. |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength
Specifies the minimum number or characters required in the PIN or password.
Max policy value is the most restricted.
For more information about this policy, see Exchange ActiveSync Policy Engine Overview and KB article.
Note
This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [4-16] |
Default Value | 4 |
Dependency [DeviceLock_MinDevicePasswordLength_DependencyGroup] | Dependency Type: DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Dependency Allowed Value: [0] Dependency Allowed Value Type: Range |
Example:
The following example shows how to set the minimum password length to 4 characters.
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>4</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordAge
This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting doesn't follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user doesn't have to choose a new password. For this reason, Enforce password history is set to 1 by default.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-998] |
Default Value | 1 |
Group policy mapping:
Name | Value |
---|---|
Name | Minimum password age |
Path | Windows Settings > Security Settings > Account Policies > Password Policy |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordLength
This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting depends on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting isn't defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required.
Note
By default, member computers follow the configuration of their domain controllers. Default values: 7 on domain controllers 0 on stand-alone servers Configuring this setting larger than 14 may affect compatibility with clients, services, and applications. We recommend that you only configure this setting larger than 14 after you use the Minimum password length audit setting to test for potential incompatibilities at the new setting.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-128] |
Default Value | 0 |
Group policy mapping:
Name | Value |
---|---|
Name | Minimum password length |
Path | Windows Settings > Security Settings > Account Policies > Password Policy |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordLengthAudit
This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 128. You should only enable and configure this setting when you try to determine the potential effect of increasing the minimum password length setting in your environment. If this setting isn't defined, audit events won't be issued. If this setting is defined and is less than or equal to the minimum password length setting, audit events won't be issued. If this setting is defined and is greater than the minimum password length setting, and the length of a new account password is less than this setting, an audit event will be issued.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [1-128] |
Default Value | 4294967295 |
Group policy mapping:
Name | Value |
---|---|
Name | Minimum password length audit |
Path | Windows Settings > Security Settings > Account Policies > Password Policy |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/PasswordComplexity
Password must meet complexity requirements. This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-1] |
Default Value | 1 |
Group policy mapping:
Name | Value |
---|---|
Name | Password must meet complexity requirements |
Path | Windows Settings > Security Settings > Account Policies > Password Policy |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/PasswordHistorySize
Enforce password history This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords aren't reused continually. Default: 24 on domain controllers. 0 on stand-alone servers.
Note
By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, don't allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-24] |
Default Value | 24 |
Group policy mapping:
Name | Value |
---|---|
Name | Enforce password history |
Path | Windows Settings > Security Settings > Account Policies > Password Policy |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventEnablingLockScreenCamera
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.
By default, users can enable invocation of an available camera on the lock screen.
If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera can't be invoked on the lock screen.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | CPL_Personalization_NoLockScreenCamera |
Friendly Name | Prevent enabling lock screen camera |
Location | Computer Configuration |
Path | Control Panel > Personalization |
Registry Key Name | Software\Policies\Microsoft\Windows\Personalization |
Registry Value Name | NoLockScreenCamera |
ADMX File Name | ControlPanelDisplay.admx |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenSlideShow
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
By default, users can enable a slide show that will run after they lock the machine.
If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | CPL_Personalization_NoLockScreenSlideshow |
Friendly Name | Prevent enabling lock screen slide show |
Location | Computer Configuration |
Path | Control Panel > Personalization |
Registry Key Name | Software\Policies\Microsoft\Windows\Personalization |
Registry Value Name | NoLockScreenSlideshow |
ADMX File Name | ControlPanelDisplay.admx |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/RelaxMinimumPasswordLengthLimits
This setting controls whether the minimum password length setting can be increased beyond the legacy limit of 14. If this setting isn't defined, minimum password length may be configured to no more than 14. If this setting is defined and disabled, minimum password length may be configured to no more than 14. If this setting is defined and enabled, minimum password length may be configured more than 14.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Disabled. |
1 | Enabled. |
Group policy mapping:
Name | Value |
---|---|
Name | Relax minimum password length |
Path | Windows Settings > Security Settings > Account Policies > Password Policy |
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/DeviceLock/ScreenTimeoutWhileLocked
Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [10-1800] |
Default Value | 10 |