Detections
Analytics
2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer.The recommended state for this setting is: Enabled.
Rationale:
Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled:To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Endpoint protection)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Endpoint protection/Local device security options/Accounts
Setting Name: Remote log on without password
Configuration: Block
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:
Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
Data type: Integer
Value: 1
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Default Value:
Enabled.
See Also
Item Details
Audit Name: CIS Microsoft Intune for Windows 10 v1.1.0 L1
References: CSCv7|4.4
Plugin: Windows
Control ID: fe6dc50bea11b2e50a4742d4fb76330179878b9e01b5646bf4c8c7956764ea9e