1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)'

Information

This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.

Note: All recommendations in Section 1.1 (Password Policy) are only applied to Local and Microsoft accounts and not Domain accounts. For more information, please see the references section below.

The recommended state for this setting is: 1 or more day(s).

Rationale:

Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual's user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective.
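The interplay described above (Minimum password age only makes Enforce password history effective when it is greater than 0) can be verified on an endpoint. The following PowerShell audit helper is an added example, not part of the CIS benchmark or Tenable content; it exports the effective local security policy with secedit (which requires an elevated session) and reports both values. The function names and the output object layout are this example's own choices.

```powershell
# Added audit helper, not from the benchmark. Exports the effective local
# security policy and checks CIS 1.1.3 together with the related
# Enforce password history setting. Run from an elevated PowerShell.
function Get-LocalPasswordPolicy {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit writes an INI-style file; the [System Access] section holds
        # MinimumPasswordAge (days) and PasswordHistorySize (count).
        $null = secedit.exe /export /cfg $cfg /areas SECURITYPOLICY
        $policy = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(MinimumPasswordAge|PasswordHistorySize)\s*=\s*(\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-MinimumPasswordAge {
    param([hashtable]$Policy = (Get-LocalPasswordPolicy))
    $age     = $Policy['MinimumPasswordAge']
    $history = $Policy['PasswordHistorySize']
    [pscustomobject]@{
        MinimumPasswordAge  = $age
        PasswordHistorySize = $history
        # CIS 1.1.3: 1 or more day(s)
        Compliant           = ($age -ge 1)
        # History is only enforceable when the minimum age is greater than 0;
        # otherwise a user can cycle through the history in minutes.
        HistoryEnforceable  = ($age -ge 1 -and $history -gt 0)
    }
}

Test-MinimumPasswordAge | Format-List
```

On a domain-joined machine the exported values reflect whatever Group Policy applies locally, so this check confirms the effective state of the device rather than the Intune profile itself; a result of MinimumPasswordAge = 0 with a non-zero PasswordHistorySize is exactly the gap the rationale describes.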

Impact:

If an administrator sets a password for a user but wants that user to change the password when the user first logs on, the administrator must select the User must change password at next logon check box, or the user will not be able to change the password until the next day.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to 1 or more day(s):

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Custom)

Enter a Name

Click Add

Enter the Details below

Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordAge
Data type: Integer
Value: 1 or more day(s)

Select Save

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability, etc.)
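The Custom profile built in the portal steps above can also be created through Microsoft Graph, which is useful when the setting must be deployed to several tenants consistently. This is an added example, not the benchmark's own content or a Microsoft-provided script; it uses the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest), the OMA-URI from the Solution section, and constructed placeholders for the profile name, description and the target group id.

```powershell
# Added example: creates the Custom Device Configuration profile via Microsoft
# Graph instead of the Intune portal. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph) and an account that can manage Intune.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$customProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'CIS 1.1.3 - Minimum password age'     # constructed name
    description   = 'Minimum password age set to 1 day'    # constructed text
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'MinimumPasswordAge'
            description   = 'CIS 1.1.3'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordAge'
            # Data type Integer; 1 or more day(s). 0 would allow immediate
            # password changes and defeat Enforce password history.
            value         = 1
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($customProfile | ConvertTo-Json -Depth 5) `
    -ContentType 'application/json'

# Assign the new profile to a device group; the group id is a placeholder.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = '00000000-0000-0000-0000-000000000000'   # placeholder
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) `
    -ContentType 'application/json'
```

The value is sent as an integer setting (omaSettingInteger), matching the Data type: Integer line in the portal steps; sending it as a string setting would be rejected by the CSP. After assignment, the device reports the result on its next MDM sync, which can be checked under the profile's device status in Intune.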

Note: More than one configuration setting from each of the Configuration profiles (e.g. Administrative Templates, Custom, etc.) can be added to each Device Configuration Policy.

Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:

./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordAge

Note #3: This setting can also be created via the Settings Catalog via the following path:

Device Lock\Min Device Password Length\Minimum Password Age

Default Value:

1 day on domain members. 0 days on stand-alone workstations.

See Also

https://workbench.cisecurity.org/files/4291