Lockout screen and password settings shall be configured for each device

Description

Lockout screen timeouts should be configured for a certain number of minutes of activity for all device platforms. Password complexity requirements should be enforced and users should be prompted to change their password if it does not meet corporate requirements. In Intune, the location to configure these settings varies depending on the platform.

Windows: Security Baselines (Device Lock, Local Policies Security Options), Configuration Profiles (Device Restrictions: Password)

macOS: Compliance Policy (System Security)

iOS: Compliance Policy (System Security)

Android: Compliance Policy (System Security)

Policy

  • All supported devices have configuration settings defined/enforced for lockout screen timeouts and passwords

Licensing Considerations

• Any tenant with Intune licensing can access this setting.

Set-Up Instructions

Windows Security Baselines: Create security baseline profiles in Microsoft Intune | Microsoft Learn

  1. Under Device Lock set the password requirements

  2. Under Local Policies Security Options, Set the Minutes of lock screen inactivity until screen save activates policy

macOS Compliancy Policy: macOS device compliance settings in Microsoft Intune | Microsoft Learn

  1. Under System Security, modify the Password requirements and minutes of inactivity before password required

iOS Compliancy Policy: iOS/iPadOS device compliance settings in Microsoft Intune | Microsoft Learn

  1. Under System Security, modify the Password requirements and minutes of inactivity before password required

Android Compliancy Policy: Android Enterprise compliance settings in Microsoft Intune | Microsoft Learn

  1. Under System Security, modify the Password requirements and minutes of inactivity before password required

End-User Impact

Level: Medium

End users who enroll devices into Intune after this policy is enforced may be prompted to update their password if the policy requirements are not met on the device.

Tips

Make sure you don’t have conflicting policies between configuration profiles, security baselines, and compliance policies

PowerShell Scripts

powershell-intune-samples/CompliancePolicy at master · microsoftgraph/powershell-intune-samples (github.com)

powershell-intune-samples/DeviceConfiguration at master · microsoftgraph/powershell-intune-samples (github.com)

Videos

PreviousMobile devices shall only be able to access corporate data through approved client appsNextEncryption shall be required on all devices

Last updated