May 20, 2024

Remove the Ability of Users to Change Passwords with Intune

While security professionals have traditionally recommended that users change their passwords regularly, this mantra is no longer considered a best practice. In fact, there are valid reasons why an organization may even choose to remove the ability for users to change passwords altogether. By restricting password changes, organizations can ensure that password resets and updates are centrally managed and controlled, aligning with their security policies and compliance requirements.

One scenario where restricting password changes can be beneficial is in educational institutions where student usernames are required to contain assigned student ID numbers. Allowing students to change their passwords could lead to inconsistencies and potential issues with account management.

Other examples include environments that use shared accounts, where permitting individual users to change passwords can lead to confusion, disruption, and potential security risks. By removing this ability, organizations can ensure that shared account passwords are managed centrally and consistently.

Some organizations may already have established password management solutions or processes in place, such as Local Administrator Password Solution (LAPS) or third-party password management tools. In these cases, removing the ability for users to change passwords through Intune can help prevent conflicts or inconsistencies with these existing solutions, ensuring a streamlined and cohesive password management approach.

Creating the Necessary Intune Configuration Profile

To prevent users from changing their passwords, open the Microsoft Intune admin center, go to Devices > Configuration, and create a new policy. Select ‘Windows 10 and later’ as the platform and choose ‘Administrative Templates’ as the profile type. Then name the profile and proceed to configuration settings.

You will find the appropriate setting in User Configuration > System > Ctrl+Alt+Del Options. Enable ‘Remove Change Password’ as shown in the screenshot below.
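Once the profile has synced, you can confirm on an endpoint that the setting is in effect. The following check is an added example, not part of the original post. It assumes the Intune profile writes the same per-user registry value as the Group Policy setting of the same name (`DisableChangePassword` under `Software\Microsoft\Windows\CurrentVersion\Policies\System`), and the exit-code convention (0 = compliant, 1 = not compliant) is chosen so it can double as a detection script. Run it elevated so it can read other users' hives.

```powershell
# Added example: report whether "Remove Change Password" is applied for every
# user whose registry hive is currently loaded on this device.
# Assumption: the Intune profile sets the same value as the Group Policy
# setting of that name (DisableChangePassword = 1 in the user's Policies key).
$policySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName    = 'DisableChangePassword'

# Loaded user hives appear under HKEY_USERS keyed by SID.
# S-1-5-21-* = local/AD accounts, S-1-12-1-* = Microsoft Entra ID accounts.
# The anchored pattern also skips the "<SID>_Classes" hives.
$results = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
    ForEach-Object {
        $sid   = $_.PSChildName
        $path  = "Registry::HKEY_USERS\$sid\$policySubKey"
        $value = (Get-ItemProperty -Path $path -Name $valueName `
                    -ErrorAction SilentlyContinue).$valueName

        # Resolve the SID to an account name for readability; fall back to the SID.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        [pscustomobject]@{
            Account   = $account
            Sid       = $sid
            Value     = $value            # $null means the policy value is absent
            Compliant = ($value -eq 1)
        }
    }

$results | Format-Table -AutoSize

# Any loaded profile without the policy makes the device non-compliant.
# No loaded user hives (nobody signed in) is treated as compliant.
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Output 'Remove Change Password is NOT applied for at least one user.'
    exit 1
}
Write-Output 'Remove Change Password is applied for all loaded user profiles.'
exit 0
```

Because this is a user-scoped setting, a device can show mixed results if the profile is assigned to only some of the users who sign in to it.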

While restricting the ability for users to change passwords can address certain challenges, it is recommended that organizations carefully evaluate their specific requirements, security policies, and existing processes before implementing such a policy. They should consider any potential complexity issues in terms of password management and user experience that it may introduce.
