Password Policy Profile
The Password Policy profile allows administrators to set up and customize the device lock policies on enrolled devices. With this profile, administrators can establish rules and criteria for passwords, PINs, or other authentication methods used to unlock devices.
To create a device lock policy and deploy it to the enrolled device(s), follow these steps:
Navigate to the SureMDM web console > Profiles > Windows > Add > Password Policy > Configure.
Enter a Profile Name.
In the Device Password Policy section, enter the following details:
Settings | Description |
---|---|
Device Lock | Use this option to enable device lock related features. |
Windows Device Type | All - Supports all Windows device types; Desktop - Supports all Windows 10 desktop devices |
Minimum Password Quality | Select a PIN type from the following: Simple Alphanumeric Numeric Any |
Minimum Device Password Complex Characters | Select the complex characters required for a strong PIN or password from the following options: Digits Only; Digits and lowercase letters are required; Digits, lowercase letters and uppercase letters are required; Digits, lowercase letters, uppercase letters, and special characters are required |
Minimum Password Length | Minimum password length required on the devices. |
Maximum Password Failed Attempts | Number of failed attempts allowed before the device is wiped. |
Password Expiration (In Days) | Maximum number of days the password remains active, after which it expires. |
Password History | Number of previously created passwords that cannot be selected again. |
Maximum Inactivity Time To Device Lock (In Minutes) | Period of inactivity before the device's screen locks automatically. |
Require Password when Device Returns From Idle State | Force the user to input the password every time the device returns from the idle state. Note: This feature is supported only on Windows mobile and holographic devices. |
Block Automatic Encryption During AADJ | Restrict automatic device encryption during first use when the device is Microsoft Entra ID (formerly Azure Active Directory) Joined (AADJ). Note: This feature is supported only when the device is enrolled through Windows OOBE / Windows Autopilot. |
Allow Federal Information Processing Standard (FIPS) Policy | Allow federal information processing standard (FIPS) policy. Note: This feature is supported only when the device is enrolled through Windows OOBE / Windows Autopilot. |
Allow Windows Hello Device Authentication | Allow the use of Windows Hello for authenticating the device. Note: This feature is supported only when the device is enrolled through Windows OOBE / Windows Autopilot. |
Preferred Microsoft Entra ID (formerly Azure Active Directory) Tenant Domain | Enter the Microsoft Entra ID (formerly Azure Active Directory) tenant domain name. The user can sign in without typing the domain name. Note: This feature is supported only when the device is enrolled through Windows OOBE / Windows Autopilot. |
Password Policy does not work for domain-joined devices.
The password must contain alphanumeric and special characters.
The newly created profile will be listed in the Profile List section.
Go back to the Home tab and select the Windows device(s) or group(s).
Click Apply to launch the Apply Job/Profile To Device prompt.
Select the profile under All Jobs/Profiles.
Click Apply in the Apply Job/Profile To Device prompt.
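To see how Minimum Password Length, Minimum Device Password Complex Characters and Password History interact before a profile is rolled out, the following added example (not SureMDM code) checks a candidate password against all three. The `Profile` class, the function names, the cumulative reading of the four complexity options and the PBKDF2 history store are assumptions made for illustration.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass

# Character classes named in the "Minimum Device Password Complex Characters"
# options, read here as cumulative requirements (assumption).
CLASSES = {"digit": string.digits, "lowercase": string.ascii_lowercase,
           "uppercase": string.ascii_uppercase, "special": string.punctuation}
LEVELS = {1: ["digit"],
          2: ["digit", "lowercase"],
          3: ["digit", "lowercase", "uppercase"],
          4: ["digit", "lowercase", "uppercase", "special"]}

@dataclass
class Profile:               # hypothetical container for three profile settings
    min_length: int          # Minimum Password Length
    complexity_level: int    # 1-4, in the order the options are listed
    history: int             # Password History

def hash_password(password, salt=None):
    """Return (salt, digest) so history entries never hold plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def violations(candidate, profile, previous):
    """List the settings a candidate breaks. previous: (salt, digest), oldest first."""
    found = []
    if len(candidate) < profile.min_length:
        found.append("Minimum Password Length")
    missing = [name for name in LEVELS[profile.complexity_level]
               if not any(ch in CLASSES[name] for ch in candidate)]
    if missing:
        found.append("Minimum Device Password Complex Characters: missing "
                     + ", ".join(missing))
    # Only the most recent `history` entries block reuse.
    recent = previous[-profile.history:] if profile.history else []
    for salt, digest in recent:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            found.append("Password History")
            break
    return found

if __name__ == "__main__":
    # Constructed sample data: strictest complexity option, history of 2.
    profile = Profile(min_length=8, complexity_level=4, history=2)
    past = [hash_password(p) for p in ("Old#Pass1", "Mid#Pass2", "New#Pass3")]
    for pw in ("abc1", "New#Pass3", "Old#Pass1"):
        print(pw, "->", violations(pw, profile, past) or "accepted")
```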