
Set Password Complexity on Windows Accounts

Enforce password complexity, minimum length, and expiration policies on Windows endpoints

Worklet Details

What the password complexity Worklet does

This Automox Worklet™ configures Windows password policies by applying CIS-recommended security settings. The Worklet uses PowerShell commands to set password complexity requirements, enforce minimum password length, establish password history limits, and define password expiration parameters.

The remediation script configures five key password policy settings: password history (number of previous passwords users cannot reuse), maximum password age (days before password must be changed), minimum password age (days before password can be changed), minimum password length (character count), and password complexity (whether passwords must contain uppercase, lowercase, numbers, and symbols).

The Worklet also disables the reversible encryption storage setting, preventing passwords from being stored in plaintext-like formats. These policies apply to local accounts on individual endpoints and help prevent unauthorized access to sensitive resources.

Why enforce password complexity policies

Weak passwords are a primary attack vector for unauthorized access to endpoints. By requiring passwords to meet complexity requirements and minimum length standards, you significantly reduce the risk of brute-force attacks and credential compromise. Enforcing password complexity makes passwords harder to guess and crack, protecting your organization from account takeover.

Implementing password policies also helps you meet regulatory requirements. Standards including Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), CyberEssentials, and SOC 2 all mandate strong password policies. By automating policy deployment through this Worklet, you demonstrate compliance with these frameworks during audits and reduce the risk of penalties.

Password history settings prevent users from cycling through the same passwords repeatedly, reducing the impact of compromised credentials. Password expiration policies encourage regular password changes, limiting the window of time a stolen password remains valid. These controls work together to create a comprehensive security posture.

How password complexity enforcement works

  1. Evaluation phase: The evaluation script checks the current state of password policies on the endpoint by examining local account policies configured through the net accounts and secedit commands.

  2. Remediation phase: The remediation script applies CIS-recommended password policies by setting password history to twenty-four previous passwords, maximum password age to thirty days, minimum password age to one day, and minimum password length to fourteen characters, enabling password complexity requirements, and disabling reversible encryption storage to prevent plaintext password storage.

Password complexity policy requirements

  • Windows 10, Windows 11, Windows Server 2016, or later versions

  • Local administrator privileges required on the endpoint

  • PowerShell execution enabled with appropriate script execution policy

  • Access to net accounts and secedit command-line utilities

  • Network share access if using domain-based password policies in addition to local policies

Expected password policy configuration state

After the Worklet runs successfully, Windows endpoints will have standardized password policies enforced. You can verify this change by checking the specific setting this Worklet modifies. Users will be required to create passwords that include uppercase letters, lowercase letters, numbers, and special characters. Passwords must be at least fourteen characters long and cannot match any of the previous twenty-four passwords used by that account. Passwords expire after thirty days, requiring users to change them regularly.

You can verify the configuration by running the net accounts command to view password policy settings or by accessing the Local Group Policy Editor (gpedit.msc) and navigating to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy. These settings apply to local accounts on that endpoint and may differ from domain-level group policies if your organization uses Active Directory.
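
An evaluation-style check for the settings described above, as an added example (not the Worklet's own script): it exports the local security policy with secedit and compares six values against the targets this page lists. The exact-match comparison and the exit codes (0 compliant, 1 drift, 2 export failed) are assumptions.

```powershell
# Added example, not the Worklet's own script. Run from an elevated session.
# Targets are the values this page lists; keys are secedit [System Access] names.
$expected = [ordered]@{
    PasswordHistorySize   = 24  # previous passwords remembered
    MaximumPasswordAge    = 30  # days until a change is forced
    MinimumPasswordAge    = 1   # days before a change is allowed
    MinimumPasswordLength = 14  # characters
    PasswordComplexity    = 1   # 1 = complexity required
    ClearTextPassword     = 0   # 0 = reversible encryption off
}

$cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
$actual = @{}
try {
    # Export only the security-policy area of the local policy to an INF file.
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $cfg)) {
        Write-Output "secedit export failed (exit code $LASTEXITCODE)"
        exit 2   # assumption: 2 = could not evaluate
    }
    # Collect every "Key = <integer>" line; -1 appears for "never expires".
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $actual[$Matches[1]] = [int]$Matches[2]
        }
    }
}
finally {
    # The export describes the machine's security policy; do not leave it in TEMP.
    Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
}

$drift = foreach ($key in $expected.Keys) {
    if (-not $actual.ContainsKey($key)) {
        "{0}: not present in export" -f $key
    }
    elseif ($actual[$key] -ne $expected[$key]) {
        "{0}: expected {1}, found {2}" -f $key, $expected[$key], $actual[$key]
    }
}

if ($drift) {
    $drift | ForEach-Object { Write-Output "NON-COMPLIANT $_" }
    exit 1   # assumption: non-zero = remediation needed
}
Write-Output 'Password policy matches all six target values.'
exit 0
```

On a domain-joined endpoint the exported values reflect the effective policy, so a mismatch here can come from a domain group policy rather than from local configuration.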

How to validate Set Password Complexity on Windows Accounts changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for Set Password Complexity on Windows Accounts.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned with the logic of the evaluation and remediation scripts.

  4. Validate remediation effects from script operations such as Get-Content, Out-File, and Remove-Item, then rerun the evaluation to confirm compliance.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
