Harden Windows password complexity, length, history, and expiration policies against weak local credentials
This Automox Worklet™ hardens the local password policy on Windows workstations and member servers. The Worklet drives net accounts to set password history, minimum length, minimum age, and maximum age. It then runs two separate secedit cycles – one to rewrite PasswordComplexity and one to rewrite ClearTextPassword – each exporting the local security database, patching the value in the .cfg file, and re-importing with secedit /configure. The result is a uniform local Account Policy that matches the CIS Benchmark recommendations for Windows 10, Windows 11, and Windows Server.
Six parameters are exposed on the policy and ship with CIS-aligned defaults: pwhistory = 24, maxpwagedays = 30, minpwagedays = 1, minpwlenchar = 14, PasswordComplexity = 1 (enabled), and ClearTextPassword = 0 (reversible storage disabled). Override any of them in the Automox console to match a stricter internal standard or an attestation-specific baseline.
The Worklet runs on local accounts only. On a domain-joined endpoint, Group Policy from Active Directory still wins for domain users – use this Worklet for non-domain laptops, kiosk and lab images, member servers with break-glass local accounts, and any standalone host that does not inherit a domain password GPO. It is Run Now-compatible, so an admin can trigger immediate enforcement on a specific endpoint from the Automox console without waiting for the next scheduled run.
Weak local credentials are still the path of least resistance into a Windows fleet. Local administrator accounts on field laptops, lab equipment, and member servers routinely fall outside the domain password GPO, and CIS Benchmark control 1.1 (Password Policy) is one of the most frequently failed controls in third-party audits. A 14-character MinimumPasswordLength combined with PasswordComplexity = 1 raises the cost of brute force and credential-stuffing attacks against those local accounts. Disabling ClearTextPassword closes the reversible-encryption escape hatch that lets stored credentials be recovered after a domain compromise.
The local security policy is one of the easier surfaces to lose on Windows. A single image rebuild, a forgotten OOBE script, or an old MDT task sequence can ship endpoints with the platform defaults of PasswordComplexity disabled and MinimumPasswordLength = 0, and secedit /configure runs in package post-installers can quietly revert a hand-edited inf without surfacing in any log. The Worklet exports the running config with secedit /export on every evaluation, parses both values, and re-applies the policy when either has drifted. The catalog defines the desired state once; the Worklet keeps the running configuration aligned across every endpoint under Automox management.
Evaluation phase: The evaluation script exits 1 unconditionally, flagging every endpoint as non-compliant on every run. This ensures the remediation phase always reapplies the full policy rather than relying on a drift check.
Remediation phase: The script runs four net accounts commands: /uniquepw:24, /maxpwage:30, /minpwage:1, and /minpwlen:14. It then applies two secedit cycles in sequence. The first cycle exports the policy with secedit /export /cfg c:\secpol.cfg, rewrites PasswordComplexity using Get-Content and Out-File, re-imports with secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY, and removes c:\secpol.cfg with Remove-Item -Force. The second cycle repeats the same export-rewrite-import-delete sequence for the ClearTextPassword value. Exit code 0 from each secedit call indicates success; any non-zero exit code surfaces in Automox activity logs as a remediation failure.
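The remediation sequence above, written out as an added PowerShell example (not the Worklet's own script) with the same CIS-aligned defaults; the parameter names and the helper Set-LocalSecPolValue are assumptions.

```powershell
# Added example, not the Worklet's own script: the remediation sequence the
# text describes, with the same CIS-aligned defaults. The parameter names and
# the helper Set-LocalSecPolValue are assumptions.
param(
    [int]$pwhistory = 24,
    [int]$maxpwagedays = 30,
    [int]$minpwagedays = 1,
    [int]$minpwlenchar = 14,
    [int]$PasswordComplexity = 1,
    [int]$ClearTextPassword = 0
)

# Rewrites one [System Access] key: export -> patch the .cfg -> import -> delete.
function Set-LocalSecPolValue {
    param([string]$Name, [int]$Value)
    $cfg = 'C:\secpol.cfg'
    $db  = 'C:\Windows\Security\local.sdb'
    & secedit.exe /export /cfg $cfg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
    # secedit writes the export as UTF-16LE; read and write it back the same way.
    $lines = Get-Content -Path $cfg -Encoding Unicode
    $pattern = "^\s*$Name\s*=\s*\d+"
    if ($lines -match $pattern) {
        $lines = $lines -replace $pattern, "$Name = $Value"
    } else {
        # Key absent from the export: add it under [System Access].
        $lines = $lines -replace '^\[System Access\]$', "[System Access]`r`n$Name = $Value"
    }
    $lines | Out-File -FilePath $cfg -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $rc = $LASTEXITCODE
    Remove-Item -Path $cfg -Force          # never leave the exported policy on disk
    if ($rc -ne 0) { throw "secedit /configure for $Name failed ($rc)" }
}

# Four net accounts calls, in the order the Worklet uses (max age is set before
# min age, so the new minimum never exceeds the currently configured maximum).
foreach ($switch in "/uniquepw:$pwhistory", "/maxpwage:$maxpwagedays",
                    "/minpwage:$minpwagedays", "/minpwlen:$minpwlenchar") {
    & net.exe accounts $switch | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts $switch failed ($LASTEXITCODE)" }
}

# Two separate secedit cycles, as in the Worklet.
Set-LocalSecPolValue -Name 'PasswordComplexity' -Value $PasswordComplexity
Set-LocalSecPolValue -Name 'ClearTextPassword'  -Value $ClearTextPassword
exit 0
```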
Windows 10, Windows 11, Windows Server 2016, 2019, 2022, or later – the Worklet supports both WORKSTATION and SERVER endpoint types
Local administrator privileges (the Automox agent runs as SYSTEM by default, which satisfies this requirement)
PowerShell 5.1 or later, with an execution policy that allows the Automox agent to run unsigned scripts (the agent context already meets this)
net.exe and secedit.exe present at their default paths under C:\Windows\System32\ – both ship with every supported Windows SKU
Write access to C:\Windows\Security\local.sdb and to the temporary C:\secpol.cfg path used during the export and re-import
Override the pwhistory, maxpwagedays, minpwagedays, minpwlenchar, PasswordComplexity, or ClearTextPassword parameters in the Automox policy if your internal standard is stricter than CIS – the defaults map to the CIS Level 1 baseline
After a successful run, net accounts reports a MinimumPasswordLength of 14, a MaximumPasswordAge of 30 days, a MinimumPasswordAge of 1 day, and a UniquePasswordHistory of 24. Opening the Local Security Policy snap-in (secpol.msc) and browsing to Security Settings → Account Policies → Password Policy shows "Password must meet complexity requirements" set to Enabled and "Store passwords using reversible encryption" set to Disabled. New local-account password changes are rejected with the platform message "Unable to update the password" until the user provides a 14-character credential containing characters from at least three of the four standard categories (uppercase, lowercase, digits, non-alphanumeric).
Validate manually by running net accounts in an elevated PowerShell session and confirming each field matches the values above. For an export-style proof, run secedit /export /cfg C:\Temp\verify.cfg and grep the file for PasswordComplexity = 1 and ClearTextPassword = 0 – the Worklet writes these same lines on every remediation pass. Capture the secedit export and the net accounts output alongside the policy run identifier for CIS Benchmark, PCI-DSS, HIPAA, or SOC 2 audit evidence. The settings persist across reboots and Windows feature updates; the next Automox evaluation reapplies them if any tool, script, or GPO refresh reverts them.
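An added verification script (not part of the Worklet) that performs the manual checks above in one pass: it parses net accounts and a secedit export, then reports which fields fall short of the CIS-aligned values; the function names, the English-locale net accounts labels, and the %TEMP%\verify.cfg path are assumptions.

```powershell
# Added example, not the Worklet's own script: export the running policy and
# report drift against the CIS-aligned values. Function names are assumptions.
function Get-LocalPasswordPolicy {
    # net accounts prints "Label:   value" lines (English locale assumed).
    $netMap = @{}
    foreach ($line in (& net.exe accounts)) {
        if ($line -match '^(.+?):\s+(\S+)') { $netMap[$matches[1].Trim()] = $matches[2] }
    }
    # PasswordComplexity and ClearTextPassword only appear in a secedit export.
    $cfg = Join-Path $env:TEMP 'verify.cfg'
    & secedit.exe /export /cfg $cfg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }
    $sec = @{}
    foreach ($line in (Get-Content -Path $cfg -Encoding Unicode)) {
        if ($line -match '^\s*(PasswordComplexity|ClearTextPassword)\s*=\s*(\d+)') {
            $sec[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item -Path $cfg -Force
    [pscustomobject]@{
        MinimumPasswordLength = [int]$netMap['Minimum password length']
        MaximumPasswordAge    = $netMap['Maximum password age (days)']           # number or 'Unlimited'
        MinimumPasswordAge    = [int]$netMap['Minimum password age (days)']
        UniquePasswordHistory = $netMap['Length of password history maintained'] # number or 'None'
        PasswordComplexity    = $sec['PasswordComplexity']
        ClearTextPassword     = $sec['ClearTextPassword']
    }
}

# Returns the fields that miss the baseline; an empty result means compliant.
function Test-LocalPasswordPolicy {
    param([int]$MinLen = 14, [int]$MaxAge = 30, [int]$MinAge = 1, [int]$History = 24)
    $p = Get-LocalPasswordPolicy
    $drift = [System.Collections.Generic.List[string]]::new()
    if ($p.MinimumPasswordLength -lt $MinLen) { $drift.Add('MinimumPasswordLength') }
    if ($p.MaximumPasswordAge -eq 'Unlimited' -or [int]$p.MaximumPasswordAge -gt $MaxAge) { $drift.Add('MaximumPasswordAge') }
    if ($p.MinimumPasswordAge -lt $MinAge) { $drift.Add('MinimumPasswordAge') }
    if ($p.UniquePasswordHistory -eq 'None' -or [int]$p.UniquePasswordHistory -lt $History) { $drift.Add('UniquePasswordHistory') }
    if ($p.PasswordComplexity -ne 1) { $drift.Add('PasswordComplexity') }
    if ($p.ClearTextPassword -ne 0) { $drift.Add('ClearTextPassword') }
    return $drift
}

$drift = @(Test-LocalPasswordPolicy)
if ($drift.Count -eq 0) { Write-Output 'COMPLIANT'; exit 0 }
Write-Output "NON-COMPLIANT: $($drift -join ', ')"
exit 1
```

The exit code mirrors the Worklet's own convention (0 compliant, 1 non-compliant), so the script can stand in as a drift-aware evaluation if the unconditional exit 1 is ever replaced.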