Passcode
The Passcode settings enforce the use of a secure passcode to unlock a Windows device. The policy applies passcode restrictions to the local device password on Windows desktops and laptops, and to the device passcode on Windows phones. Use this setting with the Windows Hello for Business setting for enhanced security on Windows devices.
The following table describes the passcode settings that you can configure for a Windows device.
| Policy setting | Description | Supported devices |
|---|---|---|
| Configure passcode policy | Select the option to configure passcode settings on phones and to set password configuration for local accounts on desktops and laptops. | |
| Minimum passcode length (4 - 16 characters) | The minimum number of characters that are needed for a passcode. The range is 4 - 16 characters. | |
| Allow simple passcode | Allows simple passcodes, such as values with ascending, descending, or repeating character sequences. For example, 1111 or 1234. | |
| Passcode quality | Select from the following options to set passcode quality: | |
| Minimum number of character sets | Configure the minimum number of character sets for an alphanumeric password, between zero and four. The allowed character sets are lowercase letters, uppercase letters, symbols, and numbers. Note: The default minimum number of character sets for any passcode policy for desktop or tablet devices is 3. | |
| Allowed idle time (in minutes) before auto-lock (1-999, or blank) | The amount of time the device remains inactive before the device is locked automatically. The allowed values are 1 - 999 minutes or no value. | |
| Maximum passcode age (1-730 days, or blank) | The number of days that can pass before a passcode must be changed. The range is 1 - 730 days. If you leave this field blank, the passcode never expires. | |
| Number of unique passcode required before reuse allowed (1-50 or blank) | The number of unique passcodes that must be used before an old passcode can be reused. The allowed number of unique passcodes is 1-50. If you leave this field blank, you can reuse a passcode that you previously used on the device. | |
| Number of unsuccessful passcode attempts before a device enters BitLocker Recovery Mode (Blank or Range: 1-999) | The prerequisite to enforce this setting is that BitLocker Encryption must be enabled on the device. If enabled, this value defines the number of unsuccessful password attempts before the device reboots and requires the BitLocker Recovery Key to unlock the account. | |
| Allow idle return without passcode | If this setting is not enabled, the user is prompted for a password every time the device returns from an idle state. | |
| Allow screen timeout configuration on lock screen | If cleared, it allows a user-configurable setting on the device to control screen timeout on the lock screen. | Windows Phone 10+ |
| Screen timeout duration on lock screen | Specifies the time duration (in seconds) for screen timeout while on the lock screen. Allowed values are 10 - 1800 seconds. If the screen timeout duration field is left blank, then the device does not time out in the lock screen mode. | Windows Phone 10+ |
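
How three of the settings above (Minimum passcode length, Allow simple passcode, and Minimum number of character sets) combine when a passcode is evaluated, as an added Python example that is not part of the product or its documentation. The `is_simple` rule (one run with a constant step of 0, +1, or -1), the use of `string.punctuation` as the symbol set, the function names, the default length of 4, and the sample passcodes are assumptions made for illustration.

```python
# Added illustration: evaluates a candidate passcode against three settings
# from the table. The matching rules are assumptions, not the product's logic.
import string

CHARACTER_SETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),  # assumed symbol set
}


def is_simple(passcode: str) -> bool:
    """True if the whole passcode is one repeating (1111), ascending (1234)
    or descending (4321) run. Assumed rule: constant step of 0, +1 or -1."""
    if len(passcode) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def character_sets_used(passcode: str) -> set:
    """Names of the four character sets that appear in the passcode."""
    return {name for name, chars in CHARACTER_SETS.items()
            if any(c in chars for c in passcode)}


def violations(passcode: str, min_length: int = 4,
               allow_simple: bool = False, min_sets: int = 3) -> list:
    """Return the settings a passcode fails; an empty list means it passes."""
    if not 4 <= min_length <= 16:
        raise ValueError("Minimum passcode length must be 4 - 16")
    if not 0 <= min_sets <= 4:
        raise ValueError("Minimum number of character sets must be 0 - 4")
    failed = []
    if len(passcode) < min_length:
        failed.append("Minimum passcode length")
    if not allow_simple and is_simple(passcode):
        failed.append("Allow simple passcode")
    if len(character_sets_used(passcode)) < min_sets:
        failed.append("Minimum number of character sets")
    return failed


if __name__ == "__main__":
    # Constructed sample passcodes, checked with min_length=8 and min_sets=3.
    for sample in ("1111", "abcdefgh", "Summer2024", "Tr1ck-y!x"):
        print(sample, violations(sample, min_length=8))
```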