Enforce a Passcode profile to protect devices with passcodes each time they return from an idle state. A passcode ensures that all sensitive corporate information on managed devices remains protected.

Passcodes set using this payload only take effect if the passcode is stricter than existing passcodes. For example, if the existing Microsoft Account passcode requires stricter settings than the Passcode payload requirements, the device continues to use the Microsoft Account passcode.

Important:

The Passcode payload does not apply to domain-joined devices.

To configure a Passcode profile:

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.
  3. Select Device Profile.
  4. Configure the profile General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  5. Select the Passcode profile.
  6. Configure the Passcode settings:
    Setting: Description

    Password Complexity: Set to Simple or Complex according to your preferred level of password difficulty.

    Require Alphanumeric: Enable to require the passcode to be an alphanumeric passcode.

    Minimum Password Length: Enter the minimum number of characters a Password must contain.

    Maximum Password Age (days): Enter the maximum number of days that may elapse before the end user is required to change the Password.

    Minimum Password Age (days): Enter the minimum number of days that must elapse before the end user is required to change the Password.

    Device Lock Timeout (in Minutes): Enter the number of minutes before the device automatically locks and requires a passcode re-entry.

    Maximum Number of Failed Attempts: Enter the maximum number of attempts the end user may enter before the device is restarted.

    Password History (occurrences): Enter the number of occurrences a password is remembered.

      The end user cannot reuse a password that falls within the number of recorded occurrences.

      For example, if you set the history to 12, an end user cannot reuse the past 12 passwords.

    Reversible Encryption for Password Storage: Enable to set the operating system to store passwords using reversible encryption.

      Storing passwords using reversible encryption is essentially the same as storing plain text versions of the passwords.

      For this reason, do not enable this policy unless application requirements outweigh the need to protect password information.

    Use Protection Agent for Windows 10 Devices: Enable to use the AirWatch Protection Agent to enforce Password profile settings instead of the native DM functionality. Enable this setting if you have issues using the native DM functionality.

    Windows 8.0 Password Policy: Enable to use the legacy Windows 8.0 Password Policy.

      See Windows 8.0 Password Policy.

    Expire Password: Enable to expire the existing password on the device and require a new password to be created.

      Requires AirWatch Protection Agent to be installed on the device.

  7. Select Save & Publish when you are finished to push the profile to your devices.
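
To confirm on a device that the effective policy is at least as strict as the profile, and that reversible encryption is off, the following added example (not part of the original documentation or the product) audits the text of a `secedit /export` dump. It assumes the effective policy is visible in the `[System Access]` section of that export; the sample export and the profile values are constructed.

```python
# Added example: audit an exported local security policy against the profile.
# Export on the device with: secedit /export /cfg policy.inf (UTF-16 file).

# "min": higher is stricter. "max": lower is stricter, and a value <= 0
# means the password never expires, which is the weakest setting.
RULES = {"MinimumPasswordLength": "min", "PasswordHistorySize": "min",
         "PasswordComplexity": "min", "MaximumPasswordAge": "max"}

def parse_system_access(inf_text):
    """Return the integer settings of the [System Access] section."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, _, val = line.partition("=")
            if val.strip().lstrip("-").isdigit():  # skip string entries
                values[key.strip()] = int(val)
    return values

def strictness(key, value):
    """Map a value to a number where larger always means stricter."""
    if RULES[key] == "max":
        return float("-inf") if value <= 0 else -value
    return value

def audit(inf_text, profile):
    """List settings where the device is weaker than the profile."""
    effective, findings = parse_system_access(inf_text), []
    for key, wanted in profile.items():
        have = effective.get(key)
        if have is None or strictness(key, have) < strictness(key, wanted):
            findings.append(f"{key}: effective {have} is weaker than profile {wanted}")
    if effective.get("ClearTextPassword", 0) != 0:
        findings.append("ClearTextPassword: reversible encryption is enabled")
    return findings

# Constructed sample export and hypothetical profile values.
SAMPLE_EXPORT = """[System Access]
MaximumPasswordAge = -1
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 5
ClearTextPassword = 1
NewAdministratorName = "Administrator"
"""
PROFILE = {"MinimumPasswordLength": 8, "PasswordHistorySize": 12,
           "PasswordComplexity": 1, "MaximumPasswordAge": 90}
```

Calling `audit(SAMPLE_EXPORT, PROFILE)` reports the short history, the non-expiring password and the reversible-encryption flag, while the existing 14-character minimum passes because it is stricter than the profile's 8.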

Windows 8.0 Password Policy

If you enable the Windows 8.0 Password Policy, configure the following settings.

Note:

Consider upgrading your Windows Desktop devices to Windows 8.1. It is a free upgrade that allows for more MDM capabilities.

Setting: Description

Allow Simple Value: Enable to allow end users to use simple passcodes.

  Disable to force passcodes to meet complexity settings.

Require Alpha Numeric Value: Enable to require the end user to create a passcode using minimum length and minimum number of complex characters.

Minimum Number of Complex Characters: Enter the minimum number of complex characters (lowercase, uppercase, symbols, and numbers) required for a passcode.

Minimum Password Length: Enter the minimum number of characters a passcode must contain.

Maximum Passcode Age (days): Enter the number of days that may elapse before the end user is required to change the passcode.

Maximum Number of Failed Attempts: Enter the maximum number of attempts the end user may enter before the device is restarted.

Device Lock Timeout (in Minutes): Enter the number of minutes before the device automatically locks and requires a passcode re-entry.

Passcode History: Enter the number of occurrences a password is remembered.

  The end user cannot reuse a password that falls within the number of recorded occurrences. For example, if you set the history to 12, an end user cannot reuse the past 12 passwords.