Minimum Password Length auditing and enforcement on certain versions of Windows

Applies to: Windows 10, version 1607; Windows Server 2016; Windows 10, version 1809, all editions

Summary


The Windows 10 updates released on August 18, 2020 add support for the following:

  • Audit events that identify whether applications and services support passwords of 15 characters or longer.
  • Enforcement of a minimum password length of 15 characters or more on Windows Server, version 2004 domain controllers (DCs).

Supported versions of Windows


Auditing of password lengths is supported on the following versions of Windows. Enforcement of minimum password lengths of 15 characters or more is supported in Windows Server, version 2004, and in later versions of Windows.

Windows version                                                             | KB                               | Support
----------------------------------------------------------------------------|----------------------------------|----------------------
Windows 10, version 2004; Windows Server, version 2004                      | Included in the released version | Enforcement, Auditing
Windows 10, version 1909; Windows Server, version 1909                      | KB4566116                        | Auditing
Windows 10, version 1903; Windows Server, version 1903                      | KB4566116                        | Auditing
Windows 10, version 1809; Windows Server, version 1809; Windows Server 2019 | KB4571748                        | Auditing
Windows 10, version 1607; Windows Server 2016                               | Available in September 2020      | Auditing


Suggested deployment

 

Auditing: If you only want to audit password usage below a minimum length, deploy as follows.

  • Domain controllers: Deploy the updates to all supported DCs where auditing is desired.
  • Administrative workstations: Deploy the updates to supported administrative workstations so that the new Group Policy settings are available. Use these workstations to deploy the updated Group Policies.

Enforcement: If you want to enforce a minimum password length greater than 14, deploy as follows.

  • Domain controllers: All DCs must be Windows Server, version 2004 or a later version. No additional updates are needed.
  • Administrative workstations: Use Windows 10, version 2004. The new Group Policy settings for enforcement are included in this version. Use these workstations to deploy the updated Group Policies.

Deployment guidelines


To add support for Minimum Password Length auditing and enforcement, follow these steps:

  1. Deploy the update on all supported Windows versions on all domain controllers and on administrative workstations.
    1. Domain controllers: The updates, and later updates, enable all DCs to authenticate user or service accounts that are configured to use passwords longer than 14 characters.
    2. Administrative workstations: Deploy the updates to administrative workstations so that the new Group Policy settings can be applied to DCs.
  2. Enable the MinimumPasswordLengthAudit Group Policy setting on the domain or forest where longer passwords are to be required. This policy setting should be enabled in the Default Domain Controllers Policy linked to the Domain Controllers organizational unit (OU).
  3. We recommend leaving the auditing policy enabled for three to six months to detect all software that does not support passwords longer than 14 characters.
  4. Monitor the domains for Directory-Services-SAM 16978 events logged against software that manages passwords for three to six months. Events logged against ordinary user accounts do not have to be monitored. For each piece of software that is identified:
    1. If possible, configure the software to use a longer password length.
    2. Work with the software vendor to update the software to use longer passwords.
    3. Deploy a fine-grained password policy for the account, using a minimum length that matches the password length the software actually uses.
    4. For software that manages account passwords but neither uses long passwords automatically nor can be configured to do so, a fine-grained password policy for those accounts is the remaining option.
  5. After all Directory-Services-SAM 16978 events are addressed, enable the longer minimum password length. To do this, follow these steps:
    1. Deploy a version of Windows Server that supports enforcement on all DCs (including read-only DCs).
    2. Enable the RelaxMinimumPasswordLengthLimits Group Policy setting on all DCs.
    3. Configure the MinimumPasswordLength Group Policy setting on all DCs.
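The monitoring and remediation loop in steps 4 and 5 can be scripted. The following PowerShell is an added example and is not part of the Microsoft article: it parses Directory-Services-SAM 16978 events into objects, summarizes them per account so that software-managed accounts can be separated from ordinary users, and creates a fine-grained password policy for an account whose software cannot be changed. It assumes the ETW provider is named Microsoft-Windows-Directory-Services-SAM (the short name shown in Event Viewer is Directory-Services-SAM), that the event message carries the AccountName, MinimumPasswordLength and MinimumPasswordLengthAudit lines shown later in this article, and that the ActiveDirectory module is available for the fine-grained policy step. The sample messages, account names and DC name are constructed.

```powershell
# Added example (not from the Microsoft article). Summarizes Directory-Services-SAM
# 16978 audit events and exempts an account that cannot use a longer password.
# Assumptions: the ETW provider is 'Microsoft-Windows-Directory-Services-SAM' and the
# message text carries 'AccountName:', 'MinimumPasswordLength:' and
# 'MinimumPasswordLengthAudit:' lines, as in the event text quoted in the article.

function ConvertFrom-MinPasswordLengthAuditEvent {
    # Parse one 16978 message into a flat object; returns nothing for other messages.
    param(
        [Parameter(Mandatory)][string]$Message,
        [string]$DomainController = $env:COMPUTERNAME,
        [datetime]$TimeCreated = (Get-Date)
    )
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(AccountName|MinimumPasswordLength|MinimumPasswordLengthAudit):\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    if (-not $fields.ContainsKey('AccountName')) { return }
    [pscustomobject]@{
        TimeCreated                = $TimeCreated
        DomainController           = $DomainController
        AccountName                = $fields['AccountName']
        MinimumPasswordLength      = [int]$fields['MinimumPasswordLength']
        MinimumPasswordLengthAudit = [int]$fields['MinimumPasswordLengthAudit']
    }
}

function Get-MinPasswordLengthAuditEvent {
    # Pull 16978 events from the System log of each DC (needs remote event log access).
    param(
        [string[]]$DomainController = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddMonths(-6)   # the article suggests a 3-6 month window
    )
    foreach ($dc in $DomainController) {
        $filter = @{ LogName = 'System'; Id = 16978; StartTime = $Since
                     ProviderName = 'Microsoft-Windows-Directory-Services-SAM' }   # assumed provider name
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-MinPasswordLengthAuditEvent -Message $_.Message -DomainController $dc -TimeCreated $_.TimeCreated }
    }
}

function Get-MinPasswordLengthAuditReport {
    # One row per account: how often, when and on which DCs it still set a too-short password.
    # Computer accounts (trailing '$') rotate their own passwords and are flagged separately;
    # the remaining rows need a person to decide between interactive user and software-managed account.
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Event)
    begin { $all = @() }
    process { $all += $Event }
    end {
        $all | Group-Object AccountName | ForEach-Object {
            $ordered = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                AccountName = $_.Name
                Kind        = if ($_.Name -like '*$') { 'Computer' } else { 'UserOrService' }
                Events      = $_.Count
                FirstSeen   = $ordered[0].TimeCreated
                LastSeen    = $ordered[-1].TimeCreated
                DCs         = ($_.Group.DomainController | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Events -Descending
    }
}

function New-LegacyPasswordLengthExemption {
    # Steps 4.3 and 4.4: a fine-grained policy pinning an account to the length its software can use.
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][ValidateRange(1, 14)][int]$MinPasswordLength,
        [int]$Precedence = 50
    )
    Import-Module ActiveDirectory
    $name = "LegacyMinLength-$AccountName"   # naming convention is this example's, not the article's
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$name'")) {
        New-ADFineGrainedPasswordPolicy -Name $name -Precedence $Precedence -MinPasswordLength $MinPasswordLength -ComplexityEnabled $true
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $name -Subjects $AccountName
}

# Constructed sample messages (not real log data) so the report can be exercised offline.
$header = "The following account is configured to use a password whose length is shorter than the current MinimumPasswordLengthAudit setting.`r`n`r`n"
$sample = @(
    ($header + "AccountName: svc-backup`r`nMinimumPasswordLength: 7`r`nMinimumPasswordLengthAudit: 15"),
    ($header + "AccountName: svc-backup`r`nMinimumPasswordLength: 7`r`nMinimumPasswordLengthAudit: 15"),
    ($header + "AccountName: jsmith`r`nMinimumPasswordLength: 7`r`nMinimumPasswordLengthAudit: 15"),
    ($header + "AccountName: APPSRV01$`r`nMinimumPasswordLength: 7`r`nMinimumPasswordLengthAudit: 15")
)
$sample | ForEach-Object { ConvertFrom-MinPasswordLengthAuditEvent -Message $_ -DomainController 'DC01' } |
    Get-MinPasswordLengthAuditReport | Format-Table -AutoSize

# Against live DCs (requires the ActiveDirectory module and remote event log rights):
# Get-MinPasswordLengthAuditEvent -DomainController (Get-ADDomainController -Filter *).HostName | Get-MinPasswordLengthAuditReport
# New-LegacyPasswordLengthExemption -AccountName 'svc-backup' -MinPasswordLength 14
```

The offline run prints svc-backup twice-seen at the top, jsmith (an ordinary user, which the article says you need not chase) and the APPSRV01$ computer account flagged as Kind=Computer. Run the live query against every DC, not just the PDC emulator, because 16978 is logged on whichever DC processed the password change.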

 

Group Policy


Policy path: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password length audit

Setting name: MinimumPasswordLengthAudit

Supported on:

  • Windows 10, version 1607
  • Windows Server 2016
  • Windows 10, version 1809
  • Windows Server, version 1809
  • Windows 10, version 1903
  • Windows Server, version 1903
  • Windows 10, version 1909
  • Windows Server, version 1909
  • Windows 10, version 2004
  • Windows Server, version 2004
  • and later versions

A restart is not required

Minimum password length audit

This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 128.

You should only enable and configure this setting when you try to determine the potential effect of increasing the minimum password length setting in your environment.

If this setting is not defined, audit events will not be issued.

If this setting is defined and is less than or equal to the minimum password length setting, audit events will not be issued.

If this setting is defined and is greater than the minimum password length setting, and the length of a new account password is less than this setting, an audit event will be issued.

 

Policy path: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy > Relax minimum password length limits

Setting name: RelaxMinimumPasswordLengthLimits

Supported on:

  • Windows 10, version 2004
  • Windows Server, version 2004
  • and later versions

A restart is not required

Relax minimum password length limits

This setting controls whether the Minimum password length setting can be increased beyond the legacy limit of 14.

If this setting is not defined, minimum password length may be configured to no more than 14.

If this setting is defined and disabled, minimum password length may be configured to no more than 14.

If this setting is defined and enabled, minimum password length may be configured to more than 14 (up to 128).

For more information, see https://go.microsoft.com/fwlink/?LinkId=2097191.

 

Policy path: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password length

Setting name: MinimumPasswordLength

Supported on:

  • Windows 10, version 2004
  • Windows Server, version 2004
  • and later versions

A restart is not required

Minimum password length

This security setting determines the least number of characters that a password for a user account may contain.

The maximum value for this setting depends on the value of the Relax minimum password length limits setting.

If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14.

If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14.

If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128.

Setting the required number of characters to 0 means that no password is required.

Note: By default, member computers follow the configuration of their domain controllers.

Default values:

  • 7 on domain controllers
  • 0 on stand-alone servers

Configuring this setting larger than 14 may affect compatibility with clients, services, and applications. We recommend that you configure this setting larger than 14 only after you have used the Minimum password length audit setting to test for potential incompatibilities at the new value.
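The three settings interact: a MinimumPasswordLength above 14 only takes effect when RelaxMinimumPasswordLengthLimits is enabled (otherwise the DC enforces 14 and logs event 16979), and MinimumPasswordLengthAudit only produces events when it is greater than the enforced minimum. The following PowerShell is an added example, not from the article, that checks a security template for those two conditions before the policy is linked. It assumes the settings appear under [System Access] in the GptTmpl.inf / secedit export format with the value names used in this article; the two templates, a weak one and a corrected one, are constructed rather than exported from a real domain.

```powershell
# Added example (not from the Microsoft article): check the password-length settings of a
# security template for the inconsistency that produces event 16979 and for an audit
# threshold that would never fire. Assumes the settings live under [System Access] in the
# GptTmpl.inf / 'secedit /export' format with the value names used in the article.

function Get-SystemAccessSettings {
    # Return the [System Access] section of a template as a name -> value hashtable.
    param([Parameter(Mandatory)][string]$TemplateText)
    $settings = @{}
    $inSection = $false
    foreach ($line in ($TemplateText -split "`r?`n")) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*([A-Za-z]+)\s*=\s*(\S+)') { $settings[$Matches[1]] = $Matches[2] }
    }
    $settings
}

function Test-MinPasswordLengthPolicy {
    # Apply the rules from the setting descriptions above and report the effective result.
    param([Parameter(Mandatory)][hashtable]$Settings)
    $min   = if ($Settings.ContainsKey('MinimumPasswordLength')) { [int]$Settings['MinimumPasswordLength'] } else { 7 }   # DC default
    $relax = $Settings.ContainsKey('RelaxMinimumPasswordLengthLimits') -and [int]$Settings['RelaxMinimumPasswordLengthLimits'] -eq 1
    $audit = if ($Settings.ContainsKey('MinimumPasswordLengthAudit')) { [int]$Settings['MinimumPasswordLengthAudit'] } else { $null }

    $findings  = @()
    $effective = $min
    if ($min -lt 0 -or $min -gt 128) { $findings += "MinimumPasswordLength=$min is outside the 0-128 range" }
    if ($min -eq 0) { $findings += "MinimumPasswordLength=0 means no password is required" }
    if ($min -gt 14 -and -not $relax) {
        $effective = 14   # what DCs enforce until corrected; they also log event 16979
        $findings += "MinimumPasswordLength=$min exceeds 14 but RelaxMinimumPasswordLengthLimits is not enabled; DCs enforce 14 and log event 16979"
    }
    if ($null -ne $audit -and $audit -le $effective) {
        $findings += "MinimumPasswordLengthAudit=$audit is not greater than the enforced minimum ($effective); no 16978 events will be issued"
    }
    [pscustomobject]@{
        ConfiguredMinimum = $min
        EffectiveMinimum  = $effective
        RelaxEnabled      = $relax
        AuditThreshold    = $audit
        Findings          = $findings
    }
}

# Constructed templates (not exported from a real domain).
$weak = @"
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MinimumPasswordLength = 20
MinimumPasswordLengthAudit = 14
PasswordComplexity = 1
"@
$fixed = @"
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MinimumPasswordLength = 20
RelaxMinimumPasswordLengthLimits = 1
MinimumPasswordLengthAudit = 24
PasswordComplexity = 1
"@

foreach ($t in ([ordered]@{ weak = $weak; fixed = $fixed }).GetEnumerator()) {
    "== $($t.Key) template =="
    Test-MinPasswordLengthPolicy -Settings (Get-SystemAccessSettings -TemplateText $t.Value) | Format-List
}

# Against the effective local policy (run elevated):
# secedit /export /cfg "$env:TEMP\secpol.inf" | Out-Null
# Test-MinPasswordLengthPolicy -Settings (Get-SystemAccessSettings -TemplateText (Get-Content "$env:TEMP\secpol.inf" -Raw))
```

For the weak template the check reports an effective minimum of 14 with two findings (the missing relax setting, and an audit threshold of 14 that cannot exceed the enforced 14), which is the state that produces 16979 and no 16978 events at all. The corrected template yields an enforced 20 with auditing at 24, so the audit log shows which software could not cope with a further increase before that increase is made.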

Windows event log messages


Three new Event ID log messages are included as part of this added support.

Event ID 16977

Event ID 16977 is logged when the MinimumPasswordLength, RelaxMinimumPasswordLengthLimits, or MinimumPasswordLengthAudit policy setting is initially configured or modified in Group Policy. This event is logged only on DCs. The RelaxMinimumPasswordLengthLimits value is logged only on Windows Server, version 2004 and later DCs.

Event log: System
Event source: Directory-Services-SAM
Event ID: 16977
Level: Information
Event message text:

The domain is configured by using the following minimum password length-related settings.

MinimumPasswordLength:
RelaxMinimumPasswordLengthLimits:
MinimumPasswordLengthAudit:

For more information, see https://go.microsoft.com/fwlink/?LinkId=2097191.

 

Event ID 16978

Event ID 16978 is logged when an account password is changed and the new password is shorter than the current MinimumPasswordLengthAudit setting.

Event log: System
Event source: Directory-Services-SAM
Event ID: 16978
Level: Information
Event message text:

The following account is configured to use a password whose length is shorter than the current MinimumPasswordLengthAudit setting.

AccountName:
MinimumPasswordLength:
MinimumPasswordLengthAudit:

For more information, see https://go.microsoft.com/fwlink/?LinkId=2097191.

 

Event ID 16979 (enforcement-capable DCs)

On Windows Server, version 2004 and later DCs, Event ID 16979 is logged when the password length Group Policy settings are inconsistent: MinimumPasswordLength is configured greater than 14 while RelaxMinimumPasswordLengthLimits is undefined or disabled. This event is logged only on DCs; the RelaxMinimumPasswordLengthLimits value is only evaluated on Windows Server, version 2004 and later DCs.

Event log: System
Event source: Directory-Services-SAM
Event ID: 16979
Level: Error
Event message text:

The domain is incorrectly configured with a MinimumPasswordLength setting that is greater than 14 while RelaxMinimumPasswordLengthLimits is either undefined or disabled.

Note Until this is corrected, the domain will enforce a smaller MinimumPasswordLength setting of 14.
Currently configured MinimumPasswordLength value:

For more information, see https://go.microsoft.com/fwlink/?LinkId=2097191.


Event ID 16979 (auditing-only DCs)

On DCs that have the auditing update but do not support enforcement, Event ID 16979 is logged when MinimumPasswordLength is configured greater than 14. This event is logged only on DCs; it is the one event added for the auditing-only versions.

Event log: System
Event source: Directory-Services-SAM
Event ID: 16979
Level: Error
Event message text:

The domain is incorrectly configured with a MinimumPasswordLength setting that is greater than 14.

Note Until this is corrected, the domain will enforce a smaller MinimumPasswordLength setting of 14.

Currently configured MinimumPasswordLength value:

For more information, see https://go.microsoft.com/fwlink/?LinkId=2097191.

Guidance for software password change


Use the maximum password length when setting a password in software.

History


Although the overall Microsoft security strategy is firmly focused on a password-less future, many customers cannot migrate away from passwords in the short to medium term. Some security-conscious customers want to be able to configure a default domain minimum password length setting that is greater than 14 characters (for example, after educating their users to use longer passphrases instead of the traditional short, single-token passwords). In support of this request, the April 2018 Windows updates for Windows Server 2016 enabled a Group Policy change that raised the upper limit of the minimum password length setting from 14 to 20 characters. Although this change appeared to support longer passwords, it was insufficient: the new value was rejected when the Group Policy was applied. These rejections were silent and required detailed testing to determine that the system was not honoring longer passwords. A follow-up update to the Security Account Manager (SAM) layer was included for both Windows Server 2016 and Windows Server 2019 in order to enable the system to work correctly end-to-end with a minimum password length greater than 14 characters.

The MinimumPasswordLength policy setting has had an allowable range from 0 to 14 for a very long time (many decades) on all Microsoft platforms. This setting applies to both local Windows security settings and Active Directory (and NT4 domains before that). A value of zero (0) implies that no password is required for any account.

In earlier versions of Windows, the Group Policy UI did not allow a minimum required password length longer than 14 characters. In April 2018, we released Windows 10 updates that added support for values greater than 14 characters in the Group Policy UI, as part of updates such as:

  • KB 4093120: April 17, 2018—KB4093120 (OS Build 14393.2214)

This update included the following release note text:

"Increases the minimum password length in Group Policy to 20 characters."

Some customers who installed the April 2018 releases, and superseding updates, found that they still could not use passwords longer than 14 characters. Investigation identified that additional updates needed to be installed on DC role computers servicing the longer passwords defined in the password policy. The following updates enabled Windows Server 2016, Windows 10, version 1607, and the initial release of Windows 10 domain controllers to service logons and authentication requests with passwords longer than 14 characters:

  • KB 4467684: November 27, 2018—KB4467684 (OS Build 14393.2639)

This update included the following release note text:

"​Addresses an issue that prevents domain controllers from applying the Group Policy password policy when the minimum password length is configured to be greater than 14-characters."

  • KB 4471327: December 11, 2018—KB4471321 (OS Build 14393.2665)

Some customers defined passwords longer than 14 characters in policy after installing the April 2018 through October 2018 updates. That policy value essentially remained dormant until the November and December 2018 updates (or a natively capable OS) enabled the domain controllers to service it, which removed the time and causation link between enabling the feature and the policy taking effect. Whether or not you installed the Group Policy and domain controller updates at the same time, you might see the following side effects:

  • Exposed issues with applications that are currently incompatible with greater than 14-character passwords.
  • Exposed issues in domains that consist of a mix of DCs that support passwords longer than 14 characters (the release version of Windows Server 2019, or updated Windows Server 2016) and pre-Windows Server 2016 DCs that do not support them (until backports exist and are installed for Windows Server 2016).
  • After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

    The guidance for this known issue was to set the domain default "Minimum Password Length" policy to less than or equal to 14 characters. We are working on a resolution and will provide an update in an upcoming release.

Because of these issues, the DC-side support for passwords longer than 14 characters was removed in the January 2019 updates, so that the feature could not be used.