We are updating this page to reflect current guidance. The previous article "Why We’re Not Recommending “FIPS Mode” Anymore" that was referenced here is out of date and misleading to customers. That article has since been archived. This proposed update will direct customers to the updated https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation page for more information about FIPS mode.
Description:
As requested by Program Manager Robert Durff (MSRobertD) in issue
ticket #6856 (Bug: Password length value range is inaccurate.), the
upper value for the supported values for password length should be 20
instead of only 14, verified in preliminary field testing of the GPO
Password Policy, described on this page.
The actual upper limit may very well be higher, but 20 is a reasonable
value to be used for now, until someone documents the need for higher
accuracy in the documentation of this value for the GPO Password Policy.
Changes proposed:
- Replace 14 with 20 in both occurrences of 14 as the upper value
- Convert Note text in line 83 to a Markdown Note blob (MS codestyle)
- Whitespace adjustments:
  - Normalize bullet point list spacing to 1 (codestyle) (3 lines)
  - Remove redundant end-of-line spacing (8 lines)
Ticket closure or reference:
Closes #6856
The description of the value at zero is incorrect.
I verified in the source of Winlogon that you never get a reminder when the value is 0, only when the password expires the same day or when it has expired already.
Per multiple cases with AAD Auth support, the PKU2U policy has to be enabled on the client as well. Proposing to update the mentioned Note and add "and the client".
> [!NOTE]
> PKU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client.
It is "Accounts that have the **Log on as a batch job** user right" instead of "Accounts that have the **Deny log on as a batch job** user right". Otherwise, that does not make a lot of sense.
As per issue ticket #6441 (Supported windows versions are not valid),
this article incorrectly lists both deprecated and outdated OS
versions, both for Server and Client computers. The article itself
states that this policy was introduced in Windows 10, version 1703.
Thanks to yogeshasalkar for reporting this issue.
Changes proposed:
- Change the "Applies to" section to only Windows 10 and Server 2019
- Remove redundant end-of-line whitespace from 3 lines.
Ticket closure or reference:
Closes #6441