Prevent Dial-up Passwords from Being Saved Using Intune HTML Blog

Key Points:

• Prevent users from saving dial-up connection passwords locally
• Helps Enforce restrictions across managed Windows devices
• Users must re-enter credentials each time they connect
• strengthens security but may slightly reduce comfort

Let’s discuss Preventing Saved Dial-up Passwords using Intune. The policy specifically targets LSA (Local Security Authority) and determine whether the Windows “Save Password” check box is available for certain dial-up and VPN connections.

List of contents

Prevent Dial-up Passwords from being Saved using Intune

Dial-up Passwords from being Stored is important for hardening the Windows operating system against credential theft. The core objective of this policy is to eliminates local cache of network credentials used for Dial-up and Virtual Private Network (VPN) connections.

Without this policy, if a user selects “Save Password,” credentials are encrypted and stored on the hard drive. If the device is lost or stolen, unauthorized persons could do so potentially boot laptop, click “Connect” on the saved one VPN Profileand get a direct tunnel into your corporate network without knowing the password.

Example Scenario

Imagine a salesperson working from the community Wi-Fi network at the airport. They use a Windows VPN (which uses dial-up logic) to access the company CRM. Enabling this policy will prevent the “Connect” button from working without a manual password entry, effectively stopping thieves at the perimeter.

How to Start Policy Making

As an Admin, you can quickly configure this policy in your organization. To start Policy Creation, go to Microsoft Intune Admin CenterR. Then go to Device > Configuration >+ Create > +New Policy.

Profile Creation

Profile creation is an important step that helps you assign policies to appropriate platforms and Profiles. Here I want to configure the policy to be Windows 10 and laterr platforms and settings catalogue profile. Then click on Make knob.

Filling in the Basic Tab

The name of the policy is main step which helps admin to identify policies later. This is an important and necessary step that allows you to know the purpose of the policy. This is his name must and description is optional. After adding this click on Next knob.

Configure Dial-up Password

With Settings Picker, you can use the Configuration Settings Tab. In this tab, you can click +Add Settings hyperlink to get the Settings Selector. The settings selector shows a large number of settings. Here, I want to select settings by browsing by Category. I choose System. Then, I choose Administrative Templates > MSS (Legacy) > MSS: (DisableSavePassword) Prevent dial-up passwords from being saved (recommended) setting.

Disable Dial-up Password

When this policy With disabilitiesWindows does not remove the user’s ability to check “Save Password” box in the connection dialog. This is default value of this policy.

Enable Dial-up Password

When this policy EnabledWindows removes the user’s ability to check “Save Password” in the connection dialog box. This forces users to enter their credentials manually every time they initiate a connection.

With scope tagYou create limitations on visibility Dial-up Password. This helps organize resources too. Here I want to skip this part because it is not mandatory. Click on Next knob.

Tasks Tab for Selecting Groups

To assign policies to specific groups, you can use Tasks Tab. Here I click, +Add group option under Included groups. I select a group from the group list and click Choose knob. Again, I click on Choose button to continue.

Review + Create Tab

Before completing policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click Make Knob. After creating the policy, you will get a success message.

Monitoring Status

That Monitoring Status the page shows whether the policy was successful or not. To quickly configure policies and take advantage of them, sync the assigned devices in the Enterprise Portal. Open the Intune Portal. Go to Devices > Configuration > Search Policies. Here, the policy is shown as succeed.

Event Viewer Details

Event Viewer helps you check client-side and verify policy status. Go to the Client device and open the Event Viewer. Go to Start > Event Viewer. Navigate to Logs: In the left pane, open Application and Service Logs > Microsoft > Windows > Enterprise-Device Management-Diagnostics Provider > Admin.

Event Viewer Details
MDM Policy Manager: Set policy string, Policy: (Pol_MSS_DisableSave Password), Area: (ADMX_MSS-legacy), EnrollmentID requested merge: (EB427D85-802F-46D9-A3E2- D5B414587F63), Current User: (Device), String: (), Registration Type: (0x6), Scope: (0x0).

Delete an Assigned Group from Dial-up Password Settings

If you want to delete Assigned group from policy, can be from the Intune Portal. To do this, go to Policies in the Intune Portal and edit Tasks tab and Delete Policy.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Unassign Apps from Intune using Step by Step Guide.

How to Remove Dial-up Password

You can easily delete Policies from Intun Portal. From Configuration section, you can delete the policy. This will remove it completely from the client device.

For more information, you can refer to our previous post – How to Remove Allow Clipboard History Policy in Intune Step by Step Guide.

Windows CSP details

This policy applies to Windows 102004 version with KB5005101 [10.0.19041.1202] and later, Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later, Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and then, window 11, version 21H2 [10.0.22000] and then.

Need More Help or Have a Technical Question?

JoinLinkedIn Page AndTelegram Groupto get step by step guides and news updates. Join usMeeting Pageto participate in User group meetings. Also, JoinWhatsApp Communityto get the latest news about Microsoft Technologies. We were thereredditas well.

Author

Anoop C Nairhas been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solutions Architect with over 22+ years of experience in the Workplace technology space. He is a leader of the Community of Bloggers, Speakers, and Local User Groups. The main focus is on Device Management technologies such as SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.