Minimum Password Length Audit for Windows Server 2022

Hello BigFix Community,

I am looking for guidance on auditing the minimum password length audit policy for Windows Server 2022 using BigFix. Specifically, I want to know:

  1. Is there an inspector or property available in BigFix that can query this setting?

Sure, we have that.

q: minimum password length of security database
A: 8
T: 1.606 ms
I: singular integer

q: exists minimum password lengths whose (it >= 8) of security databases
A: True
T: 1.363 ms
I: singular boolean

Hope this helps, let us know if you need some more help with it.

edit: Ooops, now I see that it’s something else entirely. I’ll have to look into that. I’ll need to build a new VM to check it out.

1 Like

After a bit of sleuthing, I find this is exposed in the Registry, but because it is in HKLM\SAM, it can only be read by LocalSystem. So this works in a Fixlet/Analysis; but in the Fixlet Debugger, it must be configured to Evaluate → Evaluate Using → Local Client

Q: values "MinimumPasswordLengthAudit" of keys "HKLM\System\CurrentControlSet\Control\SAM" of native registry as integer
A: 14

Q: exists values "MinimumPasswordLengthAudit" whose (it as integer >= 14) of keys "HKLM\System\CurrentControlSet\Control\SAM" of native registry
A: True
2 Likes