The Secureframe Agent password policy check verifies that devices enforce a minimum 8-character password with complexity requirements. Results update after the agent syncs with Secureframe, typically within a few hours of changing your settings.
Use the steps below to enable password policy requirements on Windows, Mac, or Linux.
Windows
The following requirements must be enforced to pass this check:
Minimum password length: 8 characters
Password must meet complexity requirements: Enabled
"gpedit.msc" or "secpol.msc" must be installed in order to set a password policy
These come installed on Windows 10/11 Pro
If you are on Windows 10/11 Home, this is how to download and install "gpedit.msc":
Right-click it and select "Run as Administrator"
Wait up to 10 minutes for the script to download and install "gpedit.msc"
Follow the instructions for "Group Policy method"
The requirements can be set via Group Policy or Local Security Policy.
Open the Run program and enter "gpedit.msc"
Go to "Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy"
Set "Minimum password length" to 8
Set "Password must meet complexity requirements" to "Enabled"
Open the Run program and enter "secpol.msc"
Go to Security Settings -> Account Policies -> Password Policy
Set "Minimum password length" to 8
Set "Password must meet complexity requirements" to "Enabled"
If not all your Windows devices come with these programs or it would be too time-consuming to edit these settings on each device, we recommend instead using an MDM to enforce these settings. See Supported MDMs and Their Endpoint Security Capabilities.
Mac
You will need to create a device profile with requireAlphanumeric set to true and minLength >= 8.
An MDM such as Kolide or Jamf Pro can also create and enforce a password & screen lock policy.
If not using an MDM, you can install this profile we've created for everyone to use, or you can use the resources below to create your own device profile.
This profile will also enforce the required screen lock settings.
To install, open the downloaded file and System Settings will automatically open to Device Management, where you can review and install the profile. Note that on macOS 15, profiles are now managed under Device Management.
Profile resources:
Linux
The Password Policy check will not pass until you have both updated the password requirements and changed your password to comply with these requirements. These instructions were taken in part from this article.
The Password Policy check requires:
Minimum password length of at least eight characters.
The classes of characters are digits, upper letters, lower letters, and special characters.
Minimum class of at least three for each password, meaning that multiple classes must be represented in the password.
Install the augeas-lenses library and PAM module by running the following commands in your terminal:
sudo apt install augeas-lenses
sudo apt install libpam-pwquality
Some Linux distributions may already have these libraries installed. See here for more technical information about the PAM module.
Open the
/etc/pam.d/common-passwordfile.Find the line that includes
pam_pwquality.so.Add
minlen=8 minclass=3to the end of that line. An example would look something like this:
password requisite pam_pwquality.so retry=3 minlen=8 minclass=3
If your Linux device is not checking in after restarting, please refer to this article.
Verify it worked
After applying the settings above, confirm the policy is in place on your device before waiting for the Secureframe Agent to sync.
Windows
Open the Run program and enter
secpol.msc.Go to Security Settings > Account Policies > Password Policy.
Confirm Minimum password length is 8 and Password must meet complexity requirements is Enabled.
Alternatively, open Command Prompt and run gpresult /r. Review the Computer Settings section for the password policy values applied to your device.
Mac
Open System Settings > Privacy & Security > Device Management (on older macOS versions, this may appear as Profiles).
Confirm the Secureframe password and screen lock profile is listed and shows as installed.
If you created your own profile, confirm it includes
requireAlphanumericset totrueandminLengthof at least 8.
Linux
Open
/etc/pam.d/common-passwordand confirm thepam_pwquality.soline includesminlen=8 minclass=3.Run
passwdand set a new password that meets the requirements (at least 8 characters with three character classes).The check will not pass until both the PAM configuration is updated and your password has been changed to comply.
Still failing?
If your device settings look correct but the password policy check still does not pass after the agent syncs, try the steps below.
Outdated Secureframe Agent package
Devices enrolled with an outdated Secureframe Agent package may not report password policy data correctly and may never pass this check, even after settings are updated.
Important: You must fully uninstall the existing Secureframe Agent before installing a new package. Installing over an old version can prevent the check from updating.
Uninstall the Secureframe Agent from your device. See Unenrolling & Uninstall Secureframe Agent for OS-specific steps.
Log into Secureframe and download a fresh agent package from the Employee Onboarding page.
Install the new package and wait for the device to sync in Asset Inventory.
If the check still fails, contact [email protected] with your device name and operating system.
Windows Home limitations
Windows 10/11 Home does not include Group Policy Editor or Local Security Policy by default. The batch script workaround installs these tools but may fail on some devices (see Troubleshooting below).
If you cannot enable password policy on Windows Home, consider:
Upgrading to Windows Pro, if licensing allows.
Using an MDM to enforce password policy across your fleet. See Supported MDMs and Their Endpoint Security Capabilities for options that support password enforcement.
Uploading manual evidence for the password policy test if the agent cannot verify settings on that device.
Troubleshooting
Error 0x8007371b / DISM Error 14107 During Password Policy Installation
Sometimes, when attempting to enable password complexity and length policies—especially on Windows Home edition using the InstallGroupPolicyEditor.bat script—the following DISM error may appear: Error: 14107 0x8007371b – One or more required members of the transaction are not present.
Possible Causes & Fixes:
Antivirus interference (e.g., AVG) may block Secureframe scripts.
Fix: Temporarily disable antivirus, rerun the policy installation, then re-enable.Windows Home limitations — lacks native Group Policy tools.
Fix: Confirm your version and edition.Option 1: Press
Windows + R, runwinver.Option 2: Go to Settings > System > About and check the Windows specifications section.
Corrupted system files or update components.
Fix (Run in elevated Command Prompt):sfc /scannow DISM /Online /Cleanup-Image /RestoreHealthThen restart and retry installation.
Pending or failed Windows updates.
Fix: Ensure your device is fully updated via Settings > Windows Update.Log collection for support escalation.
DISM log:
C:\Windows\Logs\DISM\dism.logSecureframe Agent logs: Share with the support team if issue persists.
If the problem continues, please open a support request with logs and system details.