Don't Get Sneaked: Enforcing a Password Prompt on Wake-Up with Intune for Better Security

How to Implement Password Policies: Protect Windows Devices from Unauthorized Access

Hey everyone! Let’s talk about a simple security setting that makes a huge difference: forcing Windows to ask for a password every time a device wakes up from sleep.

If you manage corporate devices, this isn’t just a convenience—it’s a requirement for basic protection. We’re going to show you exactly how to roll out this security blanket across all your managed devices using Microsoft Intune.

The Security Hole You Need to Close

Think about how many times a laptop is left unattended—maybe you step away for coffee, a quick meeting, or just a bathroom break.

Before This Policy: The Risk

If the Password on Wake setting is disabled, the moment the screen turns on (from a keypress or mouse movement), the desktop is instantly accessible.

  • Who can access it? Anyone near the device: a colleague, a visitor, or someone in a public space.
  • The Damage: They can immediately see files, emails, and sensitive applications without entering a single password. This is a massive security risk and a data privacy nightmare.

After This Policy: The Protection

When you enable this policy, the device will always display the lock screen and require a password (or PIN/biometric authentication) to unlock it.

  • The Benefit: Unauthorized users are stopped cold. Even if you step away for just 30 seconds, your sensitive work is protected. This is simple, automatic security that strengthens your entire device fleet.

Advantages of Enabling “Password Prompt on Wake”

This simple setting delivers big security wins, especially in a corporate environment:

  • Stops Unauthorized Access: The device stays locked whenever it wakes up from sleep mode.
  • Protects Data: Sensitive files, applications, and customer data remain secure.
  • Easy, Automatic Security: No extra action is required from the end-user—it just works.
  • Compliance: Helps meet security requirements by ensuring consistent protection across all devices.

Intune Walkthrough: Deploying the Policy

We’ll use the Settings Catalog in the Intune Admin Center to configure this setting for Windows 10 and later.

1. Create the Policy Profile

  1. Open the Intune admin center.
  2. Navigate to Devices > Configuration > Policies > + Create > + New policy.
  3. Select the details for the profile creation:
    • Platform: Windows 10 and later
    • Profile Type: Settings Catalog

[Image: Implementing Password Policies: Protect Windows Devices from Unauthorized Access, Pic 1]

2. Basic Information

On the Basics tab:

  1. Give the policy a clear, mandatory Name, such as: Security - Require Password on Wake (On Battery)
  2. Add an optional Description (e.g., Enforces device lock when waking from sleep mode to enhance data security.).
  3. Click Next.

3. Add the Configuration Setting

  1. Go to the Configuration settings tab and click the + Add Settings hyperlink.
  2. In the Settings Picker, you need to navigate to the correct section:
    • Administrative Templates > System > Power Management > Sleep Settings
  3. Select the setting: Require a password when a computer wakes (on battery).
  4. Close the Settings Picker.

4. Enable the Policy

Once the setting is on the configuration page, you must Enable it to enforce the password prompt.

  1. Toggle the switch for Require a password when a computer wakes (on battery) to Enabled.
  2. Click Next.

[Image: Implementing Password Policies: Protect Windows Devices from Unauthorized Access, Pic 2]

5. Scope Tags and Assignments

  1. Scope Tags: If your organization uses tags to control administrator visibility, add the relevant Scope Tags. If not, skip this step. Click Next.
  2. Assignments: This is critical. Under Include Groups, click Add Groups and select the users or devices you want to target (e.g., your “All Employees” device group). Click Next.

6. Review and Create

  1. On the Review + Create step, quickly check the summary to ensure the name, description, and key setting are correct.
  2. Click Create to finalize the policy.

Monitoring and Management

Checking Status

Policy deployment usually takes a short time, but it can take up to 8 hours. To check the status immediately:

  1. Go to Devices > Configuration in the Intune Portal and click on the policy name.
  2. You can ask users to perform a manual sync via the Company Portal app to speed up the process.
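
To confirm the result on a device itself rather than in the portal, here is a local check, added as an example and not part of the original walkthrough. It assumes the Intune setting lands in the same policy registry key as its Group Policy equivalent; the function name Get-WakePasswordPolicy is hypothetical. It also reports the separate "plugged in" setting, which this walkthrough does not configure.

```powershell
# Added example: run locally on a managed device after a sync.
# The key below is where the Power Management policy template stores the
# "Require a password when a computer wakes" values (not from the article).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'

function Get-WakePasswordPolicy {
    param([string]$Path = $PolicyKey)

    # Value name per power source; only the first is set by this walkthrough.
    $checks = [ordered]@{
        'On battery' = 'DCSettingIndex'
        'Plugged in' = 'ACSettingIndex'
    }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($source in $checks.Keys) {
        $valueName = $checks[$source]
        $value = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
            $value = $props.$valueName
        }

        if ($null -eq $value) { $state = 'Not configured' }
        elseif ($value -eq 1) { $state = 'Enforced' }
        elseif ($value -eq 0) { $state = 'Disabled by policy' }
        else                  { $state = "Unexpected value: $value" }

        [pscustomobject]@{
            PowerSource   = $source
            RegistryValue = $valueName
            State         = $state
        }
    }
}

$result = Get-WakePasswordPolicy
$result | Format-Table -AutoSize

# Non-zero exit when the on-battery setting from this article is not enforced.
$battery = $result | Where-Object PowerSource -eq 'On battery'
if ($battery.State -ne 'Enforced') { exit 1 }
```

A "Not configured" row for "Plugged in" means a docked or charging laptop is not covered by this policy alone.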

Removing Groups from the Policy

If you need to lift the restriction for a specific group (e.g., a test environment):

  1. Open the policy and click Edit on the Assignments tab.
  2. Select the group you want to exclude and click the Remove button.
  3. Click Review + Save.

Deleting the Policy

To permanently delete the policy from Intune:

  1. Navigate to Devices > Configuration.
  2. Click the three dots next to the policy name.
  3. Select the Delete option. This will remove the setting from all assigned devices.