Forum Discussion
Password Complexity Error 2016281112(Remediation failed)
Hello,
I've been having an issue with Intune device compliance. The main issue stems from the fact that the devices have a Microsoft account as the device profile; this means that users use their Microsoft password to log in to their devices. However, when setting password restrictions in Intune, it appears to only affect the device password (that isn't being used) instead of the Microsoft password.
On its own this would be fine; however, I have been getting the error mentioned above: 2016281112 (remediation failed) on the "password complexity" setting in the device compliance policy. This doesn't make any sense to me as I have edited all of the settings related to passwords so they shouldn't be required at all. Unfortunately, due to the Microsoft account link I mentioned earlier, users cannot change their device passwords without being un-enrolled from Intune, so it is very difficult to determine the cause of the issue or work around it.
Can anyone help me resolve this error please?
13 Replies
- simonforget Copper Contributor
Any updates on this by any chance?
- JesseVaught Brass Contributor
I was struggling with this too until my colleague very carefully read the tooltip on that setting, paying attention to the commas. What this setting affects is the PIN. If you put "alphanumeric" for PW type, the compliance policy will require a password, AND an alphanumeric PIN. Each setting requires a password actually, so the only difference is what style of PIN is required.
If you want a numeric only PIN, or if you do device default (which gives the option of an alphanumeric PIN but doesn't require it) - either way the Password Complexity switch disappears. The PW complexity setting is only relevant when the password type is set to alphanumeric, which forces the PIN to be alphanumeric.
My guess is that if you queried a few noncompliant users, you'd find that they are using numeric PINs, therefore they are noncompliant, regardless of what's going on with the PW.
Also confirmed here: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows
- syed_nasir_abbas Copper Contributor
In our case, 6-digit PINs are working fine. There is only one user with local administrator rights on the computer, but the user is signing in using their work email with the 6-digit PIN. The work email is also part of the Local Administrators group, as the user is a developer and requires administrator rights to run several applications like NVM. We are encountering this error only on this specific device.
This link may help to resolve the issue:
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-protection/error-deploying-password-policy
  - On the Windows MDM desktop platform, the user must press CTRL+ALT+DEL and select Change Password, and then the new password rules will be enforced.
- DarrenH1580 Copper Contributor
Even set to Device Default, we get the complexity error JesseVaught
- DarrenH1580 Copper Contributor
DarrenH1580 Just fixed our issue... Turns out when we originally hired an outside source to help set up our Intune compliance policies, they set up a Windows compliance policy and applied it to several User groups. After I created a new test compliance policy (for Windows devices only) using the same configuration details but applying it to a test Device group only, all test devices showed as compliant.
- GeorgJ2325 Copper Contributor
Did anyone ever get a solution for this?
I am in a similar solution. Resetting the password did not remove the error.
- Manabudo Copper Contributor
Hello folks,
I too am a wanderer of the wide web and I also encountered this issue.
As Lucas_Ayre's workaround might be a temporary one-time solution, I was thinking the following.
Why would we have a password policy if the service is not used?
I understand that you would have a LAPS or defined Local Admin account, but user-wise they are using AAD accounts, so this policy is not required, I believe.
As long as the Local Admin accounts are correctly managed and user AAD accounts are set up with Windows Hello and Conditional Access, I think we are good on the security side?
- MattR345 Copper Contributor
Having the same issue here, on probably hundreds of end points.
Our devices are set up the same way as Lucas_Ayre described (authentication uses MS account, not device password). Although, we do have Windows Hello enabled, which also requires the user to set up a PIN. Could this be related?
- Lucas_Ayre Copper Contributor
Hi, MattR345
I actually found a crude way of fixing this, by going to the individual computer and going to the Local Security Policy settings (win+r "secpol.msc") > Account Policies > Password Policy and changing "Password must meet complexity requirements" to "Enabled". However, I don't fully understand how this is working as my Intune settings shouldn't require it at all. Also, this wouldn't be a good solution for 100+ endpoints, so I'm not claiming it's a proper solution.
- GeorgJ2325 Copper Contributor
I am still getting the error even after this fix. I'm pretty stumped. The password reset did not work and this solution hasn't worked. Back to the drawing board unfortunately. Thanks for your help!
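
The local policy value discussed in the thread (Local Security Policy > Account Policies > Password Policy) can be read from a script instead of opening secpol.msc on each machine. The following is an added example, not part of any post above: it only reads the setting and changes nothing. It assumes an elevated PowerShell session, and `Get-LocalPasswordPolicy` is a hypothetical helper name, not an Intune or Windows cmdlet.

```powershell
# Added example: read-only audit of the local password policy values that
# secpol.msc shows under Account Policies > Password Policy.
# Assumes an elevated session (secedit /export needs administrator rights).
# Get-LocalPasswordPolicy is a hypothetical helper name.
function Get-LocalPasswordPolicy {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the security policy area to a temporary INF file.
        secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
            throw "secedit export failed (exit code $LASTEXITCODE); run elevated."
        }
        $wanted = 'PasswordComplexity', 'MinimumPasswordLength',
                  'MaximumPasswordAge', 'PasswordHistorySize'
        $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }
        foreach ($line in Get-Content -Path $cfg) {
            # INF lines look like "PasswordComplexity = 1".
            if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$' -and
                $wanted -contains $Matches[1]) {
                $result[$Matches[1]] = [int]$Matches[2]
            }
        }
        [pscustomobject]$result
    }
    finally {
        # Do not leave the exported policy file behind.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$policy = Get-LocalPasswordPolicy
$policy | Format-List

# PasswordComplexity: 1 = "Password must meet complexity requirements" Enabled,
# 0 = Disabled.
if ($policy.PasswordComplexity -ne 1) {
    Write-Output "Complexity requirement is Disabled on $($policy.ComputerName)"
}
```

Collecting this output from a compliant and a non-compliant device gives a side-by-side view of the local values before anyone changes them by hand.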