Intune password issues with policies

reditguy
Contributor

I posted this previously but it was marked as spam for some reason

Hi, we have been having issues with Compliance and Configuration policies, and Device Compliance.

We initially had a password policy of minimum 12 characters, require 1 non-alphanumeric password, lock in 15 minutes....in both Compliance Policies and Configuration policies (they matched), applied to the same user groups.

Oddly, it was showing many devices (in the office, joined to local AD but connected to Intune and BYOD joined to Intune), as non-compliant even though they definitely met the requirements....so I thought that the policies were getting confused, so I removed the password requirement from the configuration policy, and left it only in the compliance policy.

It seemed to help 1-2 devices, but many still had issues! Oddly, some devices that users were logging into their PC with their local AD credentials (but joined to Intune), and their local AD passwords were less than 12 characters, were being marked as compliant!

Some BYOD devices who definitely meet the requirements, are being marked as non-compliant because "password is too short". So I thought maybe ALL accounts on the PC (local PC accounts, etc.) need to meet the requirements, so I changed the password to match the requirements above, but still no luck! (Side note...do all accounts on the PC have to meet the requirements?)

I changed the policy to 8 characters instead of 12, and now all of a sudden....many of the devices are now being marked as compliant!

This is very frustrating and support hasn't been of much help. Note that we are using Conditional Access and Trusted locations, if that helps (I am assuming that since the office PCs that are connected to local AD but connected to Intune, are inside trusted locations....it doesn't matter if it is compliant or not, it will be able to access resources?). MDM is also enabled to all users and MAM is turned off.

Any help on these issues would be great, thanks

2 Replies
Same basic problem here.

@reditguy Seeing a similar issue. Very frustrating this is still not made clear.
