Jan 17 2019 06:54 PM - edited Jan 17 2019 06:56 PM
Hi, we have been having issues with Compliance and Configuration policies, and Device Compliance.
We initially had a password policy of minimum 12 characters, require 1 non-alphanumeric password, lock in 15 minutes....in both Compliance Policies and Configuration policies (they matched), applied to the same user groups.
Oddly, it was showing many devices (in the office, joined to local AD but connected to Intune and BYOD joined to Intune), as non-compliant even though they definitely met the requirements....so I thought that the policies were getting confused, so I removed the password requirement from the configuration policy, and left it only in the compliance policy.
It seemed to help 1-2 devices, but many still had issues! Oddly, some devices where users were logging into their PC with their local AD credentials (but joined to Intune), and their local AD passwords were less than 12 characters, were being marked as compliant!
Some BYOD devices which definitely meet the requirements are being marked as non-compliant because "password is too short". So I thought maybe ALL accounts on the PC (local PC accounts, etc.) need to meet the requirements, so I changed the password to match the requirements above, but still no luck! (Side note...do all accounts on the PC have to meet the requirements?)
I changed the policy to 8 characters instead of 12, and now all of a sudden....many of the devices are now being marked as compliant!
This is very frustrating and support hasn't been of much help. Note that we are using Conditional Access and Trusted locations, if that helps (I am assuming that since the office PCs that are connected to local AD but connected to Intune, are inside trusted locations....it doesn't matter if it is compliant or not, it will be able to access resources?). MDM is also enabled to all users and MAM is turned off.
Any help on these issues would be great, thanks
Mar 06 2019 03:40 AM
In general terms, we have the same issue.
Passwords that are compliant are marked as non-compliant and an error in the configuration. So far I haven't found any solution.
@reditguy I've read that you may have issues with lowering security standards. So shortening the required password length might have been an issue if the device is a Windows Phone.
Jan 28 2020 03:28 AM - edited Jan 28 2020 03:33 AM
@reditguy I had a similar issue with a BYOD and Intune. After speaking with Intune support, it transpires that Intune is currently unable to evaluate the password strength for Windows Live ID accounts if you login with those. The suggested work around is to create a local account and login with that, and link the WLID account.
Mar 03 2023 01:42 PM
May 16 2023 07:46 AM - edited May 17 2023 05:01 AM
Same here...I've got BYOD devices and users that are signed-in to MS Live ID and Intune can't correctly check password compliance.
Edit
I figured it out! EventViewer logs led me to checkout DeviceLock Policy CSP.
I went to the MinDevicePasswordComplexCharacters CSP docs and what I found is:
| Account Type | Supported Values | Actual Enforced Values |
|---|---|---|
| Local Accounts | 1,2,3 | 3 |
| Microsoft Accounts | 1,2 | <p2 |
| Domain Accounts | Not supported | Not supported |
where the allowed values are:
| Value | Description |
|---|---|
| 1 (Default) | Digits only. |
| 2 | Digits and lowercase letters are required. |
| 3 | Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. |
| 4 | Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop. |
When I created a compliance policy with Password Complexity set to Require digits and lowercase letters, I was asked to update Windows Hello PIN to comply with this complexity and policy was evaluated successfully.
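The following PowerShell is an added example, not code from any poster in this thread or from Microsoft, that turns the support matrix above into a check you can run on an affected PC: it reads the DeviceLock values the MDM client actually applied, lists the local and Microsoft-account users on the machine with their sign-in source, and flags any user whose account type cannot be evaluated at the complexity the policy demands (the Microsoft-account case this thread ran into). It assumes two things that are labelled in the comments: that applied DeviceLock nodes are mirrored under the `PolicyManager` registry key used below, and that the MDM diagnostics event log is the channel named below (the one the poster searched in Event Viewer). Domain accounts do not appear in `Get-LocalUser` and are not evaluated by this policy anyway, so they are out of scope of the check.

```powershell
# Added example (not from the original thread): compare the DeviceLock policy that MDM
# applied to this PC against the account types that sign in on it, using the
# MinDevicePasswordComplexCharacters support matrix quoted in the post above.
# Run from an elevated PowerShell prompt on the device being evaluated.

# Support matrix from the DeviceLock CSP documentation: which complexity values each
# account type can be evaluated at. Domain accounts are not supported by this node at all.
$Supported = @{
    'Local'            = @(1, 2, 3)
    'MicrosoftAccount' = @(1, 2)
    'ActiveDirectory'  = @()
    'AzureAD'          = @()   # assumption: treated like a domain account for this check
}

# Assumption: the MDM client mirrors the applied DeviceLock nodes under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'

function Get-AppliedDeviceLockPolicy {
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No DeviceLock policy under $PolicyKey (not MDM-enrolled, or policy not delivered yet)."
        return $null
    }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        # CSP semantics: DevicePasswordEnabled 0 = password required, 1 = not required
        PasswordRequired  = ($p.DevicePasswordEnabled -eq 0)
        MinLength         = $p.MinDevicePasswordLength
        ComplexCharacters = $p.MinDevicePasswordComplexCharacters
    }
}

function Test-AccountPolicySupport {
    param([Parameter(Mandatory)] $Policy)
    $required = [int]$Policy.ComplexCharacters
    # Get-LocalUser exposes PrincipalSource (Local, MicrosoftAccount, ActiveDirectory, AzureAD);
    # a Live ID / MSA-linked sign-in shows up as MicrosoftAccount.
    foreach ($u in (Get-LocalUser | Where-Object Enabled)) {
        $src = [string]$u.PrincipalSource
        $ok  = $Supported[$src]
        $status =
            if ($null -eq $ok -or $ok.Count -eq 0) { 'Not evaluated by this policy' }
            elseif ($ok -contains $required)        { 'Can be evaluated' }
            else { "Unsupported: complexity $required is not supported for $src accounts (max $($ok[-1]))" }
        [pscustomobject]@{ User = $u.Name; Source = $src; Status = $status }
    }
}

function Get-DeviceLockPolicyEvents {
    # Assumption: this is the MDM diagnostics channel where the DeviceLock errors were found.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DeviceLock' } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# Usage: show what was applied, which accounts it can evaluate, and the related MDM events.
$policy = Get-AppliedDeviceLockPolicy
if ($policy) {
    $policy | Format-List
    Test-AccountPolicySupport -Policy $policy | Format-Table -AutoSize
}
Get-DeviceLockPolicyEvents | Format-Table -Wrap
```

If a Microsoft-account user shows "Unsupported" here while the compliance policy in Intune asks for uppercase letters (value 3) or special characters (value 4), lower the complexity to digits and lowercase (value 2) as the poster did, or have the user sign in with a local account linked to the Microsoft account as the earlier reply suggests; the length setting is separate and is not affected by this matrix.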