
Intune Password Policy Precedence


Hi All

Having difficulty trying to figure out the following

I have created a password policy on Intune for my MDM device (Windows 10 Pro)

However, I notice that the more restrictive policies always take precedence.

For example

Local machine has policy to expire user password every 5 days.

On Intune the policy for password expiration is set to 10 days.

Local machine password expiration policy will take effect.

Likewise for options such as password length.

I would like to ask if

i) is that the expected behavior?

ii) is there any way to force Intune created policies onto the local device?

Thanks in advance!

Jimmy

3 Replies
The password policy only applies to local user accounts, not Azure AD accounts. For this you can check https://docs.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365...

Hi, good morning

Normally, when policies are pushed with Intune, the most restrictive one will win. But could you explain the "local policy" part? Do you have a hybrid environment/old GPOs which are pushing this setting?
If so, then you perhaps need to set ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP (https://www.anoopcnair.com/windows-10-mdm-csp-policies-override-group-policy-settings/)
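
Added example, not part of any reply in this thread: a read-only PowerShell check that puts the effective local password policy next to the values MDM delivered and the MDMWinsOverGP switch mentioned above. It assumes an elevated session and that Policy CSP results are mirrored under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device`; the helper name `Get-RegValue` is made up for this example.

```powershell
#Requires -RunAsAdministrator
# Read-only comparison of the effective local password policy with the values
# MDM delivered through the Policy CSP. Nothing on the device is modified.

# Assumption: merged Policy CSP results are mirrored under this registry key.
$pm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not delivered).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# 1. Effective local security policy, exported by secedit to a temp file.
$cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$local = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(MaximumPasswordAge|MinimumPasswordLength)\s*=\s*(-?\d+)') {
        $local[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $cfg -Force

# 2. Values delivered by MDM (DeviceLock area of the Policy CSP).
$mdmExpiry = Get-RegValue "$pm\DeviceLock" 'DevicePasswordExpiration'
$mdmLength = Get-RegValue "$pm\DeviceLock" 'MinDevicePasswordLength'

# 3. The conflict switch named in the reply above (1 = MDM wins over GP).
$mdmWins = Get-RegValue "$pm\ControlPolicyConflict" 'MDMWinsOverGP'

[pscustomobject]@{
    LocalMaxPasswordAgeDays = $local['MaximumPasswordAge']
    MdmPasswordExpiryDays   = $mdmExpiry
    LocalMinPasswordLength  = $local['MinimumPasswordLength']
    MdmMinPasswordLength    = $mdmLength
    MDMWinsOverGP           = $mdmWins
} | Format-List

# Flag the situation from the question: local expiry shorter than the MDM value.
if ($local['MaximumPasswordAge'] -gt 0 -and $mdmExpiry -gt 0 -and
    $local['MaximumPasswordAge'] -lt $mdmExpiry) {
    Write-Warning 'Local maximum password age is shorter than the MDM value.'
}
```

An empty MDM field means no value was found at the assumed registry location, which is worth confirming against the device's MDM diagnostic report before drawing conclusions.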