We are running into an issue where Password requirements (8-12 Ch@arac7ers) are now used as PIN requirements for Intune Managed (AAD Joined) devices.
In Intune, Windows Enrollment, Windows Hello for Business (assigned to All Users); but disabled.
The password policy is coming from on-prem Windows AD; using ADSync to sync user accounts OU (only) to Microsoft365. Curious why this is happening since each machine is 'Wiped' and deleted from Windows AD before joining to AzureAD.
Take a look if you have a Device Configuration Profile for Hello defined. That's another place where the PIN policy can be set. Also, you only have WHFB "Not Configured" which means "leave things at their default." It's possible someone went in earlier and set the policy values before flipping it back to "Not Configured" and hence a complex PIN requirement has been previously set.
Try to explicitly "Disable" the WHFB policy if you don't want it on. You may need to temporarily "Enable" it so you can go in and change the "Special Characters in PIN" to "Not Allowed" or whatever else you want to set before saving the policy.
If you previously had a PIN policy set via GPO, the Intune CSP should take effect and supplant it.
A fallback option could be to try setting these registry keys via script to reduce PIN complexity: Change PIN Complexity Requirements Policy in Windows 10 | Password Recovery (top-password.com).
Please like or mark this thread as answered if it's helpful, thanks!
Accepted Solutions