SOLVED

Windows Password requirements are applying to PIN requirements

Occasional Contributor

We are running into an issue where Password requirements (8-12 Ch@arac7ers) are now used as PIN requirements for Intune Managed (AAD Joined) devices.

[screenshot: somaji_0-1666111104721.png]

In Intune, Windows Enrollment, Windows Hello for Business (assigned to All Users); but disabled.

[screenshot: somaji_0-1666110608874.png]

The password policy is coming from on-prem Windows AD; using ADSync to sync user accounts OU (only) to Microsoft365. Curious why this is happening since each machine is 'Wiped' and deleted from Windows AD before joining to AzureAD.

3 Replies

@somaji 


Take a look if you have a Device Configuration Profile for Hello defined. That's another place where the PIN policy can be set. Also, you only have WHFB "Not Configured" which means "leave things at their default." It's possible someone went in earlier and set the policy values before flipping it back to "Not Configured" and hence a complex PIN requirement has been previously set.


Try to explicitly "Disable" the WHFB policy if you don't want it on. You may need to temporarily "Enable" it so you can go in and change the "Special Characters in PIN" to "Not Allowed" or whatever else you want to set before saving the policy.


If you previously had a PIN policy set via GPO, the Intune CSP should take effect and supplant it.


A fallback option could be to try setting these registry keys via script to reduce PIN complexity: Change PIN Complexity Requirements Policy in Windows 10 | Password Recovery (top-password.com).


Please like or mark this thread as answered if it's helpful, thanks!

[screenshot: IntunePinWhfbPolicy.png]

Noticed from the screenshot that this appears to be a machine running Windows 11. Any chance you may have perhaps installed the 22H1 update that just recently dropped? We haven't moved to Win11 yet, so I haven't seen it firsthand, but stumbled across this the other day while researching something different:

https://www.bleepingcomputer.com/news/microsoft/windows-11-22h2-blocked-due-to-windows-hello-issues-...

Apparently 22H1 had some issues with Windows Hello that were bad enough that MS pulled it while working on a fix. Just a thought.
best response confirmed by somaji (Occasional Contributor)
Solution
Thanks Kurt for the information. This was, possibly, due to someone "whose title we shalt not utter". Enabled the WHFB PIN configuration on the tenancy and disabled it.

After research, it was determined that once enabled for a tenant the configuration takes effect immediately and is implemented. And, if disabled, the configuration cannot be removed. The only option was to enable the PIN in Enrollment settings and configure it.

Microsoft Documentation states the Auto-enrollment PIN configuration Precedence: WHFB, GPO, then device
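To see which source (Intune CSP or on-prem GPO) is actually delivering the PIN complexity settings on an affected device, a read-only diagnostic like the following helps; it is an added example, not code from this thread or from Microsoft. It reads the Group Policy key for Windows Hello for Business PIN complexity (HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity) and the MDM-delivered copy; the MDM path under HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies\PINComplexity is an assumption about where the CSP writes its values, so verify it on your own build.

```powershell
# Added diagnostic, not from the thread: list the Windows Hello for Business PIN
# complexity values present on this device and which policy source wrote them.
# Read-only; run in an elevated PowerShell on the affected machine.

# DWORD meanings for Digits/LowercaseLetters/UppercaseLetters/SpecialCharacters:
# 0 = Allowed, 1 = Required, 2 = Not allowed. Length/Expiration/History are plain numbers.
$valueNames = @{ 0 = 'Allowed'; 1 = 'Required'; 2 = 'Not allowed' }
$settings   = 'Digits', 'LowercaseLetters', 'UppercaseLetters', 'SpecialCharacters',
              'MinimumPINLength', 'MaximumPINLength', 'Expiration', 'History'

# Sources in the precedence order quoted in the solution: MDM/WHFB first, then GPO.
# The MDM path (assumed) contains the tenant GUID; the wildcard matches whichever tenant exists.
$sources = [ordered]@{
    'Intune/MDM (PassportForWork CSP)' = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\*\Device\Policies\PINComplexity'
    'Group Policy (on-prem AD)'        = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
}

function Get-PinComplexityPolicy {
    foreach ($source in $sources.GetEnumerator()) {
        $keys = Get-Item -Path $source.Value -ErrorAction SilentlyContinue
        if (-not $keys) {
            Write-Output ("{0}: no PIN complexity key present (defaults apply from this source)" -f $source.Key)
            continue
        }
        foreach ($key in @($keys)) {
            Write-Output ("{0}: {1}" -f $source.Key, $key.Name)
            foreach ($name in $settings) {
                $raw = $key.GetValue($name, $null)
                if ($null -eq $raw) { continue }      # value not set here; default applies
                $isFlag = $name -notmatch 'Length|Expiration|History'
                $shown  = if ($isFlag -and $valueNames.ContainsKey([int]$raw)) { $valueNames[[int]$raw] } else { $raw }
                Write-Output ("    {0,-18} = {1}" -f $name, $shown)
            }
        }
    }
}

Get-PinComplexityPolicy
```

If the MDM key lists SpecialCharacters = Required while the GPO key is absent, the complexity came from the tenant's WHFB configuration rather than the synced on-prem password policy.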