
In your Intune environment, if you have Windows devices enrolled as BYOD and receive complaints from users and local IT teams regarding such devices being marked as non-compliant due to your enforced password compliance policy, then this blog post is for you.
Decoding Intune Compliance: Why Password Policy Adherence May Still Result in Non-Compliance
Understanding the scenario:
You have a personal Windows device configured with a Microsoft account and registered and enrolled as BYOD in Intune. Depending on the grace period state of the enforced password compliance policy, when you check the status of the device in the company portal, you see that the device status is marked as either
- Can access company resources, but action required (device is non-compliant but in grace period), or
- Can’t access company resources (post grace period expiration)
as it does not meet several compliance checks, one of which is the password requirements.

In the Intune portal, when you check for the device compliance state, you see the device is marked non-compliant against the compliance policy that enforces password requirement checks.

The compliance policy in effect is configured as below.

You confirm that the password set for the MS account meets the password requirements enforced above, yet the Intune evaluation of password compliance still ends in an error.
Hence the question of this blog:
Why does Intune compliance evaluation fail and mark the device as non-compliant even when the password for the MS account is set to conform to the compliance policy requirements?
Answer/Clarification:
The values configured for the highlighted configuration items, namely Minimum password length and Password complexity, are the reason the Intune compliance policy is not able to evaluate password compliance for BYOD Windows devices provisioned with a Microsoft account, and so marks them as non-compliant.
Password requirement enforcement on a managed Windows device is handled through the DeviceLock Policy CSP, which in turn uses the EAS policy engine. Looking at the documentation for both, we can find the password enforcement requirements that MS documents as supported for a Microsoft account.


From the above, in simple words, we can reiterate that
Intune compliance will be able to evaluate password compliance for Windows BYOD devices provisioned with a Microsoft account only if the effective compliance policy enforces a minimum password length of 8 characters and a password complexity of 2.
Note: The complexity values refer to

| Value | Meaning |
| --- | --- |
| 1 | Digits only |
| 2 | Digits and lowercase letters are required |
| 3 | Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. |
| 4 | Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop. |
Thus, for a Windows device set up with an MS account and registered and enrolled as BYOD in Intune, Intune will be able to successfully evaluate password compliance only when the enforcing policy requires a minimum password length of 8 characters (or less) and a password complexity of value 2 (or less).
If the enforced password requirement evaluates the password for more than 8 characters or a stronger complexity, then even if you have set the password of your Microsoft account to conform to it, Intune compliance will not be able to evaluate it and will return the compliance check as a failure.
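To catch policies that trip this limitation before users start complaining, here is an added example (not code from the original post) that audits compliance policy objects against the two thresholds above. It assumes policies in the JSON shape of the Graph windows10CompliancePolicy resource (property names such as passwordMinimumLength and passwordMinimumCharacterSetCount are an assumption), and the sample policies are constructed for the example.

```python
"""Audit Intune Windows compliance policies for the Microsoft-account BYOD
password limitation: Intune can only evaluate the password check when the
policy requires minimum length <= 8 and complexity <= 2."""

# DeviceLock CSP complexity values, as tabulated in the post.
COMPLEXITY = {
    1: "Digits only",
    2: "Digits and lowercase letters",
    3: "Digits, lowercase and uppercase letters (not supported for MSA/domain accounts)",
    4: "Digits, letters and special characters (not supported on desktop)",
}
MAX_MSA_LENGTH = 8      # largest minimum length still evaluable for an MS account
MAX_MSA_COMPLEXITY = 2  # largest complexity value still evaluable for an MS account
WINDOWS10_TYPE = "#microsoft.graph.windows10CompliancePolicy"


def audit_policy(policy: dict) -> list[str]:
    """Return findings for one policy dict (assumed Graph shape); empty means OK."""
    findings = []
    if not policy.get("passwordRequired", False):
        return findings  # no password check is enforced, nothing to evaluate
    length = policy.get("passwordMinimumLength")
    if length is not None and length > MAX_MSA_LENGTH:
        findings.append(f"passwordMinimumLength={length} exceeds {MAX_MSA_LENGTH}; "
                        "MS-account BYOD devices will be marked non-compliant")
    complexity = policy.get("passwordMinimumCharacterSetCount")
    if complexity is not None and complexity > MAX_MSA_COMPLEXITY:
        meaning = COMPLEXITY.get(complexity, "unknown value")
        findings.append(f"passwordMinimumCharacterSetCount={complexity} ({meaning}) "
                        f"exceeds {MAX_MSA_COMPLEXITY}; not supported for MS accounts")
    return findings


def audit_policies(policies: list[dict]) -> dict[str, list[str]]:
    """Audit every Windows 10/11 compliance policy, keyed by display name."""
    return {p["displayName"]: audit_policy(p)
            for p in policies if p.get("@odata.type") == WINDOWS10_TYPE}


# Constructed sample policies, not real tenant data.
SAMPLE_POLICIES = [
    {"@odata.type": WINDOWS10_TYPE, "displayName": "BYOD - strict",
     "passwordRequired": True, "passwordMinimumLength": 12,
     "passwordMinimumCharacterSetCount": 3},
    {"@odata.type": WINDOWS10_TYPE, "displayName": "BYOD - MSA compatible",
     "passwordRequired": True, "passwordMinimumLength": 8,
     "passwordMinimumCharacterSetCount": 2},
    {"@odata.type": "#microsoft.graph.iosCompliancePolicy", "displayName": "iOS",
     "passwordRequired": True, "passwordMinimumLength": 12},
]

if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICIES).items():
        print(name, "->", findings or "OK for MS-account BYOD")
```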
Ending
As an Intune administrator, it is important to know the limitations of certain configurations so as not to enforce settings that cause users needless inconvenience and disrupt their productivity.