Let’s learn how to deploy password policies using Intune on Windows 10 devices. We use an Intune device restriction profile to deploy password policies to Intune-managed Windows 10 devices.
Steps to Configure Device Restrictions Password Policies
- Log in to EndPoint.Microsoft.com
- Navigate to Devices – Configuration Profiles – + Create Profile
- Select Platform as Windows 10 and Later
- Select Profile as Device Restrictions
- Click on Create button

- Enter the Name of the Intune Configuration Profile – HTMD Password Policy
- Enter the Description HTMD Password policy using Intune out of box configuration profiles
- Click on Next button
- Click on the Password section under Configuration settings
NOTE! – Make sure none of the other settings are configured if you want to deploy only the password policy.

- Let’s configure the password policies as per your security team’s requirements
- The following are the configurations I selected for the HTMD Password Policy:
- Password - Require
- Required Password Type - Alphanumeric
- Password Complexity - Numbers and Lowercase Letters Required
- Minimum password length - 6
- Number of sign-in failures before wiping device - 11
- Password expiration (days) - 41
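The portal steps above can also be reproduced through Microsoft Graph, which is handy when the same profile has to exist in several tenants or be kept in source control. The following is an added example and not code from the original post: it creates the same HTMD Password Policy as a Windows 10 Device Restrictions profile (a windows10GeneralConfiguration object) using the Microsoft.Graph PowerShell module. It assumes that module is installed and that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission. The mapping of "Numbers and Lowercase Letters" to a character set count of 2 is inferred from the MinDevicePasswordComplexCharacters = 2 registry value the post shows later; the other property values are the settings listed above.

```powershell
# Added example (not from the original post): create the "HTMD Password Policy"
# Device Restrictions profile via Microsoft Graph instead of the portal.
# Assumes the Microsoft.Graph module is installed and the account can create
# device configurations (DeviceManagementConfiguration.ReadWrite.All).

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# A Windows 10 Device Restrictions profile is a windows10GeneralConfiguration.
# Each property below is the Graph name of one setting from the post's list.
$policy = @{
    '@odata.type'                                = '#microsoft.graph.windows10GeneralConfiguration'
    displayName                                  = 'HTMD Password Policy'
    description                                  = 'HTMD Password policy using Intune out of box configuration profiles'
    passwordRequired                             = $true           # Password - Require
    passwordRequiredType                         = 'alphanumeric'  # Required Password Type
    passwordMinimumCharacterSetCount             = 2               # Numbers + lowercase (assumed mapping, see lead-in)
    passwordMinimumLength                        = 6               # Minimum password length
    passwordSignInFailureCountBeforeFactoryReset = 11              # Sign-in failures before wipe
    passwordExpirationDays                       = 41              # Password expiration (days)
}

$body = $policy | ConvertTo-Json -Depth 5
Write-Host "Request body:`n$body"

# POST creates the profile. It is not assigned to any group until an
# assignment is added, so nothing reaches devices from this call alone.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $body -ContentType 'application/json'

"Created profile '$($created.displayName)' with id $($created.id)"
```

Creating the profile this way leaves every non-password setting at "Not configured", which is exactly the condition the NOTE above asks for; review the printed request body before running it against a production tenant.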

Event Logs
The following information might help you troubleshoot Intune password policy deployment.
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
MDM PolicyManager: Set policy int, Policy: (MinDevicePasswordLength), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0x6), Enrollment Type: (0x0), Scope: (0x0).

MDM PolicyManager: Set policy int, Policy: (AlphanumericDevicePasswordRequired), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0x0), Enrollment Type: (0x0), Scope: (0x0).

MDM PolicyManager: Set policy int, Policy: (MinDevicePasswordComplexCharacters), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0x2), Enrollment Type: (0x0), Scope: (0x0).

MDM PolicyManager: Set policy int, Policy: (DevicePasswordEnabled), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0x0), Enrollment Type: (0x0), Scope: (0x0).

MDM PolicyManager: Set policy int, Policy: (MaxDevicePasswordFailedAttempts), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0xB), Enrollment Type: (0x0), Scope: (0x0).

Registry Entries
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\9A96DE87-65BD-437E-B915-14B601DAE840\default\Device\DeviceLock
- AlphanumericDevicePasswordRequired = 0
- DevicePasswordEnabled = 0
- MaxDevicePasswordFailedAttempts = 11
- MinDevicePasswordComplexCharacters = 2
- MinDevicePasswordLength = 6
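To check on a device whether the profile actually landed, the registry values and the event log entries above can be read and decoded in one go. The script below is an added example, not code from the original post. It assumes an elevated PowerShell session on an Intune-enrolled Windows 10 device, enumerates every enrollment GUID under PolicyManager\Providers (the GUID shown above is specific to the author's device), compares the DeviceLock values against the expected ones from this post, and pulls the matching "Set policy" events from the same log. The value meanings follow the DeviceLock area of the Policy CSP, where 0 for DevicePasswordEnabled means the password requirement is enabled and 0 for AlphanumericDevicePasswordRequired means an alphanumeric password is required, which is why the "0" entries above are the expected result and not a failure.

```powershell
# Added example (not from the original post): verify that the DeviceLock values
# written by the Intune Device Restrictions profile match the HTMD Password Policy.
# Assumes an elevated session on an Intune-enrolled Windows 10 device.

# Expected values, taken from the registry entries shown in the post.
$Expected = @{
    DevicePasswordEnabled              = 0    # 0 = password required (CSP encoding)
    AlphanumericDevicePasswordRequired = 0    # 0 = alphanumeric required
    MinDevicePasswordComplexCharacters = 2    # 2 = digits + lowercase
    MinDevicePasswordLength            = 6
    MaxDevicePasswordFailedAttempts    = 11
}

# Human-readable meaning of the encoded values, for the report.
$Describe = @{
    DevicePasswordEnabled              = @{ 0 = 'Enabled'; 1 = 'Disabled' }
    AlphanumericDevicePasswordRequired = @{ 0 = 'Alphanumeric'; 1 = 'Numeric'; 2 = 'Alphanumeric or numeric' }
    MinDevicePasswordComplexCharacters = @{ 1 = 'Digits'; 2 = 'Digits + lowercase'
                                             3 = 'Digits + lowercase + uppercase'
                                             4 = 'Digits + lowercase + uppercase + special' }
}

function Test-DeviceLockPolicy {
    # The enrollment GUID differs per device, so walk every provider.
    $keys = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers' -ErrorAction Stop |
        ForEach-Object { "HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\$($_.PSChildName)\default\Device\DeviceLock" } |
        Where-Object { Test-Path $_ }
    if (-not $keys) { Write-Warning 'No DeviceLock policy found; the profile has not applied yet.'; return }

    foreach ($key in $keys) {
        $values = Get-ItemProperty -Path $key
        foreach ($name in $Expected.Keys) {
            $actual = $values.$name
            $status = if ($null -eq $actual) { 'MISSING' }
                      elseif ($actual -eq $Expected[$name]) { 'OK' }
                      else { 'MISMATCH' }
            $meaning = if ($Describe.ContainsKey($name) -and $null -ne $actual) { $Describe[$name][[int]$actual] } else { '' }
            [pscustomobject]@{ Key = $key; Setting = $name; Expected = $Expected[$name]
                               Actual = $actual; Meaning = $meaning; Status = $status }
        }
    }
}

function Get-DeviceLockPolicyEvents {
    param([int]$Hours = 24)
    # Same log the post points at, filtered to the DeviceLock area and
    # parsed into policy name and numeric value (the log shows hex, e.g. 0xB = 11).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Area: (DeviceLock)*' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Policy'; e = { if ($_.Message -match 'Policy: \(([^)]+)\)') { $Matches[1] } } },
        @{ n = 'Value';  e = { if ($_.Message -match 'Int: \((0x[0-9A-Fa-f]+)\)') { [int]$Matches[1] } } }
}

Test-DeviceLockPolicy      | Format-Table -AutoSize
Get-DeviceLockPolicyEvents | Format-Table -AutoSize
```

A MISMATCH row on MinDevicePasswordLength or MaxDevicePasswordFailedAttempts usually means a second profile or a Group Policy is also writing the DeviceLock area; the enrollment GUID in the Key column tells you which enrollment wrote the value you are looking at.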

Video: Deploy Password Policies using Intune
Resources
- https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure
- https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock
- Create Deploy Group Policy Using Intune Administrative Template
Informative!
Did not find the policy HTMD Password Policy in Endpoint Manager.
You might be able to check the default password policy. The HTMD password policy is the one that I created for the demo.
If we change the password, that password will sync to the device without connecting to an on-prem domain controller.
Is there a way to change password policy but only have it apply the next time the user would normally have their passcode expire? We’re looking to move to a different passcode policy, but we’re hoping to not drop passcode changes on the entire company at once.
I tried it for a particular user but it applies to all the users in the organisation.
As this works for the Hello PIN only, if I disable the Hello PIN there is no use.
I want the policy for the user’s main password.
Hi, we have faced an issue on Hybrid Azure AD joined devices while triggering the Device Restriction Policy.
Password expiration (days) Intune error – there are other standard users present who are not allowed to change their password.
We have multiple users; any suggestions on how to resolve this?
This policy is working successfully on the local user but not on the Azure AD user. What can the issue be?