Deploy Password Policies Using Intune Configuration Profiles | Device Restriction

Let’s learn how to deploy password policies using Intune on Windows 10 devices. We use Intune device restriction profile to deploy password policies for Intune managed Windows 10 devices.

Steps to Configure Device Restrictions Password Policies

Login to EndPoint.Microsoft.com
Navigate to Devices – Configuration Profiles – + Create Profile
Select Platform as Windows 10 and Later
Select Profile as Device Restrictions
Click on Create button

Deploy Password Policies using Intune Configuration Profiles

Enter the Name of the Intune Configuration Profile – HTMD Password Policy
Enter the Description HTMD Password policy using Intune out of box configuration profiles
Click on Next button
Click on Password Section from Configuration Settings

NOTE! – Make sure none of the other settings are configured if you want to deploy only password policy.

Let’s configure password policies as per your security team requirements
The following are the configurations which I selected for HTMD Password Policy

Password - Require
Required Password Type - Alphanumeric
Password Complexicity - Numbers and Lowercase Letters Required
Minimum password length - 6
Number of sign-in failures before wiping device - 11
Password expiration (days) - 41

Deploy Password Policies using Intune Configuration Profiles | Device Restriction 1 — Deploy Password Policies using Intune Configuration Profiles

Event Logs

The following information might help you to troubleshoot Intune password policies deployment.

Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

MDM PolicyManager: Set policy int, Policy: (MinDevicePasswordLength), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0x6), Enrollment Type: (0x0), Scope: (0x0).

MDM PolicyManager: Set policy int, Policy: (AlphanumericDevicePasswordRequired), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0x0), Enrollment Type: (0x0), Scope: (0x0).

Deploy Password Policies using Intune Configuration Profiles | Device Restriction 2 — Deploy Password Policies using Intune Configuration Profiles | Device Restriction 11

MDM PolicyManager: Set policy int, Policy: (MinDevicePasswordComplexCharacters), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0x2), Enrollment Type: (0x0), Scope: (0x0).

Deploy Password Policies using Intune Configuration Profiles | Device Restriction 3 — Deploy Password Policies using Intune Configuration Profiles | Device Restriction 12

MDM PolicyManager: Set policy int, Policy: (DevicePasswordEnabled), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0x0), Enrollment Type: (0x0), Scope: (0x0).

Deploy Password Policies using Intune Configuration Profiles | Device Restriction 4 — Deploy Password Policies using Intune Configuration Profiles | Device Restriction 13

MDM PolicyManager: Set policy int, Policy: (MaxDevicePasswordFailedAttempts), Area: (DeviceLock), EnrollmentID requesting merge: (9A96DE87-65BD-437E-B915-14B601DAE840), Current User: (Device), Int: (0xB), Enrollment Type: (0x0), Scope: (0x0).

Deploy Password Policies using Intune Configuration Profiles | Device Restriction 5 — Deploy Password Policies using Intune Configuration Profiles

Registry Entries

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\9A96DE87-65BD-437E-B915-14B601DAE840\default\Device\DeviceLock
- AlphanumericDevicePasswordRequired = 0
- DevicePasswordEnabled = 0
- MaxDevicePasswordFailedAttempts = 11
- MinDevicePasswordComplexCharacters = 2
- MinDevicePasswordLength = 6

Deploy Password Policies using Intune Configuration Profiles | Device Restriction 6 — Deploy Password Policies using Intune Configuration Profiles | Device Restriction 14

Video Deploy Password Policies using Intune

Watch this video on YouTube.

Deploy Password Policies using Intune

Resources

9 thoughts on “Deploy Password Policies using Intune Configuration Profiles | Device Restriction”

Varinida
June 17, 2020 at 11:02 pm
Informative !
Simon
February 25, 2021 at 6:26 pm
Did not find the policy. HTMD Password Policy in endpoint manager.
- Anoop C Nair
  February 25, 2021 at 6:42 pm
  You might be able to check the default password policy. The HTMD password policy is the one that I created for demo
  - venkanna
    September 19, 2022 at 3:52 pm
    if we change the password that password will sync to device without connecting on-prem domain controller.
Tristan
July 20, 2021 at 8:58 pm
Is there a way to change password policy but only have it apply the next time the user would normally have their passcode expire? We’re looking to move to a different passcode policy, but we’re hoping to not drop passcode changes on the entire company at once.
Manish kumar sah
May 30, 2022 at 12:17 pm
I tried it for particular user but it applies to all the users in the organisation
Manish Kumar sah
May 30, 2022 at 12:20 pm
As this works for Hello pin only, if i disable hello pin there is no use
I want the policy for user main password
saad
November 9, 2022 at 3:34 pm
Hi we have face issue on Hybrid Azure AD join devices while trigger Device Restriction Policy
Password expiration (days) intune error there are other standard user present who are not allowed to change their password
We have multiple Users any suggestions how to resolve this?
Gagandeep Singh
March 20, 2023 at 11:50 am
this policy is working successfully on the local user but not on azure ad user . what can be issue ?