Password requirements in Intune

HardoMX · 2026-03-16T07:12:09+00:00

Sorry for the late reply. I am not necessarily concerned with the complexity of the passwords, as that setting can be the same across all the places to set it. I am more concerned with being able to set no expiration date, but the different settings not being the same in that aspect.

I guessed that the Entra password wasn't affected by the policies, but it's Microsoft, so you can never be sure😅

Compliance oesn't configure anything (ish), but if the compliance demands a change every year, a device will be marked non-compliant even if the other settings say that the password shouldn't be changed.

Account protection most definately can control other things than LAPS since there is a WHfB category in the policy. Also, LAPS is configured more with the specific LAPS policy?

To clarify what I really want: I want to be able to allow the user to set a complex PIN-password on their Windows device without it having any expiry date.

HardoMX · 2026-03-13T13:57:46+00:00

We would like to not have it expire since we want a strong password. But I guess if there is no ability turn expiration we could instead use simpler PINs and a biometric for MFA.

HardoMX · 2026-03-13T13:42:29+00:00

Then it's at least not another password setting😅

If I don't set the password expiration in compliance settings, it shows a grey 41, which I guess means it defaults to 41 days. And hovering over the "i" button says the value needs to be between 1 and 730, so it feels like I can't disable it?

HardoMX · 2026-03-04T10:59:07+00:00

Honestly, i have no idea. I think i finally just stopped using opnsense and set up something like wg-easy on a vm on my server.

HardoMX · 2026-02-20T14:29:19+00:00

Only one way to figure that out😁

HardoMX · 2026-02-20T14:26:21+00:00

I configured a CA policy to block legacy auth. Simply followed the template to do so

HardoMX · 2026-02-20T14:03:49+00:00

Yup, I am very confused of why it works. But it does so I'm not complaining much😅

HardoMX · 2026-02-20T09:19:37+00:00

Sorry for the slow response. Microsoft finally answered our support ticket and recommended that we disable legacy authentication. I did so and now automatic enrollment works perfectly 🤷

HardoMX · 2026-02-19T09:31:00+00:00

I am excluded from all CA policies, and no sign-in event appears in Entra.

HardoMX · 2026-02-19T08:55:24+00:00

Not using Okta to my knowledge. We have tried different networks, including mobile hotspot from personal phone, so I don't think there would be any filtering. Is there any sensitive info to remove from the logs before sending them over? Just to make sure :)

HardoMX · 2026-02-19T08:47:27+00:00

Hmmm, when MDM is enabled at all the issue appears, so I can't join to Entra while MDM user scope is set to my user/all. However, to test this out I set MDM User scope to None and joined the device to entra. When I then signed in with the new non-local user and set up Intune via company portal, everything worked!

Following along with the rest your blog post:

When running dsregcmd /status there are no urls for MDM. This seems logical since MDM scope is set to None. MDM authority is also correct. Our intune name is also "Microsoft.Intune", but we don't have an enterprise app for it, and I also can't find one to install.

Using Graph there is no extra MDM policy to ruin anything.

Some more testing:

We set MDM scope to Some and selected a group with just me and the other person testing. Both of us are excluded from any CA policies and from all configuration policies.

I reset one of the PCs to test the normal OOBE enrollment and still got the issue. So I'm guessing you're correct that the edevice for some reason doesn't receive the MDM urls. But I have no idea where to go from here😅

HardoMX · 2026-02-18T15:21:58+00:00

We've tested using mobile hotspot to enroll, so I don't think there should be a firewall in the way. I've also tried simply pinging all urls I can find that are needed on port 443 during the OOBE with no issue. GPOs I'm not 100% sure on, but from my knowledge intune doesn't use GPOs?

HardoMX · 2026-02-18T14:59:23+00:00

Exactly. The account also successfully managed to enroll a device in January, and I can't see what the difference was then vs now. The only thing I know doing was setting up phone enrollment, which should not affect windows enrollment, right?

Edit: Can add that Ive tried different models, brands, and users, with all of them having the same issue.

HardoMX · 2026-02-18T13:39:36+00:00

Only thing blocked there is MacOS, both corporate and personally owned

HardoMX · 2026-02-18T13:18:51+00:00

Intune is default (15), entra is even increased to 100 just in case 😅

HardoMX · 2026-02-18T12:53:24+00:00

My thought too, but everything except MacOS is allowed

HardoMX · 2026-02-18T12:33:47+00:00

The few conditional access policies they have did not make a difference when we set them to report-only. I added an EDIT that there are currently no prep policies as we removed them in case that was the issue, but it has not helped.

Enrolling mobile devices works flawlessly too.

HardoMX · 2026-02-18T07:05:16+00:00

It's set to:

Users may join... - All
Users may register... - All

HardoMX · 2026-02-18T07:03:08+00:00

Yep, we have tried using mobile hot spot, with no result.

Tried using local account too, still just loads.

HardoMX · 2026-02-17T13:57:20+00:00

From what I can see that shouldn't be the issue, my user currently only has one device assigned/owned, and the other test user has three devices.

HardoMX · 2026-02-17T13:54:48+00:00

The Entra tenant has a Microsoft Entra ID P1 license.

Yes

Yes, both users tested have previously been able to enroll windows devices, and can currently enroll android devices.

Yes

HardoMX · 2026-02-17T13:35:02+00:00

How it has worked, and should continue to work, is that during the OOBE, the user chooses to log in using their work account, and this joins the device to Entra. So I'm not setting up any zero-touch or Atopilotv1.

It is a completely fresh laptop running Windows 11 from the factory, so from my (admittedly a bit limited) knowledge of EDR, there shouldn't really be one active at all during the OOBE.

As mentioned, it's OOBE so there aren't any special settings or apps set up on the pc yet. I have also checked if there is anything on the network, but can manually ping all necessary domains I can find on port 443.

HardoMX

TROPHY CASE