Windows Hello for Business effective PIN Complexity different from Intune policy assigned values

Mataire, Blessing 0 Reputation points
2024-09-23T08:05:48.6233333+00:00
  • I have configured and assigned an Intune policy for managing Windows Hello for Business password complexity.
  • The policy blocks Special Characters, Lowercase and Uppercase characters so that the user only uses digits
  • The policy is applying and reflecting in the registry
  • However, the device is enforcing the default MS PIN requirements, i.e. (Allow small letters, Allow Uppercase, Allow Special Characters)
  • Tested using an Identity Protection policy, Settings Catalogue and CSP

Has anyone encountered this before?

Microsoft Intune

2 answers

  1. msfteppner 166 Reputation points
    2024-09-23T09:02:03.6266667+00:00

    Hey there,

    This definitely sounds like a frustrating situation! You've clearly done the work to configure the Intune policy correctly, and it's puzzling why the device isn't enforcing the restrictions.

    Here are a few ideas that might help:

    Device Enrollment Type: Is the device enrolled as Hybrid Azure AD Joined or Azure AD Joined? Some policy settings might behave differently depending on the enrollment type. Double-check that your Intune configuration is appropriate for your enrollment scenario.

    Policy Conflict: Is there any chance another policy (Group Policy, local policy, or another Intune policy) could be overriding your Windows Hello for Business PIN complexity settings? It's worth investigating if there might be a conflict somewhere.

    Device Sync: Make sure the device has recently synced with Intune to receive the latest policy updates. You could try forcing a sync from the Intune portal or on the device itself.

    If you can provide more details about your environment (enrollment type, OS version, Intune policy configuration, etc.), it might help identify potential solutions or workarounds.

    Hopefully, these ideas will help you pinpoint the cause of the issue and don't hesitate to ask if you have any further questions!

    Best,
    T.


  2. Xenia-MSFT 2,350 Reputation points Microsoft Vendor
    2024-09-24T01:53:44.11+00:00

    @Mataire, Blessing Thanks for posting in our Q&A.

    For this issue, please check if there is any Local GPO configured. Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business, as it can lead to unexpected results. If you mix GPO and CSP policy settings, the conflicting CSP settings aren't applied until the group policy settings are cleared.

    At the same time, please check if the registry key has the value you configured in Intune. If yes, but it still works differently from the Intune policy, it seems something is wrong with Windows, because what Intune can do is based on the CSPs Windows provides. Given this situation, it is suggested to create an online support ticket to get more accurate help. Here is the support link:

    https://learn.microsoft.com/en-us/mem/get-support

    Thanks for your understanding and hope everything goes well with you.

    0 comments No comments
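
One way to run the GPO-versus-CSP check suggested in the answers above, as an added example that is not part of the original thread or Microsoft's own tooling. The two registry roots are assumptions taken from Microsoft's Windows Hello for Business documentation, not from this page; the script only reads values and lists any PIN complexity setting that is written by both channels.

```powershell
# Added example: list Windows Hello for Business PIN complexity values written by
# Group Policy and by MDM/CSP, and flag settings that appear in both channels.
# Assumption: these registry roots are the documented WHfB policy locations.
$gpoRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$cspRoot = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork'

function Get-PinComplexity {
    param([string]$Key, [string]$Channel, [string]$Tenant = '')
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $props = Get-ItemProperty -LiteralPath $Key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        [pscustomobject]@{
            Channel = $Channel
            Tenant  = $Tenant
            Setting = $p.Name
            Value   = $p.Value
        }
    }
}

$found = @()

# Group Policy (domain or local GPO), device scope
$found += @(Get-PinComplexity -Key "$gpoRoot\PINComplexity" -Channel 'GPO')

# MDM/CSP: one subkey per tenant ID, then Device\Policies\PINComplexity
if (Test-Path -LiteralPath $cspRoot) {
    foreach ($tenantKey in Get-ChildItem -LiteralPath $cspRoot) {
        $key = Join-Path $tenantKey.PSPath 'Device\Policies\PINComplexity'
        $found += @(Get-PinComplexity -Key $key -Channel 'CSP' -Tenant $tenantKey.PSChildName)
    }
}

# Everything that is currently configured, per channel
$found | Sort-Object Setting, Channel |
    Format-Table Channel, Tenant, Setting, Value -AutoSize | Out-String | Write-Host

# Settings present under both GPO and CSP are the candidates for a conflict
$conflicts = $found | Group-Object Setting |
    Where-Object { @($_.Group.Channel | Select-Object -Unique).Count -gt 1 }

if ($conflicts) {
    Write-Host 'Configured by both GPO and CSP:' ($conflicts.Name -join ', ')
} else {
    Write-Host 'No PIN complexity setting is configured by both GPO and CSP.'
}
```

If the GPO key is populated on a device that should be managed only by Intune, `gpresult /h report.html` shows which Group Policy object is writing it.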
