Whilst working with a customer to review their Windows Phone 8.1 configuration policies in preparation for upgrading to Windows 10 Mobile I came across an issue.
My customer is using Intune Hybrid and aligns end users into “risk profiles” based on their job function. Each of the risk profiles has a different set of MDM policy settings (baselines) that secure and configure the device. Simplistically, the greater the risk profile, the more restrictive the policy applied – the most noticeable following device enrolment is the PIN requirements.
Any user in the “low risk” profile is currently required to have a 4-digit PIN number, and my customer wanted this to be maintained for those users upgraded to Windows 10 Mobile.
So far so good; however, on enrolling a test Windows 10 Mobile (version 1607) I found that, irrespective of the password settings configured in the policy, the device would prompt for a password to meet the following requirements:
- Min. password length: 6
- Max. password length: 127
- At least one uppercase character
- At least one lowercase character
- Can include a digit
- At least one special character
- Cannot be 123456 or 111111
Following a quick internet search I found the following article which suggests that this is by design and therefore expected when running the Redstone 1 (RS1) version of Windows 10 Mobile – AKA 1607 or the Anniversary Update.
Issue 98289: Password policy changes automatically after update to Windows 10 Mobile RS1
Slightly annoyed, and with my customer not keen to inflict this level of PIN complexity on all their users, I continued my search to understand why this was happening. Following my research, I began to suspect a conflict with Windows Hello / Passport for Work and suddenly the unintended password policy requirements sounded familiar – within the SCCM Intune subscription properties (Administration -> Cloud Services -> Microsoft Intune Subscription -> Configure Platforms -> Windows -> Passport for Work) is the following configuration:
My customer only has mobile devices enrolled in Intune, the majority being Windows Phone 8.1 and a few pilot Windows 10 Mobiles, so we decided to test the outcome of setting Passport for Work to “Not configured”. On testing I found that it made no difference to any Windows 10 Mobile device already enrolled; however, any new enrolments would correctly apply the intended PIN policy. I next tested setting “Disable Passport for Work for enrolled devices” with the hope this would “fix” already enrolled devices and apply the desired PIN policies – it did not. In this configuration I was unable to apply a PIN requirement more complex than 4 digits, and again it made no difference to any Windows 10 Mobile device already enrolled.
Luckily for me there was no requirement to support Windows 10 desktops or laptops via Intune, and as none of the Windows 10 Mobiles supported Windows Hello I could set the Passport for Work configuration as “Not configured”. In this configuration the various PIN policies were applied as expected and I was able to meet my customer's requirements.