I'm dealing with a frustrating issue in our setup where our Intune device enrollment policy mandates that users change their system PIN every 60 days. We also have separate local admin passwords for older machines, which we unified through a PowerShell script. However, the local admin passwords are still expiring every 60 days, despite the script indicating that they should never expire. I would love to hear some suggestions on how to better manage this situation!
4 Answers
Have you considered using Local Administrator Password Solution (LAPS)? It can simplify password management and is designed to handle similar situations.
Honestly, a 60-day PIN change seems a bit excessive. If security is a major concern, you might explore alternative authentication methods like FIDO2 keys instead. Also, LAPS can work well with Intune to automate password updates without needing to force frequent changes.
I totally agree. Even NIST suggests not forcing password changes unless there's a suspicion of compromise.
It's interesting that you're insisting on tight security with frequent PIN resets while also trying to unify passwords across machines. It seems contradictory! You might want to revisit your strategy considering user convenience as well.
This issue often pops up when Intune policies apply to devices instead of just users. Even if your scripts set the 'PasswordNeverExpires' attribute, Intune can override this. You might want to adjust the Intune password policy settings to either 'Not Configured' or limit the scope just to users. For a solid solution, implementing LAPS is the way to go! If you need a quick fix, consider setting a scheduled task to reapply the 'PasswordNeverExpires' setting after every Intune sync.
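The quick fix described in this answer, written out as an added example (this is not the asker's unification script nor anything posted in the thread). It assumes a placeholder account name of `LocalAdmin` and a daily 03:00 trigger; both are assumptions to adjust. It uses the built-in `Microsoft.PowerShell.LocalAccounts` and `ScheduledTasks` modules, and it logs each time it has to re-apply the setting so you can see how often the Intune policy is drifting the account before LAPS replaces this workaround.

```powershell
<#
  Added example: re-apply PasswordNeverExpires on the local admin account
  and register a scheduled task that repeats the check after Intune has
  had a chance to re-apply its own policy.

  Usage (elevated PowerShell):
    .\Reapply-LocalAdminExpiry.ps1 -Apply      # fix drift now
    .\Reapply-LocalAdminExpiry.ps1 -Install    # register the daily task
#>
#Requires -RunAsAdministrator
param(
    [switch]$Apply,
    [switch]$Install,
    # Placeholder: the unified local admin account created by your script.
    [string]$AccountName = 'LocalAdmin',
    [string]$TaskName    = 'Reapply-LocalAdminNeverExpires'
)

$LogSource = 'LocalAdminExpiry'   # assumed event-log source name

function Write-DriftEvent {
    param([string]$Message, [int]$EventId = 1000)
    # Register the source once so the event lands in the Application log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName Application -Source $LogSource
    }
    Write-EventLog -LogName Application -Source $LogSource `
        -EventId $EventId -EntryType Warning -Message $Message
}

function Get-ExpiringLocalAdmins {
    # Returns local (non-domain) members of Administrators whose password
    # still carries an expiry date, i.e. accounts the policy has drifted.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object {
            # Member names come back as COMPUTER\user; strip the prefix.
            $user = Get-LocalUser -Name ($_.Name -replace '^.*\\', '')
            if ($null -ne $user.PasswordExpires) { $user }
        }
}

function Set-LocalAdminNeverExpires {
    param([Parameter(Mandatory)][string]$Name)
    $user = Get-LocalUser -Name $Name -ErrorAction Stop
    if ($null -eq $user.PasswordExpires) {
        return $false                      # already correct, nothing to do
    }
    Set-LocalUser -Name $Name -PasswordNeverExpires $true
    Write-DriftEvent -Message "Re-applied PasswordNeverExpires on '$Name'; it had been reset to expire on $($user.PasswordExpires)."
    return $true
}

function Register-ReapplyTask {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # Run as SYSTEM so the task works without a stored credential.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Apply -AccountName $AccountName"
    $trigger   = New-ScheduledTaskTrigger -Daily -At 3am   # assumed schedule
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
}

if ($Apply) {
    $changed = Set-LocalAdminNeverExpires -Name $AccountName
    Write-Output ("{0}: {1}" -f $AccountName, $(if ($changed) { 'drift corrected' } else { 'already non-expiring' }))
    # Report any other local admins that have drifted, without touching them.
    Get-ExpiringLocalAdmins | Where-Object Name -ne $AccountName |
        ForEach-Object { Write-Output "Also expiring: $($_.Name) on $($_.PasswordExpires)" }
}
if ($Install) {
    Register-ReapplyTask -ScriptPath $PSCommandPath
    Write-Output "Registered task '$TaskName' (daily, SYSTEM)."
}
```

Treat the warning events this writes as a drift counter: if they keep appearing after you have scoped the Intune password policy to users or set it to Not Configured, something else is still re-applying the setting. Once Windows LAPS manages the account, rotation is handled by the service itself, so unregister this task rather than let the two fight over the same account.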

Yeah, LAPS could really streamline things for you once you set it up!