How to Enable Alphanumeric Device Password Requirements Using Microsoft Intune

Start by navigating to the Microsoft Endpoint Manager admin center where you'll create a new device compliance policy specifically for alphanumeric password requirements.

Open your browser and navigate to https://endpoint.microsoft.com. Sign in with your administrator credentials.

Once logged in, follow this navigation path:

1. Click Devices in the left navigation pane
2. Select Compliance policies
3. Click + Create Policy
4. Choose Windows 10 and later as the platform
5. Select Device Compliance as the profile type
6. Click Create

In the Basics tab, configure these settings:

Name: Alphanumeric Password Required Policy
Description: Enforces alphanumeric password complexity on Windows devices
Platform: Windows 10 and later

Now configure the fundamental password requirements that will work alongside the alphanumeric complexity requirement. Click on the Compliance settings tab in your policy creation wizard.

Navigate to the Password section and configure these essential settings:

Require a password to unlock mobile devices: Yes
Minimum password length: 8 characters
Maximum minutes of inactivity before password is required: 15 minutes
Number of previous passwords to prevent reuse: 5
Password complexity: Alphanumeric
Number of failed sign-in attempts before wiping device: 10
Minutes of inactivity before password reset: 1

Pay special attention to the Password complexity setting. You'll see these options:

• Device default - Uses whatever the device currently requires
• Numeric - Numbers only (like a PIN)
• Alphanumeric - Letters and numbers required

Select Alphanumeric to enforce the requirement for both letters and numbers in passwords.

Also enable Block simple passwords to prevent common patterns like "123456" or "password".

For more precise control over password complexity, create a custom configuration profile using the DeviceLock Configuration Service Provider (CSP). This method provides granular control over exactly which character types are required.

Navigate to Devices > Configuration profiles > + Create profile.

Configure the profile basics:

Platform: Windows 10 and later
Profile type: Templates > Custom
Name: DeviceLock Alphanumeric Password CSP

In the Configuration settings, add a new OMA-URI setting:

Name: Minimum Password Complexity Characters
Description: Requires digits, lowercase, and uppercase letters
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordComplexCharacters
Data type: Integer
Value: 3

The complexity values work as follows:

Both your compliance policy and configuration profile need to be assigned to the appropriate device groups. Start with your compliance policy.

In your compliance policy, click on the Assignments tab. Configure the assignments:

Include groups: All Devices (or specific Entra ID groups)
Exclude groups: Pilot Test Group (recommended for initial testing)

For the DeviceLock CSP configuration profile, follow the same assignment process:

1. Open your DeviceLock configuration profile
2. Click Assignments
3. Select the same groups as your compliance policy
4. Ensure both policies target the same devices

Consider creating a phased rollout approach:

Phase 1: IT Test Group (10-20 devices)
Phase 2: Department Pilots (100-200 devices)
Phase 3: All Corporate Devices

Click Save on both policy assignments.

The most common reason for alphanumeric password policy failures is improper local account configuration. You need to ensure all local accounts can change passwords and have password expiration enabled.

On each target device, open an elevated Command Prompt or PowerShell and run these commands to identify problematic accounts:

# List all local user accounts
net user

# Check specific account properties (replace 'LocalAdmin' with actual username)
net user LocalAdmin

# Look for these problematic flags:
# - Password never expires: Yes
# - User may not change password: Yes

Fix any accounts with problematic settings:

# Enable password expiration for specific user
wmic useraccount where name='LocalAdmin' set PasswordExpires=TRUE

# Allow user to change password
net user LocalAdmin /passwordreq:yes

# Verify the changes
net user LocalAdmin

For multiple accounts, use this PowerShell script:

# Fix all local accounts at once
Get-LocalUser | Where-Object {$_.Enabled -eq $true} | ForEach-Object {
    Set-LocalUser -Name $_.Name -PasswordNeverExpires $false
    Write-Host "Fixed account: $($_.Name)"
}

After assigning policies, force a sync on test devices to immediately apply the new password requirements rather than waiting for the automatic sync cycle.

On target devices, open the Company Portal app and force a sync:

1. Open Company Portal app
2. Go to Devices
3. Select the current device
4. Click Check status
5. Click Sync

Alternatively, use PowerShell to trigger sync remotely:

# Force Intune policy sync
$session = New-CimSession
Invoke-CimMethod -CimSession $session -Namespace root/cimv2/mdm/dmmap -ClassName MDM_EnterpriseModernAppManagement_AppManagement01 -MethodName UpdateScanMethod

Monitor compliance status in the admin center:

1. Navigate to Devices > Monitor > Compliance status
2. Look for devices showing "Not compliant" status
3. Click on individual devices to see specific compliance issues

Check the Event Viewer on devices for detailed policy application logs:

Path: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider
Look for Event IDs: 1906, 1907 (success) or 1908, 1909 (failure)

Once policies are applied, test the actual password change process to ensure users can successfully set alphanumeric passwords that meet the new requirements.

On a test device, attempt to change the password:

1. Press Ctrl + Alt + Del
2. Click Change a password
3. Try setting a numeric-only password (should fail)
4. Set a proper alphanumeric password (should succeed)

Test these password scenarios to verify enforcement:

❌ Fails: 12345678 (numbers only)
❌ Fails: password (letters only)
❌ Fails: Password (no numbers)
✅ Passes: Password123 (letters + numbers)
✅ Passes: MyPass2024 (mixed case + numbers)

Address Windows Hello PIN conflicts that commonly occur:

1. Go to Settings > Accounts > Sign-in options
2. Under PIN (Windows Hello), click Remove
3. Restart the device
4. Set up a new PIN that meets alphanumeric requirements

For devices experiencing PIN issues, use this PowerShell command:

# Reset Windows Hello PIN container
certlm.msc
# Navigate to Personal > Certificates
# Delete any "MS-Organization-Access" certificates
# Restart and recreate PIN

Monitor your deployment for common issues and implement fixes for the most frequent problems encountered during alphanumeric password policy rollouts.

Check for the most common error codes and their solutions:

Use this PowerShell script to check DeviceLock CSP application on devices:

# Check applied CSP values
dsregcmd /status

# Verify DeviceLock registry entries
Get-Item -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock" -ErrorAction SilentlyContinue

# Check specific complexity setting
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock" -Name "MinDevicePasswordComplexCharacters" -ErrorAction SilentlyContinue

For domain-joined devices showing policy conflicts:

Generate a compliance report to verify successful deployment:

1. Go to Reports > Device compliance
2. Select Device compliance report
3. Filter by your alphanumeric password policy
4. Export results for documentation

Create an ongoing monitoring process:

Daily: Check compliance dashboard for new non-compliant devices
Weekly: Review error codes and trends
Monthly: Audit local account configurations on sample devices