Category filter

Troubleshoot password policy issues on Windows devices

With Hexnode UEM, IT admins can enforce password policy on Windows devices. However, the policy association might fail due to several device-specific reasons. This document provides insight into some troubleshooting measures which you can adopt to solve issues that might occur while associating a password policy on Windows devices via Hexnode UEM.

1. Password policy not getting associated with the device successfully and returns an error message stating ‘Invalid Payloads’.

Probable cause:

This can be caused if there are any password change restricted users on the device.

Solution:

Try executing the following script to check whether there is a password change restricted user on the device. You can use the Execute Custom Script action to execute a script.

$changePasswordRestrictedUsers = Get-LocalUser | Where-Object { $_.Enabled -eq $True -and $_.UserMayChangePassword -eq $False } 
Write-Host "Restricted user count: ", $changePasswordRestrictedUsers.count 
$microsoftAccounts = Get-LocalUser | Where-Object { $_.Enabled -eq $True -and $_.PrincipalSource -ne "Local" } 
Write-Host " Other users count: ", $microsoftAccounts.count

$changePasswordRestrictedUsers = Get-LocalUser | Where-Object { $_.Enabled -eq $True -and $_.UserMayChangePassword -eq $False }

Write-Host "Restricted user count: ", $changePasswordRestrictedUsers.count

$microsoftAccounts = Get-LocalUser | Where-Object { $_.Enabled -eq $True -and $_.PrincipalSource -ne "Local" }

Write-Host " Other users count: ", $microsoftAccounts.count

Output showing the number of password restricted user accounts on the device

If the code returns an output stating that restricted user accounts are present, then execute the following script. It removes the password change restriction of the users.

$changePasswordRestrictedUsers = Get-LocalUser | Where-Object { $_.Enabled -eq $True -and $_.UserMayChangePassword -eq $False } 
foreach ($user in $changePasswordRestrictedUsers) 
{ 
    $result = net user $user.Name "/PasswordChg:Yes" 
    Write-Host "Password change restriction for user", $user.Name, "is removed." 
}

$changePasswordRestrictedUsers = Get-LocalUser | Where-Object { $_.Enabled -eq $True -and $_.UserMayChangePassword -eq $False }

foreach ($user in $changePasswordRestrictedUsers)

{

$result = net user $user.Name "/PasswordChg:Yes"

Write-Host "Password change restriction for user", $user.Name, "is removed."

}

Output showing the password change restriction is removed from all user accounts

Note:

In the case of Windows devices enrolled via Native Enrollment method, you would have to manually disable the ‘User cannot change password’ setting on the device end before associating the password policy again. Follow the below steps to remove the password change restriction of a user:

Sign in from an administrator account.
Press the Windows + R key simultaneously. Type ‘compmgmt. msc’ in the run box and Click OK.
Navigate to Computer Management (Local) > System Tools > Local Users and Groups > Users.
Double-click on the user’s name whose password change restriction you want to remove.
Under the General tab, uncheck the option ‘User cannot change password’.
Click Apply and then press OK.

2. Password policy fails to associate with the device and returns an error message displaying ‘password->MinDevicePasswordComplexCharacters->Command failed].’

Probable cause:

There are two possible cases where the password policy will be failed,

The issue occurs when the device is connected to a Microsoft account and the password policy is applied.
The password policy failure issue could also occur if the local account present on the device is converted from a Microsoft account.

Solution:

To resolve this issue, ensure the device is not associated with any Microsoft account or local account converted from a Microsoft account. Remove all such accounts before applying the password policy.

Need more help?

Raise a Ticket

Ask Community

Chat With us