Fixing Policy Conflicts in Intune: Why Local Admin Passwords Keep Expiring and How to Fix It

🧩 Fixing Policy Conflicts in Microsoft Intune: Why Local Admin Passwords Still Expire

When managing Windows devices through Microsoft Intune, you might face a frustrating situation: the local administrator account password keeps expiring even though it is set to never expire via PowerShell. This is a common issue in the sysadmin community, and it shows how Intune device policies can override local configuration.

This post breaks down the problem, explains why it happens, and outlines proven solutions, including using Windows LAPS (Local Administrator Password Solution) for proper password lifecycle management.


🧠 Understanding the Problem

A system administrator set up a PowerShell script to unify local admin passwords across devices and ensure they never expire:

Set-LocalUser -Name "Administrator" -PasswordNeverExpires $true

However, even after this configuration, the Intune policy continued enforcing password changes every 60 days. This happened because Intune’s device configuration policies apply at the system level, overriding any local PowerShell settings or group policy preferences.

Essentially, Intune enforces whatever password aging rule is defined in its profile, regardless of manual local settings. So if your device password policy specifies a maximum password age, all local accounts — including the built-in administrator — are affected.


🔍 Why It Happens

There are three main reasons why Intune can cause this conflict:

  1. Device Policy Enforcement
    • Intune device policies (e.g., “Password expiration (days)”) apply globally to the device, not just to user accounts.
    • Even if a local account is configured with PasswordNeverExpires, the device policy will override that setting during the next sync.
  2. Incorrect Policy Scope
    • If password policies are scoped to devices instead of user groups, local admin accounts may fall under enforcement unintentionally.
  3. Policy Sync Behavior
    • Every Intune sync refreshes device configuration baselines.
    • This means that even if you fix the password manually, Intune will reset it according to the applied compliance policy after every sync.
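To see the conflict on a device before changing any policy, the following diagnostic (an added example, not from the original post) compares the local account flag with what the MDM policy engine actually enforces. The PolicyManager registry path is an assumption based on where the Policy CSP materializes delivered settings; the event log may be empty on a freshly enrolled device.

```powershell
# Added example: show both sides of the conflict. Run in an elevated PowerShell on the device.

# 1. Local account view: PasswordExpires is $null when PasswordNeverExpires is set.
$admin = Get-LocalUser -Name 'Administrator'
[pscustomobject]@{
    Account              = $admin.Name
    PasswordNeverExpires = ($null -eq $admin.PasswordExpires)
    PasswordLastSet      = $admin.PasswordLastSet
}

# 2. Effective machine-wide maximum password age (what is actually applied).
net accounts | Select-String 'Maximum password age'

# 3. MDM-delivered DeviceLock policy. Path assumed: the Policy CSP materializes
#    settings under PolicyManager\current; DevicePasswordExpiration is the
#    "Password expiration (days)" setting from the Intune device restrictions profile.
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
if (Test-Path $mdmKey) {
    Get-ItemProperty -Path $mdmKey |
        Select-Object -Property DevicePasswordExpiration, DevicePasswordEnabled, MinDevicePasswordLength
} else {
    'No DeviceLock policy delivered by MDM on this device.'
}

# 4. Evidence that the policy is reapplied on each sync: recent MDM sessions
#    that touched the DeviceLock area.
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DeviceLock' } |
    Select-Object TimeCreated, Id, Message
```

If step 1 reports the flag as set while step 3 shows a non-zero DevicePasswordExpiration, the device profile is the source of the 60-day expiry.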

🧰 Solutions and Workarounds

1. Use Windows LAPS (Recommended Solution)

Windows Local Administrator Password Solution (LAPS) is now built directly into Windows 10/11 and integrates with Intune.

Why it’s the best option:

  • Automatically generates strong, unique local admin passwords per device.
  • Stores passwords securely in Entra ID (or Active Directory).
  • Automatically rotates passwords on a schedule you define.
  • Not affected by Intune password expiration rules.

How to deploy:

  1. In Intune Admin Center, go to Endpoint Security > Account Protection.
  2. Create a Windows LAPS policy.
  3. Configure password rotation, storage, and backup options.
  4. Assign the policy to your device groups.
  5. Monitor password retrieval in Intune > Devices > Local Administrator Passwords.
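Once the LAPS policy is assigned, this device-side check (an added example, not part of the original post) confirms the policy has landed and that a rotation succeeds, so you can rely on LAPS rather than the local flag. The Policies\LAPS registry location is the one Windows LAPS reads for MDM- or GPO-delivered settings; treat the property names as assumptions if your build differs.

```powershell
# Added example: verify Windows LAPS on a device before trusting it in production. Elevated shell.

# 1. Policy as delivered by the LAPS CSP. BackupDirectory: 1 = Entra ID, 2 = Active Directory.
$lapsPolicy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (Test-Path $lapsPolicy) {
    Get-ItemProperty -Path $lapsPolicy |
        Select-Object BackupDirectory, PasswordAgeDays, PasswordLength, AdministratorAccountName
} else {
    throw 'No LAPS policy present: check the policy assignment and force an Intune sync.'
}

# 2. Trigger a policy cycle now instead of waiting for the next scheduled run.
Invoke-LapsPolicyProcessing

# 3. Review the outcome: the Operational log records policy processing and the
#    backup to Entra ID/AD. Any Error-level entry means the rotation did not complete.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 4. Confirm the managed account: PasswordLastSet should now be recent. The
#    PasswordNeverExpires flag is irrelevant here because LAPS owns the rotation.
Get-LocalUser -Name 'Administrator' | Select-Object Name, Enabled, PasswordLastSet, PasswordExpires
```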

2. Adjust the Intune Password Policy

If you’re not ready to move to LAPS, modify the existing policy to prevent local password expiration conflicts.

Steps:

  1. Go to Devices > Configuration Profiles.
  2. Select your Device Restrictions policy.
  3. Navigate to Password settings.
  4. Set “Password expiration (days)” to Not Configured.
  5. Reassign or re-scope the policy to user groups only (not devices).

This ensures the password aging rule doesn’t apply to local accounts.


3. Scheduled PowerShell Workaround

For environments with legacy systems or transitional configurations, a workaround is to reapply the PasswordNeverExpires flag after every Intune sync.

Create a scheduled task:

# Run as SYSTEM so the task fires without an interactive logon and has the rights to modify local accounts.
$TaskPrincipal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
# Single quotes on the outer string keep $true literal; in a double-quoted string it would expand to "True", and the backslash is not an escape character in PowerShell.
$TaskAction = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument '-NoProfile -Command "Set-LocalUser -Name ''Administrator'' -PasswordNeverExpires $true"'
$TaskTrigger = New-ScheduledTaskTrigger -Daily -At "12:00AM"
Register-ScheduledTask -Action $TaskAction -Trigger $TaskTrigger -Principal $TaskPrincipal -TaskName "ReapplyPasswordNeverExpires" -Description "Reapply PasswordNeverExpires for local admin"

This isn’t ideal long-term, but it ensures compliance while preventing service interruptions.


🔐 Security Perspective

Several users in the thread mentioned that forcing password changes every 60 days is an outdated security approach. According to NIST SP 800-63B:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”

Modern best practices recommend:

  • Strong unique passwords instead of frequent resets.
  • Passwordless authentication (e.g., FIDO2 keys, Windows Hello for Business).
  • Conditional Access policies for risk-based authentication.

⚙️ Best Practices to Avoid Policy Conflicts

  1. Use LAPS for all local admin password management.
  2. Separate device and user policies to prevent overlap.
  3. Document policy inheritance to track which configurations affect which device types.
  4. Regularly check Intune’s “Policy Conflicts” report under:
    • Devices > Monitor > Policy Conflicts
  5. Test new password policies on pilot groups before broad deployment.

🪟 Example Deployment Scenario

Let’s say your organization enforces a 60-day password expiration policy for users.
However, you also have a standard local admin account used for IT support tasks.

Old setup:

  • Intune device policy applies to both user and device objects.
  • Local admin passwords expire every 60 days.
  • Admins must manually reset and reapply PasswordNeverExpires.

Improved setup:

  • Deploy Windows LAPS.
  • Configure Intune password policy to apply only to Entra user accounts.
  • Verify using Policy Conflicts Report that local admin is excluded.
  • Enable Just-in-Time elevation using Endpoint Privilege Management (EPM) for secure access.

🧾 Summary

Issue                                      | Cause                                     | Solution
Local admin password expires every 60 days | Intune device policy overrides PowerShell | Adjust Intune password policy or scope
PowerShell setting ignored                 | Intune sync resets local configuration    | Use LAPS or reapply setting via scheduled task
Overly strict password rotation            | Outdated security model                   | Follow NIST SP 800-63B guidelines
Manual management overhead                 | Lack of automation                        | Implement Windows LAPS

🧩 Final Recommendation

For modern, secure, and conflict-free management of local admin passwords:

  • Adopt Windows LAPS integrated with Intune.
  • Simplify password policies to reduce administrative overhead.
  • Embrace passwordless authentication for better compliance and user experience.
