AVD Intune Managed devices - Local Admin account logon issues

Jason P 116 Reputation points
2024-07-02T13:37:49.7+00:00

Hey All,

I have an issue where creating an AVD Hostpool with VMs that are Entra Joined and managed by intune, when trying to RDP directly on to the VMs with the local admin account that I specified during the setup it tells me that the account needs to have the password changed at first logon and as a result will not let me log in to them. I have gone through all my intune configs and there is nothing there that I can find that stipulates this for the local admin.

When I create the host pool and only have Entra joined and NOT intune managed I can RDP to the devices with the local admin account. Does not seem to have set the "change password and next logon" for that account.

Has anyone come across this or know how I can resolve this?

Thanks

Azure Virtual Desktop
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
1,429 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,664 questions
Accepted answer
  1. Crystal-MSFT 45,656 Reputation points Microsoft Vendor
    2024-07-03T01:57:37.01+00:00

    @Jason P, Thanks for posting in Q&A. For your issue, we would like to confirm if we set password compliance policy on the device.

    Based on my researching, if we have set this, this is a by design behavior. On Windows devices the compliance -password policy affect’s the local user accounts on the machine. However, due to security reasons windows doesn’t store any password metadata so that we don’t expedite brute force efforts. Also, we aggressively purge passwords once they are no longer necessary shortly after logon. As a result, we don’t have the data available at the time that a password policy arrives to know if it is satisfied. And that’s the reason for password must reset at next logon is that the Intune delivered policy affects local accounts and we as have no means to tell what the current password properties the only method is then the OS has to enforce policy is to mark the local accounts as password has expired.

    Hope the above information can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest