GMS auth.managed triggers SetNewPasswordActivity unexpectedly on Android Enterprise Fully Managed devices

e operate ~3000 Samsung Galaxy XCover Pro 2 devices (SM-G736B) running Android 16 (BP2A.250605.031.A3, security patch G736BXXSBGZC1) in Fully Managed Device Owner mode via Microsoft Intune. Devices are deployed in retail stores using Microsoft Managed Home Screen with Azure AD Shared Device Mode for store associate sign-in.

Sporadically, individual devices have started prompting end users to set a device screen lock credential, even though no Intune compliance policy or DPC-driven password policy requires one. Investigation of dumpstate logs shows that the SetNewPasswordActivity is launched by com.google.android.gms (specifically the auth.managed component, based on activity registration com.google.android.gms.auth.managed.ui.SetNewPasswordActivity):

2026-04-27 18:28:32.812 SetNewPasswordActivity: com.google.android.gms
2026-04-27 18:29:09.141 SaveAndFinishWorker: com.android.settings, ComponentInfo{com.android.settings/com.samsung.android.settings.biometrics.BiometricsChooseLockGeneric}
2026-04-27 18:29:09.150 Enroll [User 0 PASSWORD][com.android.settings:31522]

The dialog presents the user with what appears to be a high-complexity requirement (alphanumeric password, not PIN). Once the user complies and sets a credential, the device subsequently requires that credential after every restart, which breaks our shared device usage model.

Anyone have a clue what triggers GMS to require a passcode?

Best regards
//Niklas