Restrict which users can logon into a Windows 10 device with Microsoft Intune

Today a short article in which I show how we can restrict which users can logon into a Azure AD joined Windows 10 device with Microsoft Intune.

Intune or Azure Active Directory don`t provide an out-of-the-box solution for this, but with a custom Intune profile we can do the job.

My first thought was to remove Authenticated Users from the build-in Users group with the Configuration Service Provider (CSP) policy ConfigureGroupMembership and add the Azure AD users which are allowed to sign-in to the device to the Users group.
I was successful in removing Authenticated Users and adding the AAD users, but other users where still able to sign-in to the device.

At that moment I realized, I already used such a solution for a Windows 10 kiosk device, which is described here. Here I restricted the logon rights to only local accounts by using CSP policy AllowLocalLogon (User Right to Sign In Locally).

After some testing I was able to add multiple Azure AD account to the AllowLocalLogon setting, which prohibits other users from logging on into the Windows device.

Configure the Custom Configuration profile

To achieve the required restrictions, we use the CSP policy AllowLocalLogon. To deploy the policy setting to a Intune managed device, we need to use a Custom Configuration profile.

  • Choose Windows 10 and later as Platform
  • Choose Custom as Profile type
  • Click Create
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Click the Settings tab
  • Click Add

Information needed to create the OMA-URI and additional information can be found on Microsoft Docs here.
In the value field, we need to enter the accounts which we allow to sign-in to the device. Where the documentation describes the CDATA tag <![CDATA[…]]> needs to be used, this gives an error in the Intune portal (even though the policy is applied with success). You can just add the account in the value field.
When you add multiple accounts, the accounts should be separated with &#xF000; when using the CDATA tag. When we don`t use the CDATA tag, we need to convert &#xF000; via for example this tool. The outcome (square box), can be used as a separator.

Enter below information to the policy;
Name: UserRights – AllowLocalLogOn
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
Data Type: String
Value:
AdministratorsAzureAD\demo.user@peterklapwijk.com

Click OK (twice) and click Create.

Assign the profile to a security group and your ready for testing.

End-user experience

As soon as the policy is applied to the device, we can see in the MDMDiagnostics log the settings are successfully applied.

And when a user tries to sign in to the Windows 10 device, which is not granted the User Right to Sign In Locally (AllowLocalLogOn), he is prohibited and receives this error message.
The sign-in method you`re trying to use isn`t allowed. For more info, contact your network administrator.

That`s it for this post, thank you for reading!

If you`d like to read how we can create a local user account with Intune, read this post.

Thanks to Mark Thomas for the workaround mentioned on Twitter.

27 Comments

  1. I like your method – I was wondering if this could be reversed. If I wanted to restrict a group from logging into certain computers?
    I have a group of shared temp accounts, I want them to only be able to sign into certain computers. So maybe a domain wide config that “excludes” this particular group of users?? Is that possible?

        • Hi Helmer,

          I tried that. The AAD group is added to the local group, the local group is assigned the AllowLocalLogon right, but still it didn`t work.
          The member of the AAD group isn`t allowed to logon. Just as a test is also added an AAD user to the same local group and that account was allowed to logon.
          Probably something isn`t working in the nesting chain with AAD group, the members and the local right.

          • Hi Peter,

            I am not sure the exact value that needs to go in it says AdministratorsAzureAD\user@xyz.com. What is the question mark symbol betweek Administrators and AzureAD and can I specify this policy as user@xyz.com or how do I do this for all user? Let us say I login to the device as User1 and User3 my User1 is jon.doe@xyz.com and User3 is don.king@xyz.com.

            How would I put this value for all users? I do not want to be specific and it cannot be as it has to be generic for all users. I hope I am clear in that I asking for?

  2. Hi Peter,
    I followed your guidelines but I am unable to access with any user .
    our local admin is being renamed to something else and I replace the line Administrator to admin-temp but I cannot login with it .
    What I am missing ?

    • Hi Guy,

      I wouldn`t remove the administrators group from the setting. As your admin-temp is member of that, he should be able to logon to the device.
      If that works fine, add an user (or group) next to the administrators group and try to logon. If it doesn`t work, you`re at least able to sign-in with an administrator account and able to review the event logs.

  3. I want to do a 1 to 1 configuration, that is, assign only one user to a laptop, I have 10 users and 10 laptops. I have to create a personalized profile for each user?

      • Do you have any solutions for this? I don’t want to create a personalized profile for each user tbh
        i can grab the user sid with a powershell script, that’s no problem. but how to automate config-profile & oma-uri settings? any ideas?

  4. Hi, thanks for your response.

    that how can I do it ??? I think it can be with OMA-URI AllowLocalLogOn but I am not very clear how to do it. You can help?

  5. Is there any option to perform this for an AzureAD group? Nesting does not work and I have a situation where 300 users are allowed to logon and all others not.
    The idea to add the primary user would be a perfect solution. Perhaps with an Powershell that runs on first logon?

  6. Since using this, The kioskuser0 account is not permitted login and the kiosk configuration doesn’t work. Please can you advise what needs to be added to allow that user to login? I’ve tried .\kioskuser0 but then i receive an error message in the oma-uri policy application.

    • I am getting the same error message. Were you able to resolve this issue? If so, can you let me know what method was used? Thank you!

  7. Hi Peter
    Is it mandatory to add the AAD prefix before the user to have it working?
    Thanks

  8. Hello Peter,

    I have problems with the mentioned decoding. It does not recognize the  that I set in between the characters. Any idea how to fix this separator issue? I tried it in Chrome and in Edge to make sure it has nothing to do with how the Browser recognizes the character.

  9. So how would you undo this profile? It looks like this method removes Administrators, Backup Operators, Guest, and Users groups from the Allow Log On Locally policy on the computer and adds in the user accounts you specify in the profile. I tried to go into the Local Security Policy and re-add those local groups, but it doesn’t find them. Once I remove this profile from the computer, I am unable to login with any user and my only option is autopilot reset.

  10. Nice Post. I tried it with our environment and confirmed this works. However, I am getting the error 0x87d1fde8 even if I use the CDATA or not. Hopefully, you can help me how to resolve the reporting error. Thank you.

  11. Hi

    Do you know if this works on Windows Holographic ?
    I’ve tried but have no success at all, the policy doesn’t seem to be affected to the device on Intune..

  12. Your method leaves out assignments.
    We have 400 laptops and want to limit the logins to ONLY the primary user.

    So this method suggests we need 400 profiles and 400 groups containing one laptop each.

    Wow! MS really need to provide a proper solution.

  13. Hi Peter,

    Thank you for this; it really helped me. But the question is, how do we reverse this? E.g., we only allow user1@aad.com to log in and block everyone else, let’s say user2@aad.com; how do we revert this to allow user2@aad.com to log in again after being blocked by this?

  14. Hello Peter. Can this be applied to a group as well? Meaning, allow local account to login and anybody in group “CloudAdmins” and restrict anyone else from logging in?
    Also, can the message “The sign-in method you’re using….” be customized to say something different?

    • I also need a way to apply this to a specific group, rather than each machine and individual user. I have 61 machines that I need to restrict login to with any account other than the ones in a specific group, and don’t want to go through and create a configuration profile for each one

Leave a Reply

Your email address will not be published.


*