Restrict which users can logon into a Windows 10 device with Microsoft Intune

Today a short article in which I show how we can restrict which users can logon into a Azure AD joined Windows 10 device with Microsoft Intune.

Intune or Azure Active Directory don`t provide an out-of-the-box solution for this, but with a custom Intune profile we can do the job.

My first thought was to remove Authenticated Users from the build-in Users group with the Configuration Service Provider (CSP) policy ConfigureGroupMembership and add the Azure AD users which are allowed to sign-in to the device to the Users group.
I was successful in removing Authenticated Users and adding the AAD users, but other users where still able to sign-in to the device.

At that moment I realized, I already used such a solution for a Windows 10 kiosk device, which is described here. Here I restricted the logon rights to only local accounts by using CSP policy AllowLocalLogon (User Right to Sign In Locally).

After some testing I was able to add multiple Azure AD account to the AllowLocalLogon setting, which prohibits other users from logging on into the Windows device.

Configure the Custom Configuration profile

To achieve the required restrictions, we use the CSP policy AllowLocalLogon. To deploy the policy setting to a Intune managed device, we need to use a Custom Configuration profile.

  • Choose Windows 10 and later as Platform
  • Choose Custom as Profile type
  • Click Create
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Click the Settings tab
  • Click Add

Information needed to create the OMA-URI and additional information can be found on Microsoft Docs here.
In the value field, we need to enter the accounts which we allow to sign-in to the device. Where the documentation describes the CDATA tag <![CDATA[…]]> needs to be used, this gives an error in the Intune portal (even though the policy is applied with success). You can just add the account in the value field.
When you add multiple accounts, the accounts should be separated with &#xF000; when using the CDATA tag. When we don`t use the CDATA tag, we need to convert &#xF000; via for example this tool. The outcome (square box), can be used as a separator.

Enter below information to the policy;
Name: UserRights – AllowLocalLogOn
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
Data Type: String

Click OK (twice) and click Create.

Assign the profile to a security group and your ready for testing.

End-user experience

As soon as the policy is applied to the device, we can see in the MDMDiagnostics log the settings are successfully applied.

And when a user tries to sign in to the Windows 10 device, which is not granted the User Right to Sign In Locally (AllowLocalLogOn), he is prohibited and receives this error message.
The sign-in method you`re trying to use isn`t allowed. For more info, contact your network administrator.

That`s it for this post, thank you for reading!

If you`d like to read how we can create a local user account with Intune, read this post.

Thanks to Mark Thomas for the workaround mentioned on Twitter.


  1. I like your method – I was wondering if this could be reversed. If I wanted to restrict a group from logging into certain computers?
    I have a group of shared temp accounts, I want them to only be able to sign into certain computers. So maybe a domain wide config that “excludes” this particular group of users?? Is that possible?

  2. Hi Peter,
    I followed your guidelines but I am unable to access with any user .
    our local admin is being renamed to something else and I replace the line Administrator to admin-temp but I cannot login with it .
    What I am missing ?

    • Hi Guy,

      I wouldn`t remove the administrators group from the setting. As your admin-temp is member of that, he should be able to logon to the device.
      If that works fine, add an user (or group) next to the administrators group and try to logon. If it doesn`t work, you`re at least able to sign-in with an administrator account and able to review the event logs.

  3. I want to do a 1 to 1 configuration, that is, assign only one user to a laptop, I have 10 users and 10 laptops. I have to create a personalized profile for each user?

  4. Hi, thanks for your response.

    that how can I do it ??? I think it can be with OMA-URI AllowLocalLogOn but I am not very clear how to do it. You can help?

  5. Is there any option to perform this for an AzureAD group? Nesting does not work and I have a situation where 300 users are allowed to logon and all others not.
    The idea to add the primary user would be a perfect solution. Perhaps with an Powershell that runs on first logon?

  6. Since using this, The kioskuser0 account is not permitted login and the kiosk configuration doesn’t work. Please can you advise what needs to be added to allow that user to login? I’ve tried .\kioskuser0 but then i receive an error message in the oma-uri policy application.

  7. Hi Peter
    Is it mandatory to add the AAD prefix before the user to have it working?

  8. Hello Peter,

    I have problems with the mentioned decoding. It does not recognize the  that I set in between the characters. Any idea how to fix this separator issue? I tried it in Chrome and in Edge to make sure it has nothing to do with how the Browser recognizes the character.

Leave a Reply

Your email address will not be published.