I was asked to restrict domain user access on a Windows 10 device managed by Intune. The computer was configured as a Single-App Kiosk mode so we needed to prevent a user to use CTRL-ALT-DEL and log on the computer using his domain credentials.
After searching through the Intune Device restrictions available for Windows 10, I couldn’t find any UI settings for that. I had to use a Custom Profile type for that. (Custom Profiles are also called OMA-URI Settings) This blog post will describe how to Create an Intune Device Profile Restriction User Login to restrict login rights
This post assumes that you have a valid Intune subscription and that your Windows 10 device is Intune Managed.
- Open the Intune Console
- Go to Device Configuration
- Click on Profiles then Create Profile
- Enter a Name, Description
- Platform : Windows 10 and later
- Profile Type : Custom
- Click the Settings / Configure button
- On the Custom OMA-URI Settings pane on the right, click Add
- Enter a Name and Description for your policy
- OMA-URI : ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
- Data Type : String
- Value :
<![CDATA[*S-1-5-113]]>
The challenge was to find the correct syntax of the CDATA value. The documentation is stating to use group names like “Administrator” or “Remote Desktop Users” but our testing revealed that is was not working in non-English Operating systems. As mentioned in the comment section of the article we decided to try using the account SID. Reading through the documentation we selected the S-1-5-113 (LOCAL_ACCOUNT). This ensure that only local accounts can log to the machine, preventing our domain user to use their account.
We also decide to add another setting to make sure that the MDM Policy wins over Group policy. Since Windows 1803 there’s a new Policy CSP setting called ControlPolicyConflict that includes the policy of MDMWinsOverGP. This ensures that the Intune policy wins if there’s a group policy with the same settings.
- To add the second settings, on the Custom OMA-URI Settings pane on the right, click Add
- Enter a Name and Description for your policy
- OMA-URI : ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
- Data Type : Integer
- Value : 1
- Click Ok then Save
- Still in the Profile you created, click on Assignments
- Assign your profile to a test device or test group
Intune Device Profile User Login Restriction Monitoring
To monitor the deployment of your Intune Profile :
- Click Device Status at the bottom of the Profile you just created
- The machine(s) that received the profile will be listed, click on it.
- The Device overview pane will open, click on Device Configuration and click your policy on the right
- You can see the deployment status and the last status update, you can click on it to have more information
On the Device, when trying to log using a domain account, the users receive the following notification :
Share this Post
The post Create an Intune Device Profile for User Login Restriction appeared first on System Center Dudes.