Create an Intune Device Profile for User Login Restriction

Benoit Lecours | SCCM | 1 Comment

I was asked to restrict domain user access on a Windows 10 device managed by Intune. The computer was configured in Single-App Kiosk mode, so we needed to prevent users from pressing CTRL-ALT-DEL and logging on to the computer with their domain credentials.

After searching through the Intune device restrictions available for Windows 10, I couldn't find any UI setting for this, so I had to use a Custom profile type (custom profiles are also called OMA-URI settings). This blog post describes how to create an Intune device profile that restricts user login rights.

This post assumes that you have a valid Intune subscription and that your Windows 10 device is Intune-managed.

  • Open the Intune Console
  • Go to Device Configuration
  • Click on Profiles then Create Profile
  • Enter a Name, Description
  • Platform : Windows 10 and later
  • Profile Type : Custom
  • Click the Settings / Configure button
  • On the Custom OMA-URI Settings pane on the right, click Add
  • Enter a Name and Description for your policy
    • OMA-URI : ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
    • Data Type : String
    • Value : <![CDATA[*S-1-5-113]]>

The challenge was to find the correct syntax for the CDATA value. The documentation says to use group names like “Administrator” or “Remote Desktop Users”, but our testing revealed that this was not working on non-English operating systems. As mentioned in the comment section of the documentation article, we decided to try the account SID instead. Reading through the documentation, we selected S-1-5-113 (LOCAL_ACCOUNT). This ensures that only local accounts can log on to the machine, preventing our domain users from using their accounts.
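To show why the SID form is locale-independent and to make the value syntax explicit, here is an added PowerShell example (not code from the original post). It builds the CDATA string for the AllowLocalLogOn OMA-URI from a list of SIDs or account names, resolves names to SIDs on the local machine, and shows the locale-specific name that sits behind a well-known SID. The function names are my own; the use of U+F000 (typed as the XML escape `&#xF000;`) as the separator between multiple entries is taken from the Policy CSP UserRights documentation and is assumed to apply here.

```powershell
# Added example (not from the original post): build and sanity-check the CDATA value for
# ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn.
# Assumptions: each entry is "*<SID>"; multiple entries are separated by U+F000,
# written as the XML escape "&#xF000;" (per the Policy CSP UserRights documentation).

function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    # Already a SID string (with or without the leading "*")? Return it unchanged.
    $bare = $Account.TrimStart('*')
    if ($bare -match '^S-1-\d+(-\d+)+$') { return $bare }
    # Otherwise translate the account name to a SID on this machine.
    # Name lookups depend on the OS language, which is exactly why the post uses SIDs.
    $nt = [System.Security.Principal.NTAccount]::new($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-UserRightsCdataValue {
    param([Parameter(Mandatory)][string[]]$Accounts)
    $entries = foreach ($a in $Accounts) { '*' + (Resolve-AccountSid -Account $a) }
    # U+F000 is the documented list separator; "&#xF000;" is how it is typed in the Intune value box.
    $joined = $entries -join '&#xF000;'
    return "<![CDATA[$joined]]>"
}

function Get-SidDisplayName {
    param([Parameter(Mandatory)][string]$Sid)
    # Reverse lookup: shows the localized name behind a locale-independent SID.
    try {
        [System.Security.Principal.SecurityIdentifier]::new($Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { '<unresolvable on this host>' }
}

# The post's value: only local accounts (LOCAL_ACCOUNT, S-1-5-113) may log on interactively.
$value = New-UserRightsCdataValue -Accounts @('S-1-5-113')
Write-Host "OMA-URI value : $value"
Write-Host "S-1-5-113 is  : $(Get-SidDisplayName 'S-1-5-113')"

# Variant with two entries: local accounts plus the built-in Administrators group (S-1-5-32-544).
Write-Host (New-UserRightsCdataValue -Accounts @('S-1-5-113', 'S-1-5-32-544'))
```

Run it on any Windows host; the first output line is the exact string to paste into the Value field. Running the display-name lookup on an English and a non-English machine makes the point of the post visible: the SID is identical on both, while the name differs.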

We also decided to add another setting to make sure that the MDM policy wins over Group Policy. Since Windows 10 version 1803 there is a new Policy CSP area called ControlPolicyConflict that includes the MDMWinsOverGP policy. This ensures that the Intune policy wins if there is a group policy with the same settings.

  • To add the second setting, on the Custom OMA-URI Settings pane on the right, click Add
  • Enter a Name and Description for your policy
    • OMA-URI : ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
    • Data Type : Integer
    • Value : 1
  • Click Ok then Save
  • Still in the Profile you created, click on Assignments
  • Assign your profile to a test device or test group

Intune Device Profile User Login Restriction Monitoring

To monitor the deployment of your Intune profile:

  • Click Device Status at the bottom of the Profile you just created
  • The machine(s) that received the profile will be listed; click on one of them.
  • The Device overview pane will open; click on Device Configuration and then click your policy on the right.
  • You can see the deployment status and the last status update; click on it for more information.

On the device, when a user tries to log on with a domain account, Windows shows a notification refusing the logon (pictured in the original post).
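Device Status in the console tells you that the profile was delivered, not what the device actually enforces. The following added PowerShell script (my own, not from the post) checks both settings on the managed device itself: it reads the values the Policy CSP recorded for AllowLocalLogOn and MDMWinsOverGP and compares the effective "Allow log on locally" right, exported with secedit, against the SIDs the profile is supposed to set. The registry location `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>` and the function names are assumptions; run it elevated.

```powershell
# Added example (not from the original post): verify on the Windows 10 device that the two
# Policy CSP settings from the profile took effect. Run from an elevated prompt.
# Assumptions: applied Policy CSP values are mirrored under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>, and secedit exports the
# effective user rights as "SeInteractiveLogonRight = *SID,*SID" in the [Privilege Rights] section.

$ExpectedSids = @('S-1-5-113')   # what the profile sets: only LOCAL_ACCOUNT may log on locally

function Get-PolicyManagerValue {
    param([Parameter(Mandatory)][string]$Area, [Parameter(Mandatory)][string]$Policy)
    $key  = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    $item = Get-ItemProperty -Path $key -Name $Policy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }     # policy never delivered to this device
    return $item.$Policy
}

function Get-EffectiveInteractiveLogonRight {
    # Export only the user-rights area and pull the SeInteractiveLogonRight line.
    $cfg = Join-Path $env:TEMP 'userrights-check.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Entries are comma separated; SIDs carry a leading "*", names (if any) do not.
    return ($line -split '=', 2)[1].Split(',') |
           ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Test-LoginRestriction {
    param([string[]]$Expected = $ExpectedSids)
    $mdmValue   = Get-PolicyManagerValue -Area 'UserRights' -Policy 'AllowLocalLogOn'
    $mdmWins    = Get-PolicyManagerValue -Area 'ControlPolicyConflict' -Policy 'MDMWinsOverGP'
    $effective  = @(Get-EffectiveInteractiveLogonRight)
    $missing    = @($Expected  | Where-Object { $_ -notin $effective })
    $extra      = @($effective | Where-Object { $_ -notin $Expected })   # e.g. a domain group still present
    [pscustomobject]@{
        MdmAllowLocalLogOn = $mdmValue
        MdmWinsOverGP      = $mdmWins
        EffectiveRight     = $effective
        MissingExpected    = $missing
        ExtraEntries       = $extra
        Compliant          = ($missing.Count -eq 0 -and $extra.Count -eq 0 -and $mdmWins -eq 1)
    }
}

Test-LoginRestriction | Format-List
```

A non-empty ExtraEntries list is the condition worth alerting on: it means a group policy or a local change is still granting the logon right to accounts the Intune profile was meant to exclude, which is exactly the conflict MDMWinsOverGP is there to resolve.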

One Comment on “Create an Intune Device Profile for User Login Restriction”

  1. Interesting, thank you for sharing! Just for clarification; do computers have to be domain joined for this to work?

    Cheers,
    Pär
