How to restrict the login to dedicated users with Intune

In on-premises Active Directory it was possible to allow a user to log on only to certain computers (the "Log On To" setting on the account). This is not as easy with Azure AD and Intune. In this blog post we look at how you can achieve it with a custom configuration profile that sets the "Allow log on locally" user right.

Creating the Custom Profile for the login restriction

  • Open the MEM Portal
  • Navigate to Devices -> Configuration Profile
  • Click + Create profile
  • Select Windows 10 and later as Platform
  • Select Template -> Custom as Profile type
  • Click Create
  • Enter a Name and click Next
  • Click Add
  • Enter the following information:
  • Name: LocalLoginRestriction
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
  • Data Type: String
  • Value: the allowed account(s), see below

As Value you specify the account(s) that are allowed to log on. Several accounts can be listed, but they must be separated by the Unicode character U+F000, whose XML character reference is:

& #xF000;    (written without the space between & and #)

You cannot type that reference into the Value field as-is: the field is stored literally, so the reference has to be decoded to the actual U+F000 character first. Use an XML/HTML entity decoder (several exist online), generate the character yourself (for example [char]0xF000 in PowerShell), or copy the character itself, which is a private-use code point and renders as a blank or a box, from here:

Always keep the Administrators group (or the account you administer the device with) in the list, and pilot the profile on a single test device first. If the list does not contain any principal you can still use, nobody can log on interactively to the device once the policy applies.

Here are a few examples that you can specify as value:

Allow logon only for local accounts (the well-known "Local account" SID):

<![CDATA[*S-1-5-113]]>

All users who have logged on locally at the console (the well-known LOCAL group):

<![CDATA[*S-1-2-0]]>

The Administrators group plus an Azure AD user (the two entries are separated by the decoded U+F000 character, shown here as <U+F000> because it is invisible):

Administrators<U+F000>AzureAD\user@tenant.com
  • Click Save
  • Click Next
  • Assign the Policy to a group
  • Click Next
  • Click Next
  • Click Create
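The following PowerShell is an added example, not code from the original post. It builds the AllowLocalLogOn value with the real U+F000 separator (and refuses an undecoded `&#xF000;` entity), puts it on the clipboard for the portal, and as an alternative creates the same custom profile through Microsoft Graph. The account list, the profile name and the presence of the Microsoft.Graph PowerShell module are assumptions; assignment to a group is a separate Graph call and is not shown.

```powershell
# Added example (not from the original post): build the AllowLocalLogOn value and
# optionally create the custom OMA-URI profile via Microsoft Graph.
# Assumed placeholders: the accounts in $Accounts, the profile name, and that the
# Microsoft.Graph module is installed (Install-Module Microsoft.Graph).

# The separator is the Unicode code point U+F000. "&#xF000;" is only its XML
# character reference and would be stored as literal text if pasted as-is.
$Separator = [string][char]0xF000

function New-AllowLocalLogOnValue {
    param([Parameter(Mandatory)][string[]]$Accounts)
    # Catch the mistake the post warns about: an entity that was never decoded
    foreach ($a in $Accounts) {
        if ($a -match '&#x?[0-9A-Fa-f]+;') { throw "Account '$a' contains an XML entity; decode it to the character first" }
    }
    return ($Accounts -join $Separator)
}

function Show-AllowLocalLogOnValue {
    param([Parameter(Mandatory)][string]$Value)
    # Make the invisible private-use separator visible for review
    return $Value.Replace($Separator, '<U+F000>')
}

# Keep an administrative principal in the list so the device stays usable.
$Accounts = @('Administrators', 'AzureAD\user@tenant.com')
$Value    = New-AllowLocalLogOnValue -Accounts $Accounts
Show-AllowLocalLogOnValue -Value $Value

# Option A: paste into the Value field of the custom OMA-URI setting.
# The clipboard keeps the U+F000 character intact.
Set-Clipboard -Value $Value

# Option B: create the profile with the Graph API (beta endpoint for custom profiles).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$Body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'LocalLoginRestriction'
    description   = 'Restrict interactive logon to dedicated accounts'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'LocalLoginRestriction'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn'
            value         = $Value   # ConvertTo-Json escapes U+F000 as \uf000, which Graph decodes again
        }
    )
} | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body $Body -ContentType 'application/json'
```

Run Show-AllowLocalLogOnValue before assigning the profile: if the output shows `&#xF000;` or the accounts run together with no `<U+F000>` marker, the separator is wrong and the device would receive a single, non-existent account name.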

So now let's test this out. I am trying to log in with a user that is not allowed.

This is what the screen looks like when a user who is not in the list tries to log in.
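Before testing with a real logon, it is worth checking on the enrolled device that the value arrived as intended. The script below is an added example, not code from the original post: it reads the value Policy CSP recorded for the device (registry path under PolicyManager\current\device, an assumption about where current Windows builds cache received policies) and compares it with the effective "Allow log on locally" right from a security policy export. Run it in an elevated PowerShell on the test device.

```powershell
# Added example (not from the original post): verify on an enrolled device that the
# AllowLocalLogOn policy arrived and what the effective user right now is.
# Assumption: Policy CSP caches received device-scope policies under the registry
# key below; the function returns $null if the key or value is not present.

$Separator = [string][char]0xF000

function Get-ReceivedAllowLocalLogOn {
    # The value exactly as received from Intune, with the separator made visible
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\UserRights'
    $v = (Get-ItemProperty -Path $key -Name AllowLocalLogOn -ErrorAction SilentlyContinue).AllowLocalLogOn
    if ($null -eq $v) { return $null }
    return $v.Replace($Separator, '<U+F000>')
}

function Get-EffectiveAllowLocalLogOn {
    # Export the local security policy and read SeInteractiveLogonRight,
    # which is the user right behind "Allow log on locally"
    $cfg = Join-Path $env:TEMP 'secpol.cfg'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Line format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $sids = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($s in $sids) {
        $sid = $s.Trim().TrimStart('*')
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            # Azure AD principals (S-1-12-1-...) usually cannot be resolved offline
            $name = '(unresolved, e.g. an Azure AD principal)'
        }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}

"Received from Intune: " + (Get-ReceivedAllowLocalLogOn)
Get-EffectiveAllowLocalLogOn | Format-Table -AutoSize
```

If the received value is $null the profile has not reached the device yet (sync from Settings > Accounts > Access work or school, or wait for the next check-in). If the effective list contains only entries you did not expect, or a single unresolved SID, the separator was most likely not decoded before the value was saved.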

Conclusion

Restricting logon may be required for special use cases. Unfortunately, this is currently only possible with local and Azure AD users or local groups; central management via an Azure AD group is not possible as of today. A blog post with a possible workaround will follow soon.

Stay healthy, Cheers
Jannik
