This is Part 2 of How to Restrict the Login to Dedicated Users with Microsoft Intune. Where Part 1 covered the standard CSP-based approach, Part 2 walks through the more advanced configurations — including dynamic group filtering, Conditional Access integration, and the gotchas you only discover after rolling out to a thousand devices.
Hello everyone, after several months of inactivity I would like to post new content regularly here on my blog. I am starting with a topic that I already blogged about last year. This post is about how to restrict who can log on to Windows via Intune. Intune has a cool new feature that allows you to manage the members of local groups. In "How to restrict the login to dedicated users with Intune" I implemented this restriction with a configuration profile and put a Microsoft Entra ID user into the local group via a custom profile and an OMA-URI. Now Microsoft has added a new CSP that allows you to do this in a much more elegant way. This blog post explains how to use it.
Create Account Protection Policy
- Open the Intune admin center
- Click Endpoint security -> Account protection
- Click + Create Policy
- Select Windows 10 and later as Platform and Local user group membership as Profile
- Click Create

- Enter a Name and click Next.

- Select the local group you want to manage.
- Select the Action you want to perform:
  - Add (Update): Adds the user/s or group/s to the group and keeps the current group memberships.
  - Remove (Update): Removes the user/s or group/s from the group and keeps the remaining group membership.
  - Add (Replace): Replaces the current group membership with the user/s or group/s you selected.
- Select the User/s or the Group/s.
- Click Next.

If you want to regulate that only a certain user can log on to the PC, you have to select the following settings:
  - Local Group: Users
  - Group and user action: Add (Replace)
  - User selection type: Users/Groups
  - Selected users/group: Select the user or group you want to add

- Assign the policy.
- Click Next, and click Next again in the Scope tags section.

- Click Create
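
To confirm on a device that the Add (Replace) setting took effect, the local Users group can be audited after the next policy sync. The PowerShell below is an added example, not from the original post; the allow-list entry is a constructed placeholder, and it assumes that Entra ID members whose names do not resolve locally are listed by SID instead.

```powershell
# Added example: audit the local Users group against the accounts chosen in the policy.
# Constructed placeholder; list the names or SIDs of the users/groups you selected.
$Allowed = @('AzureAD\jane.doe@contoso.example')

# BUILTIN\Users by well-known SID, so the check also works on non-English Windows.
$UsersGroupSid = 'S-1-5-32-545'

# Broad principals that make every signed-in account an effective member of Users.
$BroadSids = @{
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
}

function Test-UsersGroupRestriction {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Members,
        [Parameter(Mandatory)] [string[]] $AllowList
    )
    # Classify every current member (-contains is case-insensitive).
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $status = if ($BroadSids.ContainsKey($sid)) { 'BROAD' }
                  elseif ($AllowList -contains $m.Name -or $AllowList -contains $sid) { 'OK' }
                  else { 'UNEXPECTED' }
        [pscustomobject]@{ Name = $m.Name; SID = $sid; Status = $status }
    }
    # Report allow-list entries that are not present in the group at all.
    $names = @($Members | ForEach-Object { $_.Name })
    $sids  = @($Members | ForEach-Object { [string]$_.SID })
    foreach ($entry in $AllowList) {
        if ($names -notcontains $entry -and $sids -notcontains $entry) {
            [pscustomobject]@{ Name = $entry; SID = ''; Status = 'MISSING' }
        }
    }
}

$members = @(Get-LocalGroupMember -SID $UsersGroupSid -ErrorAction Stop)
$report  = @(Test-UsersGroupRestriction -Members $members -AllowList $Allowed)
$report | Format-Table -AutoSize

# Non-zero exit code when the group does not match the intended restriction.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { exit 1 }
```

A `BROAD` or `UNEXPECTED` row means accounts other than the selected ones can still count as members of Users; `MISSING` means the selected account has not been added yet.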

This way is much easier and more elegant than the way I used last year. If you need more information on this topic, you can also find it in the Microsoft Tech Community. I hope this blog post helps you answer the question of how you can manage local groups with the help of Intune.
Stay healthy, Cheers
Jannik
