Hello everyone, after several months of inactivity I would like to post new content here on my blog regularly again. I start with a topic I already blogged about last year: how to restrict who can log on to Windows via Intune. Intune has a new feature that lets you manage the members of local groups. In my previous post I implemented this restriction with a configuration profile, adding an AAD user to the local group via a custom profile and an OMA-URI. Now Microsoft has added a new CSP (the LocalUsersAndGroups policy CSP, surfaced in the portal as an Account protection profile) that does this in a much more elegant way. How to use it is what I explain in this blog post.
Create Account Protection Policy
- Open the MEM Portal
- Click Endpoint security -> Account protection
- Click + Create Policy
- Select Windows 10 and later as Platform and Local user group membership as Profile
- Click Create

- Enter a Name and click Next.

- Select the local group you want to manage.
- Select the action you want to perform:
- Add (Update): adds the selected users or groups to the local group and keeps the existing members.
- Remove (Update): removes the selected users or groups from the local group and keeps the other existing members.
- Add (Replace): replaces the current membership of the local group with the selected users or groups; every member that is not selected is removed.
- Select the User/s or the Group/s.
- Click Next.

If you want to ensure that only a certain user can log on to the PC, select the following settings:
- Local group: Users
- Group and user action: Add (Replace)
- User selection type: Users/Groups
- Selected users/groups: the user or group you want to allow

Add (Replace) removes the default members of the Users group (NT AUTHORITY\Authenticated Users and NT AUTHORITY\INTERACTIVE). Because the "Allow log on locally" right on a workstation is granted to Users, that removal is exactly what locks every unlisted account out. Members of the local Administrators group are not affected and can still log on; on an Azure AD joined device this includes the accounts Azure AD adds as device administrators, so check that group as well and make sure you do not lock yourself out of administration.
- Click Next in the Scope tags section.
- Assign the policy to the groups that should receive it and click Next.

- Click Create
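As an added example (not code from the original post and not Microsoft's own tooling), the following PowerShell shows what each of the three actions does to a membership list and then checks on an enrolled device, after a sync, whether the Users group ended up with exactly the members the policy was supposed to leave. The account AzureAD\alice@contoso.com is an assumption, and the list of default Users members is a constructed value matching a default Windows 10/11 workstation.

```powershell
# Added example: verify the result of the "Local user group membership" policy on a device.
# 'AzureAD\alice@contoso.com' is an assumed account name; replace it with your allowed user/group.

# Model the three policy actions on a membership list so the difference is visible
# before you pick one in the portal.
function Get-ExpectedMembership {
    param(
        [string[]]$Current,   # members before the policy applies
        [string[]]$Selected,  # users/groups chosen in the policy
        [ValidateSet('AddUpdate', 'RemoveUpdate', 'AddReplace')]
        [string]$Action
    )
    switch ($Action) {
        # Add (Update): union, existing members stay
        'AddUpdate'    { @(@($Current) + @($Selected) | Select-Object -Unique) }
        # Remove (Update): difference, only the selected entries go
        'RemoveUpdate' { @($Current | Where-Object { $_ -notin $Selected }) }
        # Add (Replace): the selected entries become the whole membership
        'AddReplace'   { @($Selected | Select-Object -Unique) }
    }
}

# Compare the live membership of a local group with the membership you expected.
function Test-LocalGroupPolicyResult {
    param(
        [string]$Group = 'Users',
        [Parameter(Mandatory)][string[]]$Expected
    )
    try {
        $actual = @((Get-LocalGroupMember -Group $Group -ErrorAction Stop).Name)
    } catch {
        # Get-LocalGroupMember aborts on an orphaned SID (e.g. a deleted AAD account);
        # fall back to parsing 'net localgroup', whose member list follows the dashed line.
        $inMembers = $false
        $actual = @(foreach ($line in (net localgroup $Group)) {
            if ($line -match '^-{5,}') { $inMembers = $true; continue }
            if ($inMembers -and $line -and $line -notmatch '^The command completed') { $line.Trim() }
        })
    }
    $unexpected = @($actual   | Where-Object { $_ -notin $Expected })  # still present, should be gone
    $missing    = @($Expected | Where-Object { $_ -notin $actual })    # should be present, is not
    [pscustomobject]@{
        Group      = $Group
        Actual     = $actual
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
    }
}

# Constructed default member list of the built-in Users group on a Windows 10/11 workstation.
$defaultUsers = 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$allowed      = 'AzureAD\alice@contoso.com'   # assumption: the only user who may log on

# Add (Update) keeps Authenticated Users in the group, so the logon restriction has no effect;
# Add (Replace) leaves only the selected account.
Get-ExpectedMembership -Current $defaultUsers -Selected $allowed -Action AddUpdate
Get-ExpectedMembership -Current $defaultUsers -Selected $allowed -Action AddReplace

# On the device, after the policy has synced: Users should contain nothing but the allowed account.
$expected = Get-ExpectedMembership -Current $defaultUsers -Selected $allowed -Action AddReplace
Test-LocalGroupPolicyResult -Group 'Users' -Expected $expected

# Anyone in Administrators can still log on regardless of the Users membership, so review
# that group too (on an Azure AD joined device it includes the Azure AD device administrators).
Get-LocalGroupMember -Group 'Administrators'
```

If `Compliant` is `False` and `Unexpected` still lists `NT AUTHORITY\Authenticated Users`, the policy either has not synced yet or was assigned with Add (Update) instead of Add (Replace); if `Missing` lists your account, check that the user was resolvable on the device (the name is matched case-insensitively, as `-notin` compares strings in PowerShell).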

This way is much easier and more elegant than the one I used last year. If you need more information on this topic, you can also find it in the MS Tech Community. I hope this blog post helps you answer the question of how to manage local groups with the help of Intune.
Stay healthy, Cheers
Jannik