Jannik Reinhard


How to Restrict the Login to Dedicated Users with Intune – Part 2

22. May 2022 / 2. July 2026, jannikreinhard

This is Part 2 of How to Restrict the Login to Dedicated Users with Intune. Part 1 covered the standard CSP-based approach; Part 2 walks through the more advanced configurations, including dynamic group filtering, Conditional Access integration, and the gotchas you only discover after rolling out to a thousand devices.

Hello everyone, after several months of inactivity I would like to post new content regularly here on my blog. I will start with a topic I already blogged about last year: how to restrict the login to dedicated users with Intune so that only approved accounts can sign in to Windows. Intune has a new feature that allows you to manage the members of local groups.

In Part 1 I implemented this restriction with a configuration profile, adding a Microsoft Entra ID user to the local group via a custom profile and an OMA-URI. Microsoft has since added a new CSP that lets you do this in a much more elegant way, and this post explains how to use it.

Table of contents

  • Why You Should Restrict the Login to Dedicated Users with Intune
  • Create Account Protection Policy
  • Advanced Tips and Common Pitfalls

Why You Should Restrict the Login to Dedicated Users with Intune

Before we dive into the configuration, it is worth understanding the reasoning. In many organizations, shared and kiosk-style devices, frontline worker laptops, and high-security workstations should only be accessible to a specific set of people. The ability to restrict the login to dedicated users with Intune gives you a clean, policy-driven way to enforce this without touching Active Directory or running brittle logon scripts. Instead of relying on local accounts, you control exactly which Microsoft Entra ID users or groups end up in the local Users or Administrators group.

This approach also scales nicely. Because the policy is assigned to Intune groups, you can target thousands of devices with a single configuration, and the membership stays consistent even as people join or leave a team. When you restrict the login to dedicated users with Intune, the result is a predictable, auditable security baseline that survives reboots, reimaging, and Autopilot resets.

Create Account Protection Policy

  • Open the Intune admin center.
  • Click Endpoint security -> Account protection.
  • Click + Create Policy.
  • Select Windows 10 and later as Platform and Local user group membership as Profile.
  • Click Create.
  • Enter a Name and click Next.
  • Select the local group you want to manage.
  • Select the Action you want to perform:
    • Add (Update): Adds the selected user(s) or group(s) to the local group and keeps the current members.
    • Remove (Update): Removes the selected user(s) or group(s) from the local group and keeps the other current members.
    • Add (Replace): Replaces the current membership of the local group with the user(s) or group(s) you selected.
  • Select the User(s) or Group(s).
  • Click Next.

If you want to ensure that only a certain user can log on to the PC, select the following settings:
– Local Group: Users
– Group and user action: Add (Replace)
– User selection type: Users/Groups
– Selected users/group: Select the user or group you want to add

  • Assign the policy.
  • Click Next, and Next again in the Scope tags section.
  • Click Create.

Advanced Tips and Common Pitfalls

A few hard-won lessons are worth sharing. First, be very careful with the Add (Replace) action on the local Administrators group. If you replace its membership and forget to keep an emergency admin account, you can lock yourself out of recovery scenarios. When you restrict the login to dedicated users with Intune on the Users group, the impact is far less destructive, so start there while you validate the behaviour.

Second, remember that the policy works with the Microsoft Entra ID security identifier (SID) of the selected users and groups. If a device is not yet fully joined and synced, the membership may not apply on the first sync cycle. Give it time, or trigger a manual sync, and confirm the result with net localgroup Users from an elevated command prompt.
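The manual net localgroup check above can be scripted so it runs after every sync. The following PowerShell is an added example, not code from the original post: it parses the output of net localgroup for a given group, compares the members with the ones you expect, and flags the Add (Replace) pitfall on the Administrators group from the first tip. The group names, the expected members, the placeholder SID and the break-glass account name are assumptions; it also assumes an elevated, English-language PowerShell session.

```powershell
# Added example (not from the original post). Verifies the result of the
# "Local user group membership" policy on a device. Run elevated; the
# parsing assumes English "net localgroup" output.

function Get-NetLocalGroupMember {
    param([Parameter(Mandatory)][string]$GroupName)
    # Members are the lines between the dashed separator and the
    # trailing "The command completed successfully." line.
    $lines = & net.exe localgroup $GroupName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net localgroup $GroupName failed: $lines" }
    $members = @()
    $inMembers = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}') { $inMembers = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inMembers -and "$line".Trim()) { $members += "$line".Trim() }
    }
    return $members
}

function Test-LocalGroupMembership {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$Expected, # names or SIDs as net localgroup prints them
        [string]$BreakGlass                        # member that must never be dropped
    )
    $actual = Get-NetLocalGroupMember -GroupName $GroupName
    $result = [pscustomobject]@{
        Group      = $GroupName
        Unexpected = @($actual | Where-Object { $_ -notin $Expected })
        Missing    = @($Expected | Where-Object { $_ -notin $actual })
        Compliant  = $true
    }
    if ($result.Unexpected -or $result.Missing) { $result.Compliant = $false }
    # Pitfall check: an Add (Replace) on Administrators that removed the
    # emergency admin leaves no local recovery path on the device.
    if ($BreakGlass -and ($actual -notcontains $BreakGlass)) {
        Write-Warning "$GroupName no longer contains break-glass account '$BreakGlass'"
        $result.Compliant = $false
    }
    return $result
}

# Usage with assumed values. Entra ID groups are often listed only by their
# SID, so put the SID in the expected list (placeholder below).
Test-LocalGroupMembership -GroupName 'Users' -Expected @('S-1-12-1-<ENTRA-GROUP-SID-PLACEHOLDER>')
Test-LocalGroupMembership -GroupName 'Administrators' `
    -Expected @('Administrator', 'AzureAD\admin@contoso.example') -BreakGlass 'Administrator'
```

A non-compliant result on Users after a sync usually means the policy has not applied yet; re-run it after a manual sync before changing the assignment.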

Third, combine this control with Conditional Access. Restricting the local group membership stops the wrong people from logging on locally, but pairing it with Conditional Access policies adds a second layer that governs cloud sign-ins as well. Together these give you a defense-in-depth model when you restrict the login to dedicated users with Intune across your fleet.

This way is much easier and more elegant than the way I used last year. If you need more information on this topic, you can also find it in the Microsoft Tech Community. I hope this blog post helps you manage local groups and restrict the login to dedicated users with Intune.

Stay healthy, Cheers
Jannik

Account Protection Policies, Conditional Access, Configuration Profiles, Intune, Local Group Membership, Restrict login, Windows
