Create an Intune Device Profile for User Login Restriction

Benoit Lecours | SCCM


I was asked to restrict domain user access on a Windows 10 device managed by Intune. The computer was configured in Single-App Kiosk mode, so we needed to prevent a user from pressing CTRL-ALT-DEL and logging on to the computer with his domain credentials.

After searching through the Intune Device Restrictions available for Windows 10, I couldn't find any UI setting for that, so I had to use a Custom profile type (Custom profiles are also called OMA-URI settings). This blog post describes how to create an Intune Device Profile that restricts user login rights.

This post assumes that you have a valid Intune subscription and that your Windows 10 device is Intune Managed.

Intune Device Profile User Login Restriction
  • In the Intune portal, go to Devices > Configuration profiles, then click Create Profile at the top
  • Platform: Windows 10 and later
  • Profile: Custom
  • Click Create at the bottom
  • In the Basics pane, enter a Name and Description, click Next
  • On the Configuration Settings pane, click Add
  • Enter a Name and Description for your policy
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
    • Data Type: String
    • Value: <![CDATA[*S-1-5-113]]>

The challenge was to find the correct syntax for the CDATA value. The documentation says to use group names like “Administrator” or “Remote Desktop Users”, but our testing revealed that it was not working on non-English operating systems. As mentioned in the comment section of the article, we decided to try using the account SID. Reading through the documentation, we selected S-1-5-113 (LOCAL_ACCOUNT). This ensures that only local accounts can log on to the machine, preventing our domain users from using their accounts.

We also decided to add another setting to make sure that the MDM policy wins over Group Policy. Since Windows 10 version 1803 there is a new Policy CSP area called ControlPolicyConflict that includes the MDMWinsOverGP policy. This ensures that the Intune policy wins if a Group Policy configures the same setting.

  • To add the second setting, on the Custom OMA-URI Settings pane on the right, click Add
  • Enter a Name and Description for your policy
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
    • Data Type: Integer
    • Value: 1
  • Click Ok, then Save
  • Click on Next
  • On the Scope tab, assign a Scope if needed, click Next
  • On the Assignments tab, assign your profile to a test device or test group
  • In the Applicability Rules tab, assign a rule if needed. Click Next
  • Review your Configuration Profile and click Create

Intune Device Profile User Login Restriction Monitoring

To monitor the deployment of your Intune Profile:

  • Click Device Status at the bottom of the Profile you just created
  • The machine(s) that received the profile will be listed, click on one of them
  • The Device overview pane will open, click on Device Configuration and click your policy on the right
  • You can see the deployment status and the last status update; click on it to get more information

On the device, when a user tries to log on with a domain account, the logon is refused and the user receives a notification.
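Besides the portal status, it is worth confirming on the device itself that the user right really ended up containing only the LOCAL_ACCOUNT SID, since any extra principal left in "Allow log on locally" (Users, Administrators, ...) would re-open domain logon for that group. The script below is an added example, not part of the original post; it assumes secedit is available (built into Windows 10), that it runs from an elevated prompt, and that the Policy CSP mirrors applied values under the PolicyManager\current registry path (an assumption to check on your build).

```powershell
# Added verification script (not from the original post). Run elevated on the
# Intune-managed device to confirm that 'Allow log on locally' contains only
# S-1-5-113 (LOCAL_ACCOUNT) and to read back the MDMWinsOverGP setting.

$ExpectedSid = 'S-1-5-113'          # LOCAL_ACCOUNT, the value pushed by the profile
$Export = Join-Path $env:TEMP 'secpol-check.inf'

# Export the effective local security policy; user rights are listed in this file.
secedit /export /cfg $Export | Out-Null
if (-not (Test-Path $Export)) { throw "secedit export failed; run from an elevated prompt." }

# SeInteractiveLogonRight is the privilege behind 'Allow log on locally' (AllowLocalLogOn).
$Line = Get-Content $Export | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $Export -Force
if (-not $Line) { throw "SeInteractiveLogonRight not present in the export." }

# secedit writes principals as *S-1-..., comma separated; strip the leading '*'.
$Sids = ($Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }

# Translate each SID to a name for readability; SIDs that do not resolve stay as SIDs.
foreach ($Sid in $Sids) {
    try {
        $Name = (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Name = '<unresolved>' }
    Write-Output ("Allow log on locally: {0} ({1})" -f $Sid, $Name)
}

# The restriction only holds if LOCAL_ACCOUNT is the sole entry: an extra group such as
# Users (which contains Domain Users on a domain-joined machine) lets domain accounts back in.
$Extra = $Sids | Where-Object { $_ -ne $ExpectedSid }
if (($Sids -contains $ExpectedSid) -and (-not $Extra)) {
    Write-Output "OK: only $ExpectedSid may log on locally."
} else {
    Write-Warning "Policy not applied as expected. Extra entries: $($Extra -join ', ')"
}

# MDMWinsOverGP: assumed registry mirror of the Policy CSP value (verify the path on your build).
$Key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$Val = (Get-ItemProperty -Path $Key -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue).MDMWinsOverGP
if ($null -eq $Val) { Write-Output 'MDMWinsOverGP = <not set>' } else { Write-Output "MDMWinsOverGP = $Val" }
```

A local account can double-check that it carries the LOCAL_ACCOUNT group with `whoami /groups`, which lists S-1-5-113 as NT AUTHORITY\Local account; a domain account will not have it, which is exactly why the policy blocks it.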


4 Comments on “Create an Intune Device Profile for User Login Restriction”

  1. HELP!
    I get a blue screen with an error stating my user doesn't exist.
    I think it is trying to log in every 30 seconds, and I believe everything is working. Just no user to log in.

  2. Very interesting post. In a school ecosystem, it would be particularly interesting to restrict access to certain devices to a certain security group (teachers/students). Do you have an idea how to proceed to achieve this? Thank you very much!
