Forum Discussion
Block Local Logon to enrolling user of an Intune Managed Device
Has anyone successfully managed to deploy a security baseline template, Configuration profile or proactive remediation script that can successfully block any AAD user from being able to log on to an Intune managed device, other than the user who enrolled the device?
I have a use case of an industrial type device where we use a secure shared logon credential, which is also the enrolling user, and I want to prevent anyone with an account logging off the primary user account and logging in with their own personal account.
The issue I seem to face now is that the policy is not able to evaluate the AAD group to which I assign the user account(s) allowed to log on, and I subsequently end up blocking all local logons.
Thanks
1 Reply
- Bogdan_GuineaSteel Contributor
Hi,
What about creating a local group (e.g., AllowedLogonUsers), then adding the specific AAD user(s), including the shared enrollment account, via a PowerShell script?
Then create a CSP via the Settings Catalog that references the newly created local group.
Check these references:
Good luck!
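As an added example of the script step described in the reply (not code from the original post or from Microsoft), the following PowerShell creates the local group and populates it with Azure AD accounts. It assumes the device is Azure AD-joined, that the script runs as SYSTEM (as an Intune platform script or remediation script would), and that the UPN shown is a placeholder for the shared enrollment account; the `AzureAD\<UPN>` member syntax is how cloud accounts are addressed in local groups on an AAD-joined device.

```powershell
# Added example: create a local group for the accounts allowed to log on and
# add the Azure AD account(s) to it. Idempotent so it can run as a remediation.
# Assumptions: AAD-joined device, running as SYSTEM, placeholder UPN below.
$GroupName   = 'AllowedLogonUsers'               # group name from the reply
$AllowedUpns = @(
    'shared-enrollment@contoso.example'          # placeholder: shared enrolling account
)

# Create the group only if it does not exist yet (safe to re-run).
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName `
        -Description 'Accounts allowed to log on locally (managed by Intune script)' | Out-Null
}

# Current members; SilentlyContinue because Get-LocalGroupMember can fail on
# orphaned cloud SIDs and that must not abort the whole script.
$current = @(Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue)

foreach ($upn in $AllowedUpns) {
    # Cloud accounts are referenced as 'AzureAD\<UPN>' on an AAD-joined device.
    $member = "AzureAD\$upn"
    if (-not ($current | Where-Object { $_.Name -ieq $member })) {
        try {
            Add-LocalGroupMember -Group $GroupName -Member $member -ErrorAction Stop
            Write-Output "Added $member to $GroupName"
        } catch {
            Write-Warning "Could not add $member to $GroupName : $($_.Exception.Message)"
        }
    }
}

# Safety check: if the group ended up empty, a user-rights setting that points
# at it would lock out every account, including the shared one. Fail loudly
# so the remediation shows as unsuccessful instead of silently proceeding.
$count = @(Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue).Count
if ($count -eq 0) {
    Write-Error "$GroupName has no members; do not assign the logon right to it yet."
    exit 1
}
exit 0
```

For the second step, the Settings Catalog setting assumed here is the User Rights policy "Allow Local Log On" (Policy CSP UserRights/AllowLocalLogOn), with the local group name AllowedLogonUsers as its value; include the local Administrators group in that value as well, since the user right replaces (rather than extends) the default set of accounts permitted to log on. Deploy the script before the policy, and verify the group membership on a test device with `Get-LocalGroupMember -Group AllowedLogonUsers` before assigning the policy more widely, because a mistake in this setting locks all interactive logon to the device.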