Anmeldezeiten für Mitarbeiter

Copper Contributor

Hallo zusammen,

 

gibt es in der Endpoint-Verwaltung die Möglichkeit, dass sich Mitarbeiter z.B. nur zwischen 8:00 Uhr bis 19:00 Uhr am PC anmelden können? Danach sollen sie automaisch abgemeldet werden.

 

On-Prem wären das die Anmeldezeiten. Bei Intune / Endpoint hab ich es leider nicht gefunden.

 

Gruß

robse

6 Replies
Hello Robse030,

I think that the thing you are referring to is called Logon Hours which you can set via GPO. This however is only Active Directory Domain Services feature and is not applicable to cloud only environment.

If you are in hybrid environment, you can change your authentication method to passthrough authentication and pass all logon requests to Active Directory, which would respect your chosen Logon Hours.

Please let me know, if that's what you were talking about. 🙂

Have a nice rest of the day.
Martin Strnad
Hi Martin, thank you for the reply. That's right, I mean Logon Hours. Unfortanaly, it's not a hybrid enviroment. Is there another Option?

regards,
robert
Hello again,
as stated in this article, it is only a setting you can force via on-premises Active Directory.

https://techcommunity.microsoft.com/t5/microsoft-teams/restricting-access-to-office-365-microsoft-te...

Even Microsoft says that in order to force Logon Hours, you have to use Passthrough Authentication or ADFS.
https://www.youtube.com/watch?v=YtW2cmVqSEw go to 8:00 in the video.

Have a nice rest of the day.
Martin Strnad

Hi Martin,

 

thank you for the information. Than i have to find another solution. 😞

 

Regards,

Robert

hi @Robse030 ,

 

what you can try as a solution (not officially supported by Microsoft) is to disable the computer object in azure ad . So the users are not allowed to logon anymore.

 

you can create a logic app which disable and enable all your computer object at a specific time. 

I don’t know if this is working but maybe it is a solution.

 

kind regards,

 

rene 

@Mr_Helaas very creative! You've pointed me into another (perhaps not supported) direction. I'm wondering if "Deny Local Log On" could work in this scenario.

 

@Robse030 you'll have to test this in your dev tenant: 

  • Create a Device configuration profile > Setting catalog
  • search for "Deny local Log On"
  • add Users
  • assign this policy to a test device  

2022-05-10_14h30_03.jpg

This would effectively block all (standard) users from login-on to your Windows device locally.

As with @Mr_Helaas solution, you'll also need to have another policy that removes Users from "Deny Local Log On" and automate this process. 

 

Have a look at Policy CSP - UserRights - Windows Client Management | Microsoft Docs

 

That being said, I'm not sure if I'm crossing the line here with (sort of) unsupported solutions... but I tricked myself into thinking outside the box...