Microsoft Tech Community

Conflict status after having 2 Local user group membership Policy


Hello, 

I have an issue with applying two "Local User Group Membership" policies on a PC. The Intune policy report shows a conflict between the two "Local User Group Membership" policies despite their having different configurations. For example, one is a global policy, which applies admin privileges to all PCs, and the other one is more specific to a certain group, and it is just about giving remote access to the PCs in this group. So, my question is, why does Intune mark these two policies as conflicting with each other? If it is not possible to have two "Local User Group Membership" policies applying to the PC, is there a way to have a global policy for admin users on the PC and one more private policy for remote user access using "Local User Group Membership"?

10 Replies
I have the same issue using OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsers
The OMA-URI is conflicting since it is already used once by another policy. It seems like the suggestion is to create one policy and then use AD/Entra groups to deal with the access rights. I was looking for another solution since I did not feel like applying a small-needs group to all devices.

I haven't tested this, but I think the config would need to look something like this:
<GroupConfiguration>
    <!-- desc is the local group to manage (name or SID), e.g. "Administrators" -->
    <accessgroup desc = "Local User group 1">
        <!-- action U = update existing membership; R = restrict to the listed members -->
        <group action = "U"/>
        <add member = "Domain\Group1"/>
    </accessgroup>
    <accessgroup desc = "Local User group 2">
        <group action = "U"/>
        <add member = "Domain\Group2"/>
    </accessgroup>
</GroupConfiguration>
Hi Antony,

Let me make sure I understand it correctly.
You have two separate policies created in Intune that are conflicting?

Can we see the configuration of the policies?
I'm not the OP, but I have the same issue.
I have two policies, one to set the local Administrators and the other one to set the local Remote Desktop Users. Both are set to "Add (Update)". But neither of the two policies applies to the devices it is targeted to; instead they report that they are in conflict. The two policies do not target the same local group, and both are set to Add/Update (not Replace). Any hint why they are conflicting?
I assume it's targeted to the same set of devices? 🙂
Absolutely; but I'd assume this should work as long as the rules do not include "replace" for the same local groups?
If targeting the same devices with multiple policies does not work, this would render this feature useless for us.
Example:
We have one policy to add our global admins' administrative users to all devices and a second policy to add other users' administrative accounts to a subset of devices. As both policies target the same devices (well, at least a subset), they report as conflicting and therefore do not work at all.
Interesting, I haven't experienced this before, so I am curious 🙂
Have you created two separate policies, or are they in the policy within account protection?

I will try to see if I can reproduce the same error.
We have two separate account protection policies 🙂
Hi @RobinWulz,

Sorry for the late response. 🙂
I have tested it myself with two separate policies, and I get a conflict as well.

I've been looking in the docs, and from what I can read in the "caution" box, this scenario will cause a conflict between the policies. I could be wrong, but that's how I understand it. 🙂

https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy#con...

@NicklasOlsen 

Well, the caution box is about a combination of replace and update rules which, according to the box, are not considered a conflict. The second sentence just explains the first one: you may have multiple policies assigned, and they are not considered conflicting if one updates, e.g., the Administrators group and the second rule then replaces the Administrators group.

Going solely by this documentation, it says the exact opposite of what we are experiencing. It would be nice to know if this is a bug or actually expected behavior, confirmed by MS itself 🙂

Hi @RobinWulz,

I've been a little bit curious about this issue, and I tried to deploy two separate policies again with two different actions (update/replace). This will also cause a conflict, in my case.

Lastly, I have tried combining the policies with the same action (update/update) into one policy, which works without problems. If I were you, I would probably reach out to the Intune support team on Twitter to get an answer from MS. 🙂
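The workaround the thread ends on, one policy carrying every accessgroup, can be done mechanically instead of by hand-editing XML. The following is an added example and not code from this thread or from Microsoft: a Python script that merges separate GroupConfiguration bodies in the format shown earlier in the thread into the single body for one OMA-URI policy (the documented setting is ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure). Same-group rules are combined only when all of them use U (update); any overlap involving R (restrict) or a member that one rule adds and another removes is reported as a real conflict rather than silently resolved. The CONTOSO domain, group names and member names are constructed sample input.

```python
import xml.etree.ElementTree as ET

# Constructed sample input for this example (not from the thread): two policy
# bodies that would otherwise be deployed as two separate Intune policies
# against an overlapping set of devices. Domain and group names are made up.
GLOBAL_ADMINS_XML = """<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="U"/>
    <add member="CONTOSO\\GlobalAdmins"/>
  </accessgroup>
</GroupConfiguration>"""

SITE_POLICY_XML = """<GroupConfiguration>
  <accessgroup desc="Remote Desktop Users">
    <group action="U"/>
    <add member="CONTOSO\\HelpdeskRDP"/>
  </accessgroup>
  <accessgroup desc="Administrators">
    <group action="U"/>
    <add member="CONTOSO\\SiteAdmins"/>
    <remove member="CONTOSO\\LegacyAdmins"/>
  </accessgroup>
</GroupConfiguration>"""


def parse_policy(xml_text):
    """Parse one <GroupConfiguration> body into
    {local_group: {"action": "U" | "R", "add": [members], "remove": [members]}}.
    desc names the local group (name or SID); U updates membership, R restricts
    it to the listed members."""
    root = ET.fromstring(xml_text)
    if root.tag != "GroupConfiguration":
        raise ValueError("root element must be <GroupConfiguration>")
    groups = {}
    for ag in root.findall("accessgroup"):
        name = ag.get("desc")
        if not name:
            raise ValueError("<accessgroup> needs a desc naming the local group")
        group_el = ag.find("group")
        action = group_el.get("action", "U") if group_el is not None else "U"
        if action not in ("U", "R"):
            raise ValueError(f"{name}: unknown action {action!r} (expected U or R)")
        entry = groups.setdefault(name, {"action": action, "add": [], "remove": []})
        if entry["action"] != action:
            raise ValueError(f"{name}: listed twice with different actions")
        entry["add"].extend(e.get("member") for e in ag.findall("add"))
        entry["remove"].extend(e.get("member") for e in ag.findall("remove"))
    return groups


def merge_policies(*xml_texts):
    """Combine several policy bodies into the one body a single policy carries.
    Same-group entries are unioned when every one of them uses U; an overlap
    involving R, or a member both added and removed, raises instead of
    silently picking a winner."""
    merged = {}
    for text in xml_texts:
        for name, entry in parse_policy(text).items():
            if name not in merged:
                merged[name] = {"action": entry["action"],
                                "add": list(entry["add"]),
                                "remove": list(entry["remove"])}
                continue
            cur = merged[name]
            if cur["action"] != "U" or entry["action"] != "U":
                raise ValueError(f"{name}: overlapping R (restrict) rules must be resolved by hand")
            for key in ("add", "remove"):
                for member in entry[key]:
                    if member not in cur[key]:
                        cur[key].append(member)
    for name, cur in merged.items():
        clash = set(cur["add"]) & set(cur["remove"])
        if clash:
            raise ValueError(f"{name}: members both added and removed: {sorted(clash)}")
    return render(merged)


def render(groups):
    """Serialize the merged structure back into the CSP XML format."""
    root = ET.Element("GroupConfiguration")
    for name, entry in groups.items():
        ag = ET.SubElement(root, "accessgroup", desc=name)
        ET.SubElement(ag, "group", action=entry["action"])
        for member in entry["add"]:
            ET.SubElement(ag, "add", member=member)
        for member in entry["remove"]:
            ET.SubElement(ag, "remove", member=member)
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def is_mergeable(*xml_texts):
    """True if the bodies combine without a real membership conflict."""
    try:
        merge_policies(*xml_texts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(merge_policies(GLOBAL_ADMINS_XML, SITE_POLICY_XML))
```

Run it and paste the printed body into the single Intune policy; keep the per-policy bodies in source control so the merged one can be regenerated when a site-specific group changes. Refusing to merge overlapping R rules is deliberate: a restrict rule wipes whatever is not listed, so letting a script union two of them would quietly widen the Administrators group.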