Limiting users that can log into a Windows 10 machine using Intune and restricted groups

Recently I’ve had to build configurations via Intune to limit the users that could log into an AAD only joined machine.

AAD itself does not provide controls around limiting user login into specific machines hence I had to apply controls via Intune.

Windows 10 Users local group allows NT Authority\Authenticated Users to log into the machine which is every Azure AD user

image858×796 182 KB

I’ve had to make changes to this local group via Intune in order to remove NT Authority\Authenticated Users and add the list of Azure AD users that I wanted to be able to log into the machine.

This was achieved via the use of “Restricted Groups” which are documented by Microsoft here:

Restricted groups takes over the management of the local group effectively removing any members that are not specified in the policy configuration.

The configuration that I’ve used is below:

image1512×721 52.5 KB

Value:

<groupmembership>
    <accessgroup desc = "Users">
        <member name = "AzureAD\user1UPN@yourdomain.com" />
        <member name = "AzureAD\user2UPN@yourdomain.com" />
        <member name = "AzureAD\user3UPN@yourdomain.com" />
        <member name = "AzureAD\user4UPN@yourdomain.com" />
        <member name = "NT Authority\INTERACTIVE" />
    </accessgroup>
</groupmembership>|

The above configuration has removed NT AUTHORITY\Authenticated Users from the Users group and have added the specified users

image1029×1192 147 KB

Coll stuff! Would just point out, that since it’s a standard Win10 CSP - any MDM capable of deploying custmom XML will do - not just InTune. I use VMware Policy Builder with Workspace ONE UEM for that.

After deploying the above at scale I had mixed results

The best method of controlling the local login is still “Allow Local Logon” policy

This policy can be deployed via CSP as well

CPS documentation below:

Looks like in Win 10 2004 this will also start supporting AAD groups