Today a short article in which I show how we can restrict which users can log on to an Azure AD joined Windows 10 device with Microsoft Intune. Intune or Azure Active Directory don't provide an out-of-the-box solution for this, but with a custom Intune profile we can do the job.

My first thought was to remove Authenticated Users from the built-in Users group with the Configuration Service Provider (CSP) policy ConfigureGroupMembership and add the Azure AD users which are allowed to sign in to the device to the Users group. I was successful in removing Authenticated Users and adding the AAD users, but other users were still able to sign in to the device. At that moment I realized I had already used such a solution for a Windows 10 kiosk device, which is described here. Here I restricted the logon rights to only local accounts by using the CSP policy AllowLocalLogon (User Right to Sign In Locally). After some testing I was able to add multiple Azure AD accounts to the AllowLocalLogon setting, which prohibits other users from logging on to the Windows device.

Configure the Custom Configuration profile

To deploy the policy setting to an Intune managed device, we need to use a Custom Configuration profile. To achieve the required restrictions, we use the CSP policy AllowLocalLogon. After that you will see a whole list of options you can configure; the one we're looking for is: Configure device options.

Every attempt to login says Invalid username or password. I try using or firstname.lastname and either way it reports invalid creds. The creds are the exact same ones I used to login to join the machine to AAD.

Using a recovery USB stick, enable the local admin account using a regedit. Once logged into the desktop, create another temporary user account. With that user account 'disconnect' the device from your Azure Domain. After PC restarts, connect device back to Azure Domain. Logoff and log back in as one of your Azure Domain users.

If it fails due to an MFA requirement then the exception must be made. You can confirm by checking the sign-in logs in Azure AD.
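The custom configuration profile described in the article above, as an added PowerShell example that is not the author's own code: it builds the AllowLocalLogOn value (principals joined with the U+F000 delimiter the UserRights CSP expects) and the Graph request body for a windows10CustomConfiguration profile. The UPNs are constructed placeholders, and the `AzureAD\<upn>` name form for Azure AD accounts is assumed from Microsoft's UserRights CSP documentation.

```powershell
# Added example (not the article's own code): build the AllowLocalLogOn value for an
# Intune custom configuration profile and emit the Graph request body for it.
# Assumptions: the UPNs below are constructed placeholders; the "AzureAD\<upn>"
# name form for Azure AD accounts is assumed from Microsoft's UserRights CSP docs.

# Policy CSP UserRights area, "Allow log on locally" user right (device scope).
$OmaUri = './Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn'

# The UserRights CSP separates multiple principals with U+F000, not a comma or semicolon.
$Delimiter = [string][char]0xF000

function New-AllowLocalLogOnValue {
    param(
        [Parameter(Mandatory)] [string[]] $AzureAdUpns,   # users allowed to sign in
        [string[]] $ExtraPrincipals = @('*S-1-5-32-544')  # keep BUILTIN\Administrators (SID form)
    )
    $entries = foreach ($upn in $AzureAdUpns) {
        if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            throw "Not a UPN: '$upn'. A typo here locks every other user out of the device."
        }
        "AzureAD\$upn"
    }
    # Never ship an empty right: it would remove the sign-in right from everyone.
    $all = @($ExtraPrincipals) + @($entries)
    if ($all.Count -eq 0) { throw 'AllowLocalLogOn value must not be empty.' }
    return ($all -join $Delimiter)
}

function New-CustomProfileBody {
    param([string] $DisplayName, [string] $Value)
    # windows10CustomConfiguration with one omaSettingString, as the Graph API expects.
    @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Restrict interactive sign-in to listed Azure AD users (added example).'
        omaSettings   = @(@{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'AllowLocalLogOn'
            omaUri        = $OmaUri
            value         = $Value
        })
    } | ConvertTo-Json -Depth 5
}

# Constructed sample input.
$value = New-AllowLocalLogOnValue -AzureAdUpns @('alice@contoso.example', 'bob@contoso.example')
$body  = New-CustomProfileBody -DisplayName 'Restrict sign-in (W10)' -Value $value
$body
# To create the profile after Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All:
# Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' -Body $body -ContentType 'application/json'
```

Keeping the local Administrators SID in the list is what preserves a recovery path; a value with only mistyped UPNs produces exactly the "Invalid username or password" lockout the comments above describe.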