![]() ![]() a User who plugs in a mouse to escalate privileges to a Windows 10 Administrator. To deploy the policy setting to a Intune managed device, we need to use a Custom Configuration profile. Privileged accounts are distinguished from standard User accounts that. To achieve the required restrictions, we use the CSP policy AllowLocalLogon. Configure the Custom Configuration profile Folder A is in Drive D and Folder A is assigned for the user so that the user. The user shouldn’t be able to view installed applications. Here I restricted the logon rights to only local accounts by using CSP policy AllowLocalLogon (User Right to Sign In Locally).Īfter some testing I was able to add multiple Azure AD account to the AllowLocalLogon setting, which prohibits other users from logging on into the Windows device. How to configure restrictions on a user account in Windows 10 The user shouldn’t be able to install and uninstall an application. On the right side panel, double click Prohibit access to Control Panel and PC settings. On the left side, click to open Administrative templates under the User Configuration section. Reference This policy setting determines how network logons that use local accounts are authenticated. Choose Enabled, then set the action to Lock or Logoff, depending on your needs. ![]() Select standard (to limit accessibility to certain features and. First, press the Windows key and then type Group policy click on Edit group policy when it appears. Windows 10 Describes the best practices, location, values, policy management and security considerations for the Network access: Sharing and security model for local accounts security policy setting. Under User Configuration -> Administrative Templates -> Windows Components -> Windows Logon Options, click on Set Action to take when logon hours expire. I was successful in removing Authenticated Users and adding the AAD users, but other users where still able to sign-in to the device.Īt that moment I realized, I already used such a solution for a Windows 10 kiosk device, which is described here. Once in the account settings for the selected user, select Change the account type. My first thought was to remove Authenticated Users from the build-in Users group with the Configuration Service Provider (CSP) policy ConfigureGroupMembership and add the Azure AD users which are allowed to sign-in to the device to the Users group. Intune or Azure Active Directory don`t provide an out-of-the-box solution for this, but with a custom Intune profile we can do the job. In Windows 10 Pro or Enterprise, open the Start Menu and search for Computer Management. Today a short article in which I show how we can restrict which users can logon into a Azure AD joined Windows 10 device with Microsoft Intune. ![]()
0 Comments
Leave a Reply. |