Restrict users from local accounts on Intune devices?

Question

Devices are enrolled either via Autopilot or Azure AD Join in Intune, but the issue of people using local accounts remains. Do you know, is there a way to force Azure/Hybrid AD accounts and collect report on which local users are actively in use on PCs?

I believe maybe there is a policy to restrict local accounts on Windows 10+ which I couldn't find.

Answer 1

Group Policy
If you are still hybrid or using co-management, you can use a Group Policy Object (GPO) to specify who can log on locally to the computer. The setting is in Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment.

The default settings include 'Users'. One option would be to remove 'Users' from this security setting and replace it with 'Domain Users'.

Intune/MEM
If you are fully Azure AD Joined and only using Intune/Mem to manage all device configuration, you can still configure this setting with a policy. At a high level, the approach is to:

1. Create a new configuration profile or edit a relevant existing one
2. Add a new configuration setting
3. Browse the settings picker and choose the 'User Rights' category
4. Select the 'Allow Local Log On' setting and add only the groups that you want to allow.

Note that with this approach, you'll want to test very carefully before deploying to production. This policy could have unintended effects and some can also affect Autopilot -- although I didn't see this exact setting listed regarding Autopilot conflicts.

Answer 2

I got an answer from Microsoft, with MEM only solution restricting all local accounts:

Another workaround could be the creation of a custom profile with:

OMA-URI : ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn Data Type : String Value :

This should restrict log on from any user that belongs to the LOCAL_ACCOUNT group.

Be very careful here because with the VALUE and the SID. Please check this article for all the SIDs