Intune - Local Admin Policy

Matt Dillon 1,211 Reputation points
2023-03-07T15:59:14.1766667+00:00

I am in a Hybrid Azure AD environment. I set up the Endpoint security - Account protection - Local user group membership policy in my Intune tenant to replace a GPO that would set the SCCM server and a few users and groups as members of the Administrators group. I created a security group and denied the GPO from my endpoint.

While in office or connected to VPN:

Test 1: Passed

I removed all the members of the Administrators group and did a gpupdate /force to make sure that the GPO did not repopulate. Once that happened I created the local user group membership policy and added an extra random user as a test and did an ADCONNECT sync for good measure. (I used Add (Replace) and Manual with the SID of all the entries.) I then did a sync from Settings - Accounts - Access work or school - my account - Info. I refreshed the Administrators group and I was pleased to see all the accounts in the Intune policy show up, including the extra one.

Test 2: Fail

I removed the extra account in the policy and again did an ADCONNECT sync and the sync on my device, and the extra account was not removed.

Test 3: Pass

I then removed 3 of the accounts that were supposed to be in there and did the syncs again and even waited an hour. This seems to have worked. Going to remove and see if they come back again.

Questions

  1. Do I need a direct connection to the domain either via VPN or in an office for this policy to work in a Hybrid Azure AD environment?
  2. How often does the policy run? Can that be modified?
  3. While the GPO would instantly correct the members of the Administrators group, I am not seeing that with this policy. What is the expectation using this policy? My guess at this point is that things happen once and that is it, or they happen when the policy has accounts added, but not deleted.

1 answer

Crystal-MSFT 42,306 Reputation points Microsoft Vendor
    2023-03-08T05:41:31.2833333+00:00

    @Matt Dillon, Thanks for posting in Q&A.

    For your questions, here are my answers for your reference:

    Q1: Do I need a direct connection to the domain either via VPN or in an office for this policy to work in a Hybrid Azure AD environment?

    A1: After the Hybrid Azure AD joined devices are enrolled into Intune, we can get some Intune policy via Intune. Some still need the devices in the office. Based on my test, for the account protection policy we added, if we add an account synced from AD to AAD, it will fail with the following error when we are not on the office network.

    User's image

    Q2: How often does the policy run? Can that be modified?

    A2: For the policy refresh intervals, the refresh cycle can be 8 hours. We can do manual sync on the device to get the policy.

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#policy-refresh-intervals

    Q3: While the GPO would instantly correct the members of the Administrators group, I am not seeing that with this policy. What is the expectation using this policy as my guess at this point is things happen once and that is it or they happen when the policy has accounts added, but not deleted.

    A3: As far as I know, when removing one user from the policy, the new policy will also be applied after I do a manual sync and restart the device. You can sync and restart the device to see if it works! If not, go to the DeviceManagement-Enterprise-Diagnostic-Provider event log to see if there is any related error.

    https://learn.microsoft.com/en-us/windows/client-management/diagnose-mdm-failures-in-windows-10#collect-logs-directly-from-windows-10-pcs

    Hope it can help.

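To check on a device whether the Intune "Local user group membership" policy has actually added or removed the expected accounts, and to pull the MDM client errors the answer points to, here is an added PowerShell example (not code from the thread or from Microsoft). The two SIDs are constructed placeholders; replace them with the SIDs you entered in the policy, and run the script in an elevated session on the endpoint.

```powershell
# Added example: compare the local Administrators group with the SIDs configured in the
# Intune Local user group membership policy, then list recent MDM client errors.
# The SIDs below are constructed placeholders, not real values from any tenant.
$ExpectedSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1001',   # placeholder: SCCM server computer account
    'S-1-5-21-1111111111-2222222222-3333333333-1105'    # placeholder: helpdesk admins group
)

# Get-LocalGroupMember returns each member with its SID; SilentlyContinue keeps an
# orphaned (unresolvable) SID from aborting the whole run on a hybrid-joined device.
$Members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, @{ Name = 'Sid'; Expression = { $_.SID.Value } }

# The built-in Administrator (RID 500) is always present and is not managed by the policy.
$Managed = $Members | Where-Object { $_.Sid -notmatch '-500$' }

# Members present that the policy no longer lists: a removal that has not applied yet.
$Unexpected = $Managed | Where-Object { $ExpectedSids -notcontains $_.Sid }
# Policy entries not present on the device: an add that has not applied yet.
$Missing = $ExpectedSids | Where-Object { $Managed.Sid -notcontains $_ }

'Unexpected members still in Administrators (removal not yet applied):'
$Unexpected | Format-Table Name, Sid -AutoSize
'Expected SIDs not yet in Administrators (add not yet applied):'
$Missing

# Errors (Level 2) logged by the MDM client in the last 24 hours, from the
# DeviceManagement-Enterprise-Diagnostics-Provider Admin log named in the answer.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it before and after the manual sync (and the restart the answer suggests) to see whether the group membership converges on the policy, and whether the MDM client logged an error during the policy refresh.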