Intune Device Configuration to Deny Local Log On by a local admin user.

John Park 21 Reputation points


Glad to be here, and hoping someone can help me out. I've created a custom device configuration policy that should restrict a specific local admin user from logging into the Windows 10 laptop. My configuration settings are as follows:

Name: Restrict Local Admin Login

Description: Not configured

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn

Data type: String

Value: <![CDATA[.\aLocalAdminUser]]>

After applying the policy to my test device, I see that my user above doesn't get added to the 'Deny log on locally' properties on the device's local security policy.

Is the syntax or data type I'm using incorrect?

I'm at a loss now, so any help is greatly appreciated.


Microsoft Intune Configuration

Accepted answer
  1. Nick Hogarth 3,436 Reputation points

    Have you read this blog post? It looks like the same error.

    Also you can configure this in the Settings Catalog:

    1 person found this answer helpful.
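
One way to check the result on the test device without opening the Local Security Policy console, as an added example that is not part of the original thread: export the effective user rights with `secedit` and look for the account under `SeDenyInteractiveLogonRight`, the privilege constant behind 'Deny log on locally'. The function name `Get-UserRightMembers` is hypothetical, and the account name is the one from the question.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# session on the test device after the Intune policy has synced.
function Get-UserRightMembers {
    param(
        [string]$Right = 'SeDenyInteractiveLogonRight'  # "Deny log on locally"
    )
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the effective local security policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match "^\s*$Right\s*=" } |
            Select-Object -First 1
        if (-not $line) { return @() }   # the right has no assignees

        # Entries are comma-separated: "*S-1-..." for SIDs, plain text for names.
        foreach ($entry in ($line -split '=', 2)[1] -split ',') {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*S-1-')) {
                $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # orphaned SID: report it untranslated
            } elseif ($entry) {
                $entry
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$account = 'aLocalAdminUser'   # account name from the question
$members = @(Get-UserRightMembers)
# Compare on the name part only, so "PC01\aLocalAdminUser" also matches.
$hit = $members | Where-Object { ($_ -split '\\')[-1] -ieq $account }
if ($hit) { "Deny log on locally includes: $hit" }
else      { "$account is NOT listed. Current members: $($members -join ', ')" }
```

Running it before and after a policy sync shows whether the setting actually changed the right on the device.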
