
Troubleshooting Account protection policy

Mountain Pond 1,616 Reputation points
2026-02-24T23:32:18.1033333+00:00

Hello, community.

I have an Account Protection policy for managing a local administrator group.

The policy removes all members of the local administrator group, with the exception of the built-in and Entra ID groups.

The policy applies to all devices filtered by Intune with the "included" filter (two pilot devices).

The policy was applied to two pilot users. The customer then asked me to remove the policy for them.

I canceled the policy, logged into the device, and added the user back to the local group.

Then I assigned the policy to a different list of users (group).

The problem is that after 24 hours, this policy is still applied to a device where it should no longer apply.

After adding a user to the local administrator group, the user logs in as an administrator and later discovers that they are no longer in the local administrator group. Something is happening after logging in, during work. I synced, and there were no sync errors.

I had to write a workaround script that adds a user to a group from the system account.

I need to figure out the cause because I don't want to have the same problem with other devices.

I understand that there's most likely some script in the backend that cached this policy and continues to execute it. However, I need to somehow clear this task.

Please help me figure this out.

Thank you.

Microsoft Security | Intune | Security

1 answer

  1. Q&A Assist
    2026-02-24T23:32:35.5466667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It sounds like you're experiencing issues with the application of the Account Protection policy in Intune, particularly with the local administrator group management. Here are some steps and considerations that might help you troubleshoot the situation:

    1. Policy Caching: Intune policies can sometimes take time to propagate or may have caching mechanisms that retain previous settings. Ensure that the policy has been fully removed from the device by checking the Intune management console for the policy status.
    2. Device Sync: Even though you mentioned syncing without errors, consider forcing a manual sync from the device to Intune to ensure that all policies are up to date. You can do this through the Company Portal app or by using the command line.
    3. Policy Conflicts: Check if there are any other conflicting policies that might be reapplying the local administrator settings. If multiple policies target the same group or user, the most restrictive policy may take precedence.
    4. Review Logs: Investigate the logs on the device for any indications of policy application or errors. You can use the Event Viewer to look for logs related to Intune or policy application.
    5. User Group Membership: Ensure that the user is not part of any other group that might have conflicting permissions or policies applied. Sometimes, group memberships can override individual settings.
    6. Reassigning Policies: After removing the policy, wait a sufficient amount of time before reassigning it to a different group. This can help avoid any residual effects from the previous policy application.
    7. Contact Support: If the issue persists, consider reaching out to Microsoft Support for assistance. They may have additional tools or insights into the backend processes that could help resolve the issue.

    By following these steps, you should be able to identify the cause of the issue and prevent it from occurring with other devices in the future.


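The "Review Logs" step above is the one that actually tells you what removed the user from the group: the Security log records every change to the local Administrators group together with the account that made it, and the MDM diagnostics log records each delivery of the LocalUsersAndGroups policy that Account protection uses. The following PowerShell is an added example written for this answer, not code from the question, the Q&A Assist answer or Microsoft. It assumes an elevated PowerShell 5.1 or later session on the affected device, that "Audit Security Group Management" is enabled so events 4732/4733 are written, and that the Policy CSP registry path it inspects (PolicyManager\current\device\LocalUsersAndGroups) exists on this Windows build.

```powershell
# Added example (not from the question or answer): audit who or what changed the
# local Administrators group on an Intune-managed Windows device.
# Assumptions: elevated session; Security Group Management auditing enabled;
# the PolicyManager registry path below is an assumption and may be absent.

$Group    = 'Administrators'
$LookBack = (Get-Date).AddDays(-2)   # how far back to search the event logs

# 1. Current membership: PrincipalSource shows Local vs. AzureAD (Entra ID) vs. ActiveDirectory.
Write-Host "Current members of '$Group':"
Get-LocalGroupMember -Group $Group |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize

# 2. Security log: 4732 = member added to a security-enabled local group,
#    4733 = member removed. SubjectUserName is the account that made the change:
#    SYSTEM (or the device account) points at a management agent or policy,
#    an ordinary user name points at an interactive change.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4732, 4733
    StartTime = $LookBack
} -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data['TargetUserName'] -ne $Group) { continue }   # only the group we care about
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = if ($e.Id -eq 4732) { 'Added' } else { 'Removed' }
        MemberSid = $data['MemberSid']
        ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}
Write-Host "Group membership changes in the last 2 days:"
$changes | Sort-Object Time | Format-Table -AutoSize

# 3. MDM diagnostics log: every policy delivery from Intune is logged here.
#    Entries mentioning LocalUsersAndGroups show when the Account protection
#    group policy was (re)applied, which you can line up with the 4733 times above.
$mdm = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    StartTime = $LookBack
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'LocalUsersAndGroups' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
Write-Host "LocalUsersAndGroups policy events:"
$mdm | Format-Table -AutoSize -Wrap

# 4. Is the policy still present on the device after unassignment? (registry path is an assumption)
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\LocalUsersAndGroups'
if (Test-Path $policyKey) {
    Write-Host "Resultant LocalUsersAndGroups policy still present on the device:"
    Get-ItemProperty -Path $policyKey | Format-List
} else {
    Write-Host "No LocalUsersAndGroups policy value found under PolicyManager\current."
}
```

If the 4733 removals are performed by SYSTEM and each one lines up with a LocalUsersAndGroups delivery in the MDM log, the device is still receiving the group policy (for example through a second assignment or filter that still matches it), and the fix belongs in the Intune assignment rather than in a local workaround script. If the removals happen with no matching policy delivery and no LocalUsersAndGroups value under PolicyManager, the change is coming from something else on the device, and the ChangedBy column is where to start.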
