Use Intune endpoint security policies for account protection to protect the identity and accounts of your users and manage the built-in group memberships on devices.
Important
In July 2024, the following Intune profiles for identity protection and account protection were deprecated and replaced by a new consolidated profile named Account protection. This newer profile is found in the account protection policy node of endpoint security, and is the only profile template that remains available to create new policy instances for identity and account protection. The settings from this new profile are also available through the settings catalog.
Any instances of the following older profiles that you have created remain available to use and edit:
Find the endpoint security policies for Account protection under Manage in the Endpoint security node of the Microsoft Intune admin center.
For guidance on assigning the right level of permissions and rights to manage Intune account protection profiles, see Assign role-based access controls for endpoint security policy.
Platform:
Profiles:
Account protection – Settings for account protection policies help you to protect user credentials. The account protection policy focuses on device-scoped and user-scoped settings for Windows Hello for Business, and on Credential Guard. Credential Guard is part of Windows identity and access management.
To learn more, see Identity and access management in the Windows identity and access management documentation.
The settings in this profile are also available in the Settings catalog.
Local admin password solution (Windows LAPS) – Use this profile to configure Windows LAPS on devices. Windows LAPS allows for the management of a single local administrator account per device. Intune policy can specify which local admin account it applies to by use of the policy setting Administrator Account Name.
For more information on using Intune to manage Windows LAPS, see:
Local user group membership – Use this profile to add, remove, or replace members of the built-in local groups on Windows devices. For example, the Administrators local group has broad rights. You can use this policy to edit the Admin group's membership to lock it down to a set of exclusively defined members.
Use of this profile is detailed in the following section, Manage local groups on Windows devices.
Use the Local user group membership profile to manage the users that are members of the built-in local groups on devices that run Windows 10 20H2 and later, and Windows 11 devices.
Tip
To learn more about support for managing administrator privileges using Microsoft Entra groups, see Manage administrator privileges using Microsoft Entra groups in the Microsoft Entra documentation.
This profile manages the local group membership on devices through Policy CSP - LocalUsersAndGroups. The CSP documentation includes more details on how configurations apply, and an FAQ about the use of the CSP.
When you configure this profile, on the Configuration settings page you can create multiple rules to manage which built-in local groups you want to change, the group action to take, and the method to select the users.
The following are the configurations you can make:
Note
The list of local groups is limited to the six built-in local groups that are guaranteed to be evaluated at logon, as referenced in the How to manage the local administrators group on Microsoft Entra joined devices documentation.
Group and user action: Configure the action to apply to the selected groups. The action applies to the users you select in the same rule, for the local groups that rule covers. Actions you can select include:
Caution
If the same group is configured with both a Replace and Update action, the Replace action wins. This is not considered a conflict. Such a configuration can occur when you deploy multiple policies to the same device, or when this CSP is also configured by use of Microsoft Graph.
User selection type: Choose how to select users. Options include:
Selected user(s): Depending on your selection for User selection type, use one of the following options:
Select user(s): Select the users and user groups from Microsoft Entra.
Add user(s): This option opens the Add users pane where you can then specify one or more user identifiers as they appear on a device. You can specify the user by security identifier (SID), Domain\username, or by Username.
Choosing the Manual option can be helpful in scenarios where you want to add your on-premises Active Directory users to a local group on a Microsoft Entra hybrid joined device. The supported formats for identifying the selected user, in order of most to least preferred, are the SID, domain\username, or the member's username. Values from Active Directory must be used for hybrid joined devices, while values from Microsoft Entra ID must be used for Microsoft Entra join. Microsoft Entra group SIDs can be obtained using the Graph API for Groups.
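The admin center reports whether a device applied the policy, but a defender will usually also want to verify on the device itself that the built-in Administrators group ends up with exactly the intended members. The following PowerShell script is an added example, not code from this page or from Microsoft: it takes a LocalUsersAndGroups-style payload (the XML shape is assumed from the Policy CSP - LocalUsersAndGroups documentation; the `group action` values `U` for update and `R` for replace are likewise assumed, and the member values are constructed placeholders), reads the intended members for one group, and compares them with what `Get-LocalGroupMember` actually returns, applying the page's rule that a Replace action constrains the group to the listed members while an Update action only adds and removes the named ones. Run it in an elevated session on the device.

```powershell
# Added example (not from the Intune docs page): audit a built-in local group on a
# Windows device against the membership a LocalUsersAndGroups payload intends.
# Assumptions: the XML shape below follows the Policy CSP - LocalUsersAndGroups
# documentation ("U" = update, "R" = replace); the member values are constructed
# placeholders, not real accounts. Requires Microsoft.PowerShell.LocalAccounts.

$policyXml = @'
<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="R" />
    <add member="S-1-5-21-1111111111-2222222222-3333333333-500" />
    <add member="AzureAD\admin@contoso.example" />
  </accessgroup>
</GroupConfiguration>
'@

function Get-ExpectedMembers {
    # Extract the action and the add/remove member lists for one accessgroup element.
    param([string]$Xml, [string]$GroupName)
    [xml]$doc = $Xml
    $group = $doc.GroupConfiguration.accessgroup | Where-Object { $_.desc -eq $GroupName }
    if (-not $group) { throw "No accessgroup element for '$GroupName' in the payload" }
    [pscustomobject]@{
        Action = $group.group.action
        Add    = @($group.add    | ForEach-Object { $_.member })
        Remove = @($group.remove | ForEach-Object { $_.member })
    }
}

function Test-LocalGroupAgainstPolicy {
    # Compare the device's actual membership with the intended one. Members are
    # matched by SID or by the account name the device reports (DOMAIN\user form),
    # which are the identifier formats the policy accepts.
    param([string]$GroupName, [pscustomobject]$Expected)
    $actual    = @(Get-LocalGroupMember -Group $GroupName)
    $actualIds = @($actual | ForEach-Object { @($_.SID.Value, $_.Name) })

    $missing = @($Expected.Add | Where-Object { $_ -notin $actualIds })
    if ($Expected.Action -eq 'R') {
        # Replace: any member not on the Add list is a finding.
        $unexpected = @($actual | Where-Object {
            $_.SID.Value -notin $Expected.Add -and $_.Name -notin $Expected.Add
        })
    } else {
        # Update: only members the policy explicitly removes are a finding.
        $unexpected = @($actual | Where-Object {
            $_.SID.Value -in $Expected.Remove -or $_.Name -in $Expected.Remove
        })
    }
    [pscustomobject]@{
        Group      = $GroupName
        Action     = $Expected.Action
        Missing    = $missing
        Unexpected = @($unexpected | ForEach-Object { "$($_.Name) ($($_.SID.Value))" })
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

$expected = Get-ExpectedMembers -Xml $policyXml -GroupName 'Administrators'
Test-LocalGroupAgainstPolicy -GroupName 'Administrators' -Expected $expected | Format-List
```

A non-empty `Unexpected` list under a Replace action is the case worth alerting on: it means an account sits in the Administrators group that no rule placed there, which is exactly what the lock-down policy is meant to prevent. Comparing by SID first avoids false findings when a display name changes, and the script reports, rather than changes, membership, so it can be run on a schedule without fighting the policy.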
If policies create a conflict for a group membership, the conflicting settings from each policy aren't sent to the device. Instead, the conflict is reported for those policies in the Microsoft Intune admin center. To resolve the conflict, reconfigure one or more policies.
As devices check in and apply the policy, the admin center displays the status of the devices and users as successful or in error.
Because the policy can contain multiple rules, consider the following points: