Restricting local logon access on Windows devices

In today’s rapidly evolving digital landscape, security is a paramount concern for organizations. Ensuring that only authorized individuals can access specific resources is a fundamental aspect of safeguarding sensitive data and maintaining the integrity of IT environments. In this blog post, we will explore how to use Microsoft Intune to implement a crucial security measure – restricting who can logon to Windows devices using the „Allow Local Log On“ user rights assignment. This powerful feature allows organizations to finely control access to their Windows devices, enabling scenarios like granting access exclusively to developers on dedicated client machines.

What is „Allow Local Log On“ and why Is It Important?

The „Allow Local Log On“ user right is a critical component of access control on Windows devices. By configuring this setting, organizations can specify which users or groups are permitted to log on locally to a given Windows device.

This level of granularity is essential for several reasons:

Enhanced Security: Limiting local logon access ensures that only authorized personnel can physically access a device. This is especially crucial for devices containing sensitive information or used for specialized purposes like development.

Compliance Requirements: Many industries and organizations have strict compliance requirements that demand strict access controls. Implementing „Allow Local Log On“ helps in meeting these regulatory obligations.

Resource Segmentation: In scenarios where different groups within an organization use shared devices, this feature enables resource segmentation. For example, developers can be granted local logon access only to their designated machines.

How to Configure „Allow Local Log On“ via Microsoft Intune?

Now, let’s walk through the steps to create a configuration profile using Microsoft Intune to restrict local logon access on Windows devices:

Start by creating a new configuration profile from the settings catalog for Windows devices. Give it a name and a description. then click on „+ Add settings“ and search for „User Rights“. In the list you will see the „Allow Local Log On“ option – please enable this one:

Now you need to define who can logon. I am starting with the local Administrators group because I have WindowsLAPS in my environment and want to be able to login with the users from this local group. Also I want to enable a User from my Entra ID tenant to logon locally but no other user. So I add my Entra ID user with a prefix of „AzureAD\“ followed by the UPN of this account. Assign the policy to your device group and sync the devices or wait for the next sync schedule.

Once you try to logon with any user that in my example is not member of the local administrators group or the defined user from my Entra ID tenant you will see that Windows blocks the login:

If you need to check those blocked events, have an eye on ID 4625 in the Windows Event Viewer.

Also it is important to know that this ONLY blocks local logons. If any other user tries to login remotely this will not be blocked with this policy. This example is a whitelist scenario – if needed you also can use a blacklist where you only block specific users to logon locally with this setting from the „User Rights“:

Conclusion

In conclusion, the „Allow Local Log On“ user right assignment in Microsoft Intune is a powerful tool for enhancing security and access control on Windows devices. Organizations can leverage this feature to restrict access to specific devices, ensuring that only authorized users or groups can log on locally. Whether it’s safeguarding sensitive data, meeting compliance requirements, or segmenting resources, „Allow Local Log On“ provides the flexibility and control needed to secure your IT environment effectively. By following the steps outlined in this blog post, you can implement this security measure and contribute to a more robust and resilient modern work solution with Microsoft Cloud Tools.