Managing Windows Local Groups with Intune: Step-by-Step Guide for Admins

By /

Managing Windows Local Groups Using Intune

Overview

Managing local Windows groups through Microsoft Intune lets administrators control membership of built-in security groups across all devices from a central console. This helps enforce least-privilege access, prevent unauthorized accounts, and keep security consistent.

Intune uses the LocalUsersAndGroups Configuration Service Provider (CSP) over the MDM channel to add, remove, or replace members of local groups without logging into each device.

Configuration Methods

There are three main ways to set up local group management in Intune:

1. Account Protection Profile

  • Found under Endpoint Security → Account Protection → Local User Group Membership
  • Provides a built-in, user-friendly template for Windows 10/11 devices

2. Settings Catalog

  • Offers advanced, CSP-backed settings
  • Ideal for granular or custom configurations beyond the default template

3. OMA-URI (Legacy)

  • Manual XML-based policies
  • Not recommended for new deployments, due to complexity and lack of UI

Supported Local Groups

Intune policies can manage membership of these built-in Windows groups:

  • Administrators
  • Users
  • Guests
  • Power Users
  • Remote Desktop Users
  • Remote Management Users

Membership Actions

When you configure a local group policy, you choose one of three actions:

  • Add (Update): Adds selected users or groups without touching existing members.
  • Remove (Update): Removes only the specified members, leaving everyone else unchanged.
  • Add (Replace): Clears all current members and replaces them with those you specify.

Requirements and Prerequisites

  • Devices must run Windows 10 version 20H2 or later, or Windows 11.
  • Devices need to be enrolled in Intune and support MDM management.
  • You can select members either by choosing Azure AD users/groups or by manually entering SIDs or domain\username for hybrid-joined devices.

Key Considerations

  • Assign only one local group membership policy per device to avoid conflicts.
  • Changes apply during policy refresh cycles and may not be immediate.
  • In hybrid environments, use SIDs instead of display names to ensure consistency across languages.
  • You cannot remove built-in local administrator accounts; use Windows LAPS to manage those securely.

Best Practices

  • Limit local administrator access to only those who really need it and review membership regularly.
  • Implement Windows LAPS so each local admin account has a unique, rotating password stored securely.
  • Monitor and audit local group changes with compliance reports to catch unauthorized modifications.

Step-by-Step: Creating a Local Group Policy

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Endpoint Security → Account Protection → Create Policy.
  3. Choose Windows 10 and later as the platform.
  4. Select Local user group membership as the profile.
  5. On the Basics tab, give the policy a name and description.
  6. Under Configuration Settings, click Add under Group Configuration.
  7. Pick the local group (for example, Administrators).
  8. Choose the action: Add, Remove, or Replace.
  9. Select how to specify members: Azure AD users/groups or manual entry (SID or domain\username).
  10. Add your chosen users or groups.
  11. Assign the policy to device groups, then review and create.

Advanced Scenarios

  • For hybrid Azure AD joined devices, manual entry with SIDs or domain\username ensures on-premises accounts apply correctly.
  • Some less common local groups aren’t supported in the standard template; use the Settings Catalog or OMA-URI for those.
  • Combine local group policies with Windows LAPS and Conditional Access for a full security framework.

Troubleshooting

  • Policy Conflicts: Check for multiple policies targeting the same device. Only one local group policy should be active.
  • Assignment Issues: Verify device enrollment, MDM support, and correct Windows version.
  • Manual Entry Errors: Ensure SIDs and domain\username formats are accurate, especially for hybrid devices.

Exam Tips

  • Know why centralizing local group management matters and its security benefits.
  • Be able to name the supported local groups and describe Add, Remove, and Replace actions.
  • Practice creating and assigning a Local User Group Membership policy in the Intune portal.
  • Understand hybrid vs. cloud-only considerations, and how to resolve policy conflicts.

Looking Ahead

Intune’s local group management continues to evolve. New features in Windows LAPS and tighter integrations with Zero Trust tools will make it easier to secure endpoints. Stay current with Intune updates to keep your devices protected.

LinkedInCopyPinterestRedditTelegram

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by
Scroll to Top