Enforcing Login Blocks on Unpatched Windows PCs with Intune
When users ignore patch reminders, their PCs stay exposed. You can make unpatched machines effectively unusable until they install updates by combining three layers: an Intune compliance policy that flags devices below a required build, a Conditional Access policy that refuses those devices access to cloud resources, and a PowerShell script that disables local accounts on them. Each layer covers a different sign-in path, and none of them alone covers all of them.
1. Mark Devices Non-Compliant Based on Patch Level
First, create an Intune compliance policy that checks Windows update status:
- In the Intune admin center, go to Devices > Compliance policies.
- Click + Create policy > Windows 10 and later.
- Under Device Properties, set Minimum OS version to the build of the cumulative update you require, in the full 10.0.build.UBR form Intune expects (for example 10.0.19045.xxxx for Windows 10 22H2, where the last number is the update build revision of that month's cumulative update; read CurrentBuild and UBR from a fully patched reference machine). A release name such as "22H2" is not accepted here, and it would not distinguish patched from unpatched machines on the same feature version anyway.
- Under Actions for noncompliance, keep the Mark device noncompliant action with its schedule set to Immediately (0 days).
- Assign the policy to your target device group.
Once applied, any PC below the specified build is marked non-compliant at its next Intune check-in (compliance is evaluated on check-in, so expect a delay of up to several hours rather than an instant change). Remember that the minimum version has to be raised every month to track the newest cumulative update; if you raise it on release day with a zero-day schedule, every device that has not yet installed that day's update is locked out at once, so many teams set the schedule to a few days instead of Immediately.
2. Block Azure AD Sign-Ins via Conditional Access
Next, prevent users from signing in with their Azure AD credentials when their device is non-compliant:
- In the Microsoft Entra admin center (Azure Active Directory in the Azure portal), navigate to Protection > Conditional Access.
- Click + New policy and name it “Require Compliant Device for Windows.”
- Assignments > Users: Select the groups you want to enforce, and exclude your break-glass account.
- Target resources (Cloud apps) > Include: All cloud apps. Under Exclude, add Microsoft Intune Enrollment so devices that still need to enroll or re-enroll can do so.
- Conditions > Device platforms: Select Windows.
- Grant: Choose Grant access and tick Require device to be marked as compliant. Do not choose Block access: a policy has a single grant control, and Block would deny every Windows sign-in in scope regardless of compliance, whereas the compliant-device requirement denies only devices Intune has marked non-compliant.
- Enable the policy in Report-only mode first, review the sign-in log, then switch it to On.
Now any non-compliant device is refused tokens for every cloud app (Outlook, Teams, SharePoint, browser sign-in to Microsoft 365). Note what this does not do: Conditional Access is evaluated when the device requests a token for a resource, not at the Windows lock screen, so a user can still sign in to the PC with cached credentials; they just cannot reach cloud resources from it.
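The same policy expressed with Microsoft Graph PowerShell, added here as an example that is not part of the original guide. Building the policy body as data makes the grant-control choice explicit (Grant plus the compliantDevice control, not Block), and the policy is created in report-only mode so it can be piloted from the sign-in log. The group object ID is a placeholder; the application ID for Microsoft Intune Enrollment is the one Microsoft documents, but verify it under your tenant's enterprise applications before relying on it.

```powershell
# Added example: create the "require compliant device" policy via Microsoft Graph.
# Requires the Microsoft.Graph module; an admin must consent to the scopes below.
Import-Module Microsoft.Graph.Identity.SignIns

function New-PatchCompliancePolicyBody {
    param(
        [Parameter(Mandatory)] [string[]] $GroupIds,
        # Microsoft Intune Enrollment, as documented by Microsoft (verify in your tenant)
        [string[]] $ExcludedAppIds = @('d4ebce55-015a-49b5-a083-c84d1797ae8c'),
        # Report-only until the pilot group has been reviewed in the sign-in log
        [string] $State = 'enabledForReportingButNotEnforced'
    )
    @{
        displayName = 'Require Compliant Device for Windows'
        state       = $State
        conditions  = @{
            users          = @{ includeGroups = $GroupIds }
            applications   = @{ includeApplications = @('All'); excludeApplications = $ExcludedAppIds }
            platforms      = @{ includePlatforms = @('windows') }
            clientAppTypes = @('all')
        }
        # Grant with the compliantDevice control: non-compliant devices are denied, compliant
        # ones pass. A Block grant would deny every Windows sign-in in scope, patched or not.
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')
        }
    }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
# Placeholder group ID (assumption): the device-owner group you assigned the compliance policy to
$body = New-PatchCompliancePolicyBody -GroupIds @('<patch-enforcement-group-object-id>')
$body | ConvertTo-Json -Depth 5   # review the body before it is submitted
New-MgIdentityConditionalAccessPolicy -BodyParameter $body
```

Switch the state to 'enabled' (or edit the policy in the portal) once the report-only results show only the devices you expect being flagged.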
3. Disable Local Interactive Logon with PowerShell
Conditional Access governs access to cloud resources, not who can sign in to the PC itself. To close the local path, deploy a PowerShell script that disables every enabled local account that is not a member of Administrators. Note the scope: Get-LocalUser only sees accounts in the local SAM database, so domain (on-prem AD) and Entra ID users are untouched by this script; restricting them would need the Deny log on locally user right, which this guide does not cover.
```powershell
# Disable-LocalLogon.ps1
# Run as SYSTEM via Intune. Disables enabled local users who are not in Administrators
# and records their names so the companion script re-enables only those accounts.
$stateDir  = Join-Path $env:ProgramData 'PatchLockout'
$stateFile = Join-Path $stateDir 'disabled-accounts.txt'
New-Item -Path $stateDir -ItemType Directory -Force | Out-Null
# Resolve Administrators membership once; abort rather than risk disabling an admin if it fails
try {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { $_.Name.Split('\')[-1] })
} catch {
    Write-Host "Cannot read Administrators membership, aborting: $_"
    exit 1
}
# Only currently enabled accounts: Guest, DefaultAccount and WDAGUtilityAccount are disabled
# by design and must not end up in the restore list.
$targets = Get-LocalUser | Where-Object { $_.Enabled -and ($admins -notcontains $_.Name) }
foreach ($user in $targets) {
    try {
        Disable-LocalUser -Name $user.Name
        Add-Content -Path $stateFile -Value $user.Name
    } catch {
        Write-Host "Error disabling $($user.Name): $_"
    }
}
```
Deploy it in Intune. A script added under Devices > Scripts runs once per device and is not re-run until the script itself changes, so it cannot react to a device dropping out of compliance later. Use Remediations instead, which pair a detection script with a remediation script and run on a schedule (check the licensing prerequisites for Remediations in the Intune documentation):
- In Intune > Devices > Scripts and remediations > Remediations, click + Create.
- Name it “Disable Local Logon on Non-Compliant.”
- Upload a detection script that exits 1 when the device is below the required build and its local accounts have not yet been disabled (exit 0 otherwise), and upload Disable-LocalLogon.ps1 as the remediation script.
- Under Settings, set Run this script using the logged-on credentials to No (it then runs as SYSTEM) and Run script in 64-bit PowerShell to Yes.
- Assign it to the same device group as your compliance policy and set the schedule (hourly or daily).
Each time the detection script reports a device below the required build, Intune runs Disable-LocalLogon.ps1 on it, blocking sign-in with any local non-admin account.
4. Re-Enable Local Logon When Compliant
When devices install updates and become compliant again, you need to reverse the lockout. Use a companion script:
```powershell
# Enable-LocalLogon.ps1
# Run as SYSTEM via Intune. Re-enables only the accounts Disable-LocalLogon.ps1 recorded,
# so built-in accounts that were disabled by design stay disabled.
$stateFile = Join-Path $env:ProgramData 'PatchLockout\disabled-accounts.txt'
if (-not (Test-Path $stateFile)) {
    Write-Host 'No lockout state recorded; nothing to re-enable.'
    exit 0
}
$failed = @()
foreach ($name in (Get-Content $stateFile | Sort-Object -Unique | Where-Object { $_ })) {
    try {
        Enable-LocalUser -Name $name
    } catch {
        Write-Host "Error enabling ${name}: $_"
        $failed += $name
    }
}
# Keep the names that still need attention; clear the state once everything is restored
if ($failed.Count -eq 0) { Remove-Item $stateFile -Force } else { Set-Content -Path $stateFile -Value $failed }
```
Deploy it as a second Remediation assigned to the same device group. Intune cannot target “compliant devices” directly (compliance state is not available to dynamic group rules), so the detection script does the scoping: it exits 1 only when the device is at or above the required build and a lockout record exists, and Enable-LocalLogon.ps1 is the remediation.
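A detection script for both Remediations (the lockout in step 3 and the restore in step 4), added here as an example that is not part of the original guide. It reads the installed build and update build revision from the registry, compares them with the same version string used in the compliance policy, checks whether a lockout record exists, and exits 1 when the state disagrees with the patch level. The file name, the function names and the required version are assumptions: replace the version with the build you configured in Intune. Upload the file twice, once with $Direction = 'Lock' paired with Disable-LocalLogon.ps1 and once with $Direction = 'Restore' paired with Enable-LocalLogon.ps1.

```powershell
# Detect-PatchLockout.ps1 (hypothetical name): Intune Remediations detection script.
# Exit 1 = run the remediation script, exit 0 = nothing to do. Runs as SYSTEM under
# Windows PowerShell 5.1, which is what Intune uses.

# Assumed threshold, placeholder value: use the same 10.0.build.UBR string as the compliance policy.
$RequiredVersion = [version]'10.0.19045.4000'
$Direction       = 'Lock'    # 'Lock' for the disable pair, 'Restore' for the enable pair
$StateFile       = Join-Path $env:ProgramData 'PatchLockout\disabled-accounts.txt'

function Get-InstalledOSVersion {
    # [Environment]::OSVersion reports the UBR as 0, so read the real revision from the registry
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
                                   $cv.CurrentMinorVersionNumber,
                                   $cv.CurrentBuild,
                                   $cv.UBR)
}

function Get-PatchLockoutAssessment {
    param(
        [Parameter(Mandatory)] [version] $Required,
        [Parameter(Mandatory)] [string]  $StatePath
    )
    $installed = Get-InstalledOSVersion
    $patched   = $installed -ge $Required        # [version] compares all four fields
    $locked    = Test-Path $StatePath           # record written by Disable-LocalLogon.ps1
    [pscustomobject]@{
        Installed    = $installed
        Required     = $Required
        Patched      = $patched
        LockedOut    = $locked
        NeedsLock    = (-not $patched) -and (-not $locked)   # unpatched but accounts still enabled
        NeedsRestore = $patched -and $locked                 # patched but accounts still disabled
    }
}

$a = Get-PatchLockoutAssessment -Required $RequiredVersion -StatePath $StateFile
# The last line of output is shown in the Remediations report, so make it a one-line status
"Installed $($a.Installed); required $($a.Required); patched=$($a.Patched); lockedOut=$($a.LockedOut)"

$needsRemediation = if ($Direction -eq 'Lock') { $a.NeedsLock } else { $a.NeedsRestore }
if ($needsRemediation) { exit 1 }
exit 0
```

Because the threshold lives in this script as well as in the compliance policy, raise both each month; if they drift apart, Conditional Access and the local lockout will disagree about which devices are patched. Dot-source the file on a test machine and call Get-PatchLockoutAssessment interactively to see the decision before assigning the Remediation.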
5. End-to-End Workflow
- The compliance policy marks a PC below the required build non-compliant at its next check-in.
- Conditional Access refuses that PC tokens for cloud apps, so Entra ID users lose access to Microsoft 365 and other cloud resources from it.
- The lockout Remediation detects the device is below the required build and runs Disable-LocalLogon.ps1, which disables local non-admin accounts (domain and Entra ID accounts are not local users and are unaffected by this step).
- Users cannot get useful work out of the PC until they install updates.
- Once updated, the restore Remediation runs Enable-LocalLogon.ps1, and compliance, and with it Conditional Access, recovers at the next check-in.
Best Practices
- Testing: Pilot policies and scripts on a small group before wide deployment.
- Admin Access: Members of the local Administrators group are skipped by the script, but also exclude a break-glass account from the Conditional Access policy and keep a known local admin credential (for example one managed by Windows LAPS) so a locked-out machine can still be serviced.
- Monitoring: Use the Intune device compliance and Remediations reports to track non-compliant devices and lockouts, and the Entra ID sign-in log (filtered on Conditional Access failures) to see who is being blocked.
- Communication: Notify users about the policy so they know why their login is blocked.
- Scheduling: Align script run intervals with patch release schedules for minimal disruption.
By combining Intune compliance checks, Conditional Access, and local account lockdown, you ensure that an unpatched Windows PC is of little use until it meets your organization’s patch baseline. The layers together cover cloud and local sign-ins, but keep in mind the gap each leaves on its own: Conditional Access does not stop a cached sign-in at the lock screen, and the local-account script does not affect domain or Entra ID accounts.

