IT admins can now configure local group membership settings for Windows devices, enabling admins to granularly manage the membership of built-in groups on the Windows platform to ensure users have the correct privileges.
In a Tech Community blog, the Intune Support Team said this new feature comes with a built-in template in the Endpoint security node where admins can add, remove or replace users to the built-in local groups on the targeted device.
Microsoft says the settings are derived from the Policy configuration service provider (CSP) LocalUsersAndGroups and come as a built-in template in the Account protection section of Endpoint security. Previously, those settings were only able to be configured through PowerShell script, custom OMA-URI policies or GPO, according to the blog.
To access the new settings, sign into the Microsoft Endpoint Manager admin center and select Endpoint security > Account protection. Select Create Policy and choose Windows 10 and later as the platform and Local user group membership as the template.
Admins can create multiple rules to manage which built-in local groups they want to change, the group action to take and the method to select the users, the company says.
Once one or more local groups have been selected, you can choose the group action to take:
- Add (Update): Adds members to the specified group while keeping the current group membership intact.
- Remove (Update): Removes members from the specified group while keeping the rest of the current group membership intact.
- Add (Replace): Replaces the current membership of the specified group with the newly specified members.
Note: The same local group cannot have a rule to both Update and Replace members. If this is configured using Microsoft Graph (not recommended), the Replace action will take precedence.
Then, admins select the method for identifying the members they want to add to or remove from the specified group: either by selecting Azure Active Directory users and user groups, or by manually entering Azure AD and/or AD users and groups. The manual option lets admins type a list of users and user groups as the identified members to be managed for the specified local groups.
This is useful when you want to add on-premises Active Directory users to a local group on a hybrid Azure AD joined device. The supported formats for identifying the selected users, in order of most to least preferred, are the SID, domain\username, or the member's username. Values from Active Directory must be used for hybrid joined devices, while values from Azure AD must be used for Azure AD joined devices. Azure AD group SIDs can be obtained using the Graph API for Groups.
Microsoft advises admins to check the method of user selection against the types of devices being targeted to make sure the supported formats are compatible. Any entries that are not supported will be skipped and not applied to the device.
After admins are satisfied with the configured rules, they can apply scope tags and targeting, then review the policy contents before saving. Admins can view targeted devices as they check in to the policy to determine whether they are in success or error.
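As an added example (not code from Microsoft or the Tech Community blog), the following PowerShell pulls together the three checks the steps above imply: it flags a rule set that applies both Update and Replace to the same local group, classifies a constructed list of member entries by the three supported formats (SID, domain\username, username) so unsupported entries can be spotted before they are silently skipped, and then compares the expected members against what is actually in a built-in group on a targeted device. The SID, domain name and account names are placeholders, and the format regexes are this example's own approximation of the formats named in the post, not Microsoft's validation logic. The membership comparison uses the Microsoft.PowerShell.LocalAccounts cmdlet Get-LocalGroupMember, which ships with Windows 10 and later.

```powershell
# Added example, not part of the original post. Placeholder values throughout.

# Constructed rule set in the shape the post describes: one local group, one action.
$Rules = @(
    @{ Group = 'Administrators'; Action = 'Add (Update)';  Members = @('CONTOSO\helpdesk-admins') },
    @{ Group = 'Administrators'; Action = 'Add (Replace)'; Members = @('S-1-12-1-111111111-222222222-333333333-444444444') },
    @{ Group = 'Remote Desktop Users'; Action = 'Remove (Update)'; Members = @('jdoe') }
)

function Test-RuleConflict {
    # The post states a group cannot have both an Update and a Replace rule.
    param([Parameter(Mandatory)][hashtable[]]$RuleSet)
    $RuleSet | Group-Object { $_.Group } | ForEach-Object {
        $actions = $_.Group | ForEach-Object { if ($_.Action -like '*Replace*') { 'Replace' } else { 'Update' } } | Sort-Object -Unique
        [pscustomobject]@{ LocalGroup = $_.Name; Actions = ($actions -join ','); Conflict = ($actions.Count -gt 1) }
    }
}

function Get-MemberFormat {
    # Returns the format an entry matches, in the post's order of preference, or $null.
    param([Parameter(Mandatory)][string]$Entry)
    $badChars = '"/\\\[\]:;|=,+*?<>'
    if ($Entry -match '^S-1-\d+(-\d+)+$')                        { return 'SID' }
    if ($Entry -match "^[^$badChars\s]+\\[^$badChars]+$")        { return 'Domain\Username' }
    if ($Entry -match "^[^$badChars\s]+$")                        { return 'Username' }
    return $null   # unsupported; the post says such entries are skipped on the device
}

function Test-MemberEntries {
    param([Parameter(Mandatory)][string[]]$Entries)
    foreach ($e in $Entries) {
        $fmt = Get-MemberFormat -Entry $e
        [pscustomobject]@{ Entry = $e; Format = $fmt; Supported = [bool]$fmt }
    }
}

function Compare-LocalGroupMembership {
    # Run on the targeted device after it has checked in to the policy.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$Expected
    )
    $actual = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    foreach ($e in $Expected) {
        $present = $actual | Where-Object {
            $_.SID.Value -eq $e -or $_.Name -eq $e -or ($_.Name -split '\\')[-1] -eq $e
        }
        [pscustomobject]@{ Group = $GroupName; Expected = $e; Present = [bool]$present }
    }
}

# 1. Rule conflicts: 'Administrators' above has both Update and Replace, so it is flagged.
Test-RuleConflict -RuleSet $Rules | Format-Table -AutoSize

# 2. Entry formats: the last constructed entry contains characters no format allows.
$AllMembers = ($Rules | ForEach-Object { $_.Members }) + 'not a valid entry!'
$Checked = Test-MemberEntries -Entries $AllMembers
$Checked | Format-Table -AutoSize

# 3. On-device verification against the supported entries only.
$Supported = $Checked | Where-Object Supported | Select-Object -ExpandProperty Entry
Compare-LocalGroupMembership -GroupName 'Administrators' -Expected $Supported | Format-Table -AutoSize
```

Steps 1 and 2 run anywhere, since they only inspect the rule data; step 3 must run on the device itself, and a member that the policy skipped as unsupported will show `Present = False` there, which is the quickest way to tell a format mismatch from a device that simply has not checked in yet.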
Read the Tech Community blog for more information.