Intune

UserRights Policy Deployment Using Intune | Group Policy Replacement

March 2, 2020

You can use Intune to deploy security policies using out of box templates or Windows 10 custom policy CSP (UserRights Policy). In this post, you shall learn how to successfully deploy UserRights policies. Thanks to my colleague Mark Thomas to help me in fixing the issue.

TL;DR

Introduction

I checked Intune Administrative templates, Security baselines, and out of box Device restriction policies to find out options to deploy Windows 10 UserRights settings. I couldn’t find any out of box policies related to UserRights settings.

Administrative templates - Intune UserRights - UserRights Policy — **Administrative templates** – **Intune UserRights** – **UserRights Policy**

I have two options to deploy UserRights settings:

Group Policy if the device is domain joined or Hybrid Azure AD Joined
- Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. More details here.
Custom Windows 10 policy CSP using Intune for Azure AD joined devices. More details here.

Custom Windows 10 Policy CSP

In this post, you shall take example of the specific policy CSP called:

“./Device/Vendor/MSFT/Policy/Config/UserRights/AccessFromNetwork“

I’m trying to provide “access from network” access to two user groups called “Administrators” and “Remote Desktop Users“.

XML Format – First Try

I tried custom policy CSP using the Microsoft document recommendation here.

Created custom Intune policy CSP using – Data Type -> String (XML File)

UserRights - String (XML File) - UserRights Policy — **UserRights – String (XML File)** – UserRights Policy

Sample XML for UserRights/AccessFromNetwork settings to add Remote Desktop UsersAdministrators (  note this symbol) groups

  <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>

    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>./Device/Vendor/MSFT/
Policy/Config/UserRights/AccessFromNetwork</LocURI>
        </Target>
        <![CDATA[Remote Desktop UsersAdministrators]]>
      </Item>
    </Replace>
  <Final/>
  </SyncBody>
</SyncML>

The Data Type string (xml file) policy CSP settings failed with following error:

Error Code - 0x87d101f4
Syncml(500). The recipient encountered an unexpected condition which prevented it from fulfilling the request

UserRights Policy - Error 0x87d101f4 — **UserRights Policy – Error 0x87d101f4**

String Option – UserRight/AccessFromNetwork

String XML file option to deploy policy CSP failed as you saw above. The next option is to try Data Type -> String with Windows 10 policy CSP.

I tried to look at GitHub thread here and use the following settings to deploy UserRight/ AccessFromNetwork policy CSP.

String Option - UserRight/AccessFromNetwork - UserRights Policy — **String Option** – UserRight/AccessFromNetwork – UserRights Policy

The above setting got successfully applied on the Windows 10 device but Intune shows an error -2016281112 (Remediation failed). This error details also explained in the above GitHub thread.

ASCII Value (  ) Issues with UserRights CSP

This is the option where my colleague Mark Thomas came to rescue. Mark helped me to FIX the Windows 10 custom policy CSP ASCII character related issue.

NOTE – This ASCII value (  ) mismatch is also discussed in GitHub thread here.

String Value to provide “UserRight/AccessFromNetwork” access to following groups:

Administrators
Remote Desktop Users

The following is the third and final options which was successful.

Policy CSP Settings Intune:

Name - UserRights/AccessFromNetwork
Description - User Rights
OMA-URI - ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessFromNetwork
Data Type - String
Value - Remote Desktop UsersAdministrators

Results – UserRights Policy

The Windows 10 custom policy CSP successfully deployed without using group policy settings. Happy modern management!

UserRights Policy OMA-URI Settings - Results — **UserRights Policy OMA-URI Settings – Results**

Resources

Policy CSP – UserRights – https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-userrights
How to Manually Sync Intune Policies ASAP from Enrolled Devices

6 COMMENTS

Steve Prentice March 4, 2020 At 5:39 pm
Works like a charm, thanks for going through all the pain for us. 🙂
- Anoop C Nair March 4, 2020 At 5:40 pm
  Great to know … thank you for the feedback
David March 7, 2020 At 10:54 am
Hi,
where and how do I find the endpoint settings defined from Intune?
For GPO, were the tools gpresults and rsop? Is there something similar for Intune?
Thanks
David
- Anoop C Nair May 11, 2020 At 5:12 pm
  Diagreport from the client might help you
Sumit Kumar July 20, 2020 At 7:25 pm
Hi Anoop,
I am trying to restrict few user groups from interactive login to AzureAd joined devices and was exploring UserRights/DenyLocalLogOn. I did give the objectID of the azure ad group in the string but it didn’t work. Have you tried this? Also, is there any other better way to handle this?
- Scott Strausbaugh October 17, 2020 At 1:53 am
  Did you ever find a way to deny a local login using a CSP? I was trying to limit anyone in the local Guests group on the machine from logging in. This was my final setting that applied successfully after reading this article.
  Name: DenyInteractiveLogonRight
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn
  Data type: String
  Value: Guests

Introduction

Custom Windows 10 Policy CSP

XML Format – First Try

String Option – UserRight/AccessFromNetwork

ASCII Value (  ) Issues with UserRights CSP

Results – UserRights Policy

Resources

RELATED ARTICLESMORE FROM AUTHOR

Override Intune GRS: Trigger IME to retry failed Win32 App deployment

Android Enterprise: An ultimate use-case guide for the different management modes available with Intune [3]

9 myths regarding the use of Android in Enterprise

6 COMMENTS

LEAVE A REPLY Cancel reply

RELATED ARTICLES MORE FROM AUTHOR