This blog post uses the LocalPoliciesSecurityOptions area of the Policy configuration service provider (CSP) to manage local policies security options on Windows 10 devices. This area was added in Windows 10, version 1709, which is currently available as an Insider Preview build.
This week, a blog post about managing local policies security options via Windows 10 MDM. More specifically, the local policies security options settings related to accounts, for example to block the usage of Microsoft accounts. I might address the other areas of the local policies security options in later blog posts, but that will be more of the same. The ability to manage local policies security options is something new in Windows 10 MDM: Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP. In this post I’ll look at the available settings in the Policy CSP and I’ll provide information about how those settings relate to the actual local policies security options. I’ll also provide some configuration guidelines for Microsoft Intune hybrid and Microsoft Intune standalone, and I’ll end this post with some examples of the actual device configuration.
Available settings
Now let’s start by having a look at the available settings. Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP. That area contains 20+ settings. Those settings are related to accounts, interactive logon, network security, recovery console, shutdown and user account control. In this post I’m specifically looking at the settings related to accounts. The table below shows the available settings related to accounts and the available values.
Setting | Value | Description
Accounts_BlockMicrosoftAccounts | 0 – Disabled, 1 – Enabled | This setting allows the administrator to prevent users from adding new Microsoft accounts on this computer.
Accounts_EnableAdministratorAccountStatus | 0 – Disabled, 1 – Enabled | This setting allows the administrator to enable the local Administrator account.
Accounts_EnableGuestAccountStatus | 0 – Disabled, 1 – Enabled | This setting allows the administrator to enable the Guest account.
Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly | 0 – Disabled, 1 – Enabled | This setting allows the administrator to configure whether local accounts that are not password protected can be used to log on from locations other than the physical computer console.
Accounts_RenameAdministratorAccount | <string> | This setting allows the administrator to configure whether a different account name is associated with the security identifier (SID) for the account Administrator.
Accounts_RenameGuestAccount | <string> | This setting allows the administrator to configure whether a different account name is associated with the security identifier (SID) for the account Guest.
Local group policy setting
The nice thing is that the mentioned account related settings, in the LocalPoliciesSecurityOptions area of the Policy CSP (./Vendor/MSFT/Policy/Config), are all related to actual local group policy settings. Those settings can be found at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The name of the area, in the Policy CSP, simply translates to the location in the local group policies. Nice and easy. The table below shows how the available settings, related to accounts, actually translate to local group policy settings.
Local group policy setting | Policy CSP setting
Accounts: Block Microsoft accounts | Accounts_BlockMicrosoftAccounts
Accounts: Administrator account status | Accounts_EnableAdministratorAccountStatus
Accounts: Guest account status | Accounts_EnableGuestAccountStatus
Accounts: Limit local account use of blank passwords to console logon only | Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
Accounts: Rename administrator account | Accounts_RenameAdministratorAccount
Accounts: Rename guest account | Accounts_RenameGuestAccount
Configure settings
After getting to know the available settings, let’s have a closer look at the configuration of the settings. The settings can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.
Note: This post is based on the custom OMA-URI settings configuration. At some point in time this configuration may become available via the UI of Microsoft Intune standalone and/or hybrid.
Device configuration
Usually I’ll end these types of posts with the end-user experience. However, in this case it’s better to simply look at the device configuration instead. On the left is an export of the MDM Diagnostics Information, which clearly shows the default configuration and the new configuration via MDM. On the right is an overview of the Local Group Policy Editor, which clearly shows the actual local policy configuration that resulted from the new configuration via MDM.
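As an added example (not from the original post), the following script checks on the device that the six account-related settings from the tables above actually landed in the local Security Options, by exporting the effective policy with secedit and reading the matching entries; it also prints the custom OMA-URI each setting is configured under. It assumes an elevated PowerShell session, the standard secedit INF key names listed in $checks, and the Device-scoped form of the ./Vendor/MSFT/Policy/Config path mentioned in this post.

```powershell
# Export the effective local security policy (requires an elevated prompt)
$inf = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated prompt.' }

# Parse the INF into a hashtable keyed by "Section\Key"
$policy  = @{}
$section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$')            { $section = $Matches[1]; continue }
    if ($line -match '^\s*(.+?)\s*=\s*(.*)$') { $policy["$section\$($Matches[1])"] = $Matches[2] }
}
Remove-Item $inf -Force

# Policy CSP setting name -> where secedit reports the corresponding local Security Option
# (assumption: these are the standard INF key names for the six "Accounts:" options)
$checks = [ordered]@{
    'Accounts_BlockMicrosoftAccounts'                                 = 'Registry Values\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser'
    'Accounts_EnableAdministratorAccountStatus'                       = 'System Access\EnableAdminAccount'
    'Accounts_EnableGuestAccountStatus'                               = 'System Access\EnableGuestAccount'
    'Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly' = 'Registry Values\MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse'
    'Accounts_RenameAdministratorAccount'                             = 'System Access\NewAdministratorName'
    'Accounts_RenameGuestAccount'                                     = 'System Access\NewGuestName'
}

# Assumption: Device-scoped OMA-URI prefix for the LocalPoliciesSecurityOptions area
$omaUriBase = './Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions'
foreach ($name in $checks.Keys) {
    $raw = $policy[$checks[$name]]
    # "Registry Values" entries are exported as "<regtype>,<data>" (e.g. "4,1"); keep only the data part
    $value = if ($null -eq $raw) { '<not configured>' } elseif ($raw -match '^\d+,(.*)$') { $Matches[1] } else { $raw }
    [pscustomobject]@{ OmaUri = "$omaUriBase/$name"; LocalPolicyValue = $value }
}
```

A setting that shows `<not configured>` after the MDM sync is the one to investigate in the MDM Diagnostics Information export.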
More information
For more information about the LocalPoliciesSecurityOptions area of the Policy CSP, please refer to this article about Policy CSP – LocalPoliciesSecurityOptions.
Greetings Peter, I’ve been attempting to use the Reporting CSP to obtain WIP audit reports. I tried following the instructions but ran into a wall trying to understand the syntax needed. I opened a case with support, but after some back and forth, they came back and said I needed to use SCCM (and they couldn’t even provide the steps for that) — I’m not sure if the support people really understood. I find it hard to believe that I can’t produce WIP audit reports with Intune Standalone. Especially when one of the WIP policy settings is “Silent” with auditing. Are you aware of any workaround I can use to get these reports without having to set up SCCM? Figured it might be something you know. Thanks in advance for any insight you can provide. Cheers, Anthony Murfet.
Hi Anthony,
With Configuration Manager you can extend the hardware inventory, also based on OMA-URIs. See for an example: https://petervanderwoude.nl/post/reporting-windows-defender-health-on-windows-10-via-oma-dm/
Regards,
Peter