This blog post uses the LocalPoliciesSecurityOptions area of the Policy configuration service provider (CSP) to manage local policies security options on Windows 10 devices. This area was added in Windows 10, version 1709, which is currently available as Insider Preview build.
This week a blog post about managing local policies security options via Windows 10 MDM. More specifically, the local policies security options settings related to accounts, for example to block the usage of Microsoft accounts. I might address the other areas of the local policies security options in later blog posts, but that will be more of the same. The ability to manage local policies security options is something new in Windows 10 MDM. Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP. In this post I’ll look at the available settings in the Policy CSP and I’ll provide information about how those settings relate to the actual local policies security options. I’ll also provide some configuration guidelines for Microsoft Intune hybrid and Microsoft Intune standalone, and I’ll end this post with some examples of the actual device configuration.
Now let’s start by having a look at the available settings. Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP. That area contains 20+ settings. Those settings are related to accounts, interactive logon, network security, recovery console, shutdown and user account control. In this post I’m specifically looking at the settings related to accounts. The table below shows the available settings related to accounts and their available values.
|Policy CSP setting|Value|Description|
|---|---|---|
|Accounts_BlockMicrosoftAccounts|0 – Disabled; 1 – Enabled|This setting allows the administrator to prevent users from adding new Microsoft accounts on this computer.|
|Accounts_EnableAdministratorAccountStatus|0 – Disabled; 1 – Enabled|This setting allows the administrator to enable the local Administrator account.|
|Accounts_EnableGuestAccountStatus|0 – Disabled; 1 – Enabled|This setting allows the administrator to enable the Guest account.|
|Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly|0 – Disabled; 1 – Enabled|This setting allows the administrator to configure whether local accounts that are not password protected can be used to log on from locations other than the physical computer console.|
|Accounts_RenameAdministratorAccount|<string>|This setting allows the administrator to configure whether a different account name is associated with the security identifier (SID) for the account Administrator.|
|Accounts_RenameGuestAccount|<string>|This setting allows the administrator to configure whether a different account name is associated with the security identifier (SID) for the account Guest.|
Local group policy setting
The nice thing is that the mentioned account related settings, in the LocalPoliciesSecurityOptions area of the Policy CSP (./Vendor/MSFT/Policy/Config), all correspond to actual local group policy settings. Those settings can be found at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The name of the area, in the Policy CSP, simply translates to the location in the local group policies. Nice and easy. The table below shows how the available settings, related to accounts, actually translate to local group policy settings.
|Local group policy setting|Policy CSP|
|---|---|
|Accounts: Block Microsoft accounts|Accounts_BlockMicrosoftAccounts|
|Accounts: Administrator account status|Accounts_EnableAdministratorAccountStatus|
|Accounts: Guest account status|Accounts_EnableGuestAccountStatus|
|Accounts: Limit local account use of blank password to console logon only|Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly|
|Accounts: Rename administrator account|Accounts_RenameAdministratorAccount|
|Accounts: Rename guest account|Accounts_RenameGuestAccount|
After getting to know the available settings, let’s have a closer look at the configuration of the settings. The settings can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.
Note: This post is based on the custom OMA-URI settings configuration. At some point in time this configuration may become available via the UI of Microsoft Intune standalone and/or hybrid.
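As an added example (my own code, not from the original post or from Intune), the snippet below builds the full OMA-URI for each account-related setting from the prefix quoted above, rejects values the Policy CSP would not accept (anything other than 0/1 for the integer settings, an empty name for the rename settings), and renders the result as SyncML `<Replace>` items. The SyncML shape is my construction of what an MDM server delivers for a custom OMA-URI setting, not an export from Intune; the setting names are the ones in the tables above.

```python
# Added example: validate and render custom OMA-URI entries for the
# account-related LocalPoliciesSecurityOptions settings (not the post's own code).
from xml.sax.saxutils import escape

# OMA-URI prefix as quoted in the post, plus the area name.
PREFIX = "./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions"

# Setting name -> value type. Integer settings take 0 (Disabled) or 1 (Enabled);
# the rename settings take an account name string.
SETTINGS = {
    "Accounts_BlockMicrosoftAccounts": int,
    "Accounts_EnableAdministratorAccountStatus": int,
    "Accounts_EnableGuestAccountStatus": int,
    "Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly": int,
    "Accounts_RenameAdministratorAccount": str,
    "Accounts_RenameGuestAccount": str,
}


def oma_uri(setting):
    """Return the full OMA-URI for a setting, refusing names not in the area."""
    if setting not in SETTINGS:
        raise KeyError(f"unknown LocalPoliciesSecurityOptions setting: {setting}")
    return f"{PREFIX}/{setting}"


def validate(setting, value):
    """Check a value against the setting's type; return (SyncML format, text)."""
    kind = SETTINGS[setting]  # raises KeyError for unknown settings
    if kind is int:
        # bool is a subclass of int, so reject True/False explicitly.
        if isinstance(value, bool) or value not in (0, 1):
            raise ValueError(f"{setting}: expected 0 (Disabled) or 1 (Enabled), got {value!r}")
        return "int", str(value)
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"{setting}: expected a non-empty account name")
    return "chr", value


def to_syncml(config, first_cmd_id=1):
    """Render {setting: value} as concatenated SyncML <Replace> items (constructed shape)."""
    items = []
    for cmd_id, (setting, value) in enumerate(config.items(), start=first_cmd_id):
        fmt, text = validate(setting, value)
        items.append(
            f"<Replace><CmdID>{cmd_id}</CmdID><Item>"
            f"<Target><LocURI>{oma_uri(setting)}</LocURI></Target>"
            f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>'
            f"<Data>{escape(text)}</Data></Item></Replace>"
        )
    return "".join(items)
```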
Usually I end this type of post with the end-user experience. However, in this case it’s better to simply look at the device configuration instead. On the left is an export of the MDM Diagnostics Information, which clearly shows the default configuration and the new configuration via MDM. On the right is an overview of the Local Group Policy Editor, which clearly shows the resulting local policy configuration after the MDM configuration was applied.
For more information about the LocalPoliciesSecurityOptions area of the Policy CSP, please refer to this article about Policy CSP – LocalPoliciesSecurityOptions.