Manage user account
Account protection allows you to protect user identities and accounts. It also lets you manage the membership of the local groups built into the device. With Account Protection, you can configure Account protection or Local user group membership.
Prerequisites
This feature requires Windows 10 or Windows 11 workstations.
Account Protection
This feature secures the user's identification information. It focuses on settings for Windows Hello and Credential Guard.
- Windows Hello for Business: Replaces passwords with two-factor authentication on PCs and mobile devices.
- Credential Guard: Protects credentials and secrets used on the devices.
Local user group membership
With this feature, you can add, remove, or replace members of the device's built-in local groups. For example, you can create a policy that edits the local Administrators group and locks down which members are added.
Create policy
I want to add my Azure AD administrator to the local administrator groups on my workstations.
From the Intune portal, click on Endpoint security then on Account protection. Click on Create Policy to create a new policy.
Select Windows 10 and later in the Platform drop-down list and Local user group membership in the Profile drop-down list. Click on Create to create the policy.
Enter the name of the profile and click on Next.
I want to add a user, so I choose Users under Local group.
The Update action adds the user or group of users without modifying the group. The Replace action allows you to replace the entire group with the configuration made in Intune.
You can add users/groups present in Azure AD or add an account manually. Select Users/Groups and click on Select users/groups.
Select the desired user and click on Next. Configure the assignment. I choose to assign the policy to all devices.
Click on Create to create the policy. The policy has been applied and the account has been added to the administrators group.
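To confirm the result on a workstation once the policy has synced, the following added example (not part of the original walkthrough) compares a built-in local group's members with the list configured in Intune, applying the Update and Replace behaviour described above. The function names and the SIDs in the sample data are constructed placeholders; the default group is the built-in Administrators group.

```powershell
# Added example: audit a built-in local group against the Intune policy.
# Function names and sample SIDs are hypothetical, not taken from Intune.

function Get-LocalGroupMemberSids {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    param([string]$GroupSid = 'S-1-5-32-544')
    Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop |
        ForEach-Object { $_.SID.Value }
}

function Compare-GroupMembership {
    param(
        [string[]]$Actual = @(),     # SIDs found in the group on the device
        [string[]]$Expected = @(),   # SIDs configured in the policy
        [ValidateSet('Update', 'Replace')]
        [string]$Action = 'Update'
    )
    # Both actions require every configured member to be present.
    $missing = @($Expected | Where-Object { $_ -notin $Actual })

    # Update only adds members, so pre-existing accounts are left in place.
    # Replace overwrites the group, so any member outside the policy is a finding.
    $unexpected = @()
    if ($Action -eq 'Replace') {
        $unexpected = @($Actual | Where-Object { $_ -notin $Expected })
    }

    [pscustomobject]@{
        Action     = $Action
        Missing    = $missing
        Unexpected = $unexpected
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed sample data: one Azure AD account SID from the policy and
# one leftover local account SID that the policy does not list.
$policySids = @('S-1-12-1-1111111111-2222222222-3333333333-4444444444')
$deviceSids = @(
    'S-1-12-1-1111111111-2222222222-3333333333-4444444444',
    'S-1-5-21-1000000000-2000000000-3000000000-1001'
)

Compare-GroupMembership -Actual $deviceSids -Expected $policySids -Action Update
Compare-GroupMembership -Actual $deviceSids -Expected $policySids -Action Replace

# On a real device, read the live membership instead of the sample data:
# Compare-GroupMembership -Actual (Get-LocalGroupMemberSids) -Expected $policySids -Action Replace
```

With the sample data, the Update check is compliant while the Replace check reports the leftover local account as unexpected.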