This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 3%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Second time typing this so I'll try to get to the point:
I've got AAD set up for my school with about 60 devices successfully added and in use.
I just set up a new computer that I was hoping to keep accessible to a few choice accounts in the domain rather than anyone being able to sign in. I created a device configuration profile for this in MDM and applied it to the desktop computer in question.
Now no account is able to log into the computer (including my own). I've deleted the policy but the computer doesn't appear to sync these policies unless it's logged in, which I'm unable to do.
Is there a way to fix this without a factory reset? Perhaps a way to force an AAD sync without logging in?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Andrew HUSSEY From your description, I know after deploying a device configuration profile, no account is able to login although we remove the profile. If there's any misunderstanding, feel free to let us know.
To sync the Intune policy to the device, we can go to Microsoft Endpoint Manager admin center and go to the device side, choose Sync to see if it is working.
Meanwhile, try to login the device with a local administrator account to see if it is successful.
In addition, please get a screen shot of the device configuration we set. So that we can test in the lab to get more options.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
What was the policy you assigned to the device exactly? Could you login with your AAD account before that? Have you tried initiating a sync from the portal https://video2.skills-academy.com/en-us/mem/intune/remote-actions/device-sync#sync-a-device ?
Thanks for your reply! I was able to log in with my AAD account prior to the policy being applied. Any attempts to sync from the AAD side (MDM or InTune) has not been successful. I have since deleted the policy so don't have it handy to share. I will search for the article I used to create the policy to begin with and share it here when I find it.
This was the guide I followed to create the policy intended to limit access to this computer to a few accounts in my org:
https://www.inthecloud247.com/restrict-which-users-can-logon-into-a-windows-10-device-with-microsoft-intune/
@Terry Smith , From your description, it seems no user include local user can login the device now. Based as I know, some profile setting will still be there after removing the profile. We can see more details in the following link:
https://video2.skills-academy.com/en-us/mem/intune/configuration/device-profile-troubleshoot#what-happens-when-a-profile-is-deleted-or-no-longer-applicable
We can reconfigure the AllowLocalLogOn device configuration profile and put the local group, other group to allow login. Then try to apply the policy to the device instead of the user to see if it is working.
Hope it can help.
Thanks for the replies.
It turns out that after allocating the correct licence it takes some time for it to propagate.
Somewhat frustrating that there can't be an error message to say "user not licensed for InTune" or similar.
Anyway, I appreciate people taking the time to reply.
Andrew
@Andrew HUSSEY , Thanks for the sharing. I am glad to hear that we find the cause. Congratulations!
For the feedback related to the error showing, to improve the experience of our Product, we suggest to feedback it on the Intune uservoice where Product team will review.
https://microsoftintune.uservoice.com/forums/291681-ideas
Thanks for your time and have a nice day.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.