Intune - Local Admin Security Policy

Matt Dillon 1,211 Reputation points
2023-03-07T15:25:54.46+00:00

I am in a Hybrid Azure AD environment. I set up the Endpoint security - Account protection - Local user group membership policy in my Intune tenant to replace a GPO that would set the SCCM server and a few users and groups as members of the Administrators group. I created a security group and denied the GPO from my endpoint.

While in office or connected to VPN:

Test 1: Passed

I removed all the members of the Administrators group and did a gpupdate /force to make sure that the GPO did not repopulate. Once that was verified, I created the Intune local user group membership policy and added an extra random user as a test and did an ADCONNECT sync for good measure. (I used an Add (Replace) and Manual with the SID of all the entries.) I then did a sync from Settings - Accounts - Access work or school - my account - Info. I refreshed the Administrators group and I was pleased to see all the accounts in the Intune policy show up, including the extra one.

Test 2: Fail

I removed the extra account in the policy and again did an ADCONNECT sync and the sync on my device, and the extra account was not removed.

Test 3: Fail

I then removed 3 of the accounts that were supposed to be in there and did the syncs again and even waited an hour. Unfortunately the Administrators group was not updated with the accounts that were supposed to be in there.

Questions

  1. Do I need a direct connection to the domain either via VPN or in an office for this policy to work in a Hybrid Azure AD environment?
  2. How often does the policy run? Can that be modified?
  3. While the GPO would instantly correct the members of the Administrators group, I am not seeing that with this policy. What is the expectation using this policy, as my guess at this point is that things happen once and that is it, or they happen when the policy has accounts added, but not deleted.
  4. Is a Proactive remediation PowerShell better suited for what I am trying to do?

1 answer

Greg Hall 0 Reputation points
    2024-03-05T09:58:33.52+00:00

    Catherine is correct. But...there are multiple ways to do the same thing. Hopefully I can add a few ways of doing the same thing...I only have 5 years of Intune experience.

    1. Do I need a direct connection to the domain either via VPN or in an office for this policy to work in a Hybrid Azure AD environment? In a Hybrid Environment you can still set Control Policy Conflict...MDMWinsOverGP to No. GPO will win until you go fully Entra joined.

    https://video2.skills-academy.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict

    2. How often does the policy run? Can that be modified?

    8 Hours, there are a few ways to modify...

    First, you can also restart the Windows Intune Extension Service in Services.msc,

    Second, in the Intune console you can run a sync when you select the device,

    Third, users can run a sync through the instructions Catherine provided.

    Finally, if you want all machines to run a sync at the same time, restart the service using a script I am sure you know how to write.

    3. While the GPO would instantly correct the members of the Administrators group, I am not seeing that with this policy. What is the expectation using this policy, as my guess at this point is that things happen once and that is it, or they happen when the policy has accounts added, but not deleted.

    You can create a custom OMA-URI. Custom GPOs. Very powerful, make sure you test.

    https://video2.skills-academy.com/en-us/mem/intune/configuration/custom-settings-windows-10

    https://video2.skills-academy.com/en-us/mem/intune/configuration/custom-settings-windows-10

    If you set ControlPolicyConflicts to allow GPO to win...this might not be necessary.

    4. Is a Proactive remediation PowerShell better suited for what I am trying to do?

    No, do not manage the local administrator groups through Proactive Remediations in Intune. You can use Proactive Remediations as the detection/remediation layer for any machine missing users in the admin group. You should deploy both.

    If you need to remove a user/group, Proactive Remediations is always the "last layer", not the managed option.

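The drift the question describes (Tests 2 and 3: accounts that should have left the Administrators group stayed in it) is exactly what the answer's "detection/remediation layer" would catch. The following PowerShell is an added example, not code from the question, the answer or Microsoft: a detection script and a remediation script in the Proactive Remediations convention (exit 0 = compliant, exit 1 = run remediation, output string shown in the Intune report). The SIDs in `$ExpectedSids` are obvious placeholders to be replaced with the same SIDs used in the Intune Local user group membership policy; both scripts are assumed to run as SYSTEM in 64-bit PowerShell.

```powershell
# ===== Detect.ps1 (upload as the detection script) =====
# Added example, not the post's own code. Compares the local Administrators group against
# an allow-list of SIDs and reports drift in both directions (missing and unexpected members).
# ASSUMPTION: the SIDs below are fake placeholders; replace them with the SIDs from your policy.

$ExpectedSids = @(
    'S-1-5-21-PLACEHOLDER-1001',   # e.g. the SCCM server computer account
    'S-1-5-21-PLACEHOLDER-1002',   # e.g. a helpdesk security group
    'S-1-5-21-PLACEHOLDER-1003'    # e.g. an individual admin user
)

function Get-AdminGroupSids {
    # Enumerate by the well-known SID of Administrators (S-1-5-32-544) rather than by name,
    # so the check works on localized Windows builds. Orphaned SIDs from deleted domain
    # accounts can make Get-LocalGroupMember throw; -ErrorAction Stop surfaces that instead
    # of silently returning a partial list.
    Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        ForEach-Object { $_.SID.Value }
}

function Get-BuiltinAdministratorSid {
    # The built-in local Administrator (RID 500) is always a member and is not removed by the
    # Intune policy, so it is treated as expected regardless of its current display name.
    (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
}

try {
    $actual   = @(Get-AdminGroupSids)
    $expected = @($ExpectedSids) + @(Get-BuiltinAdministratorSid)

    $missing = @($expected | Where-Object { $actual   -notcontains $_ })
    $extra   = @($actual   | Where-Object { $expected -notcontains $_ })

    if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
        Write-Output 'Administrators group matches the expected SID list'
        exit 0
    }

    # Say exactly what drifted; this string is what you see per device in the Intune report.
    Write-Output ('Drift detected. Missing: [{0}] Extra: [{1}]' -f ($missing -join ','), ($extra -join ','))
    exit 1
}
catch {
    # A failed enumeration is reported as non-compliant, never as "OK".
    Write-Output "Detection failed: $($_.Exception.Message)"
    exit 1
}

# ===== Remediate.ps1 (upload as the remediation script) =====
# Same placeholder list as the detection script. Adds only what is missing and removes only
# what is unexpected; the built-in Administrator is never touched.

$ExpectedSids = @(
    'S-1-5-21-PLACEHOLDER-1001',
    'S-1-5-21-PLACEHOLDER-1002',
    'S-1-5-21-PLACEHOLDER-1003'
)
$builtin  = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
$expected = @($ExpectedSids) + @($builtin)
$actual   = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop | ForEach-Object { $_.SID.Value })

foreach ($sid in @($expected | Where-Object { $actual -notcontains $_ })) {
    # -Member accepts a SID string, so no name resolution (and no domain line of sight) is needed.
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $sid -ErrorAction Stop
    Write-Output "Added $sid"
}
foreach ($sid in @($actual | Where-Object { $expected -notcontains $_ })) {
    Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $sid -ErrorAction Stop
    Write-Output "Removed $sid"
}
exit 0
```

Working with SIDs instead of names is deliberate: it matches how the Intune policy itself was configured in the question ("Manual with the SID of all the entries") and it avoids depending on a domain controller being reachable, which is the questioner's first concern. For the "restart the service on every machine" option the answer mentions, the Intune Management Extension service can be restarted from the same remediation framework with `Restart-Service -Name IntuneManagementExtension` (the service name is an assumption to verify in services.msc on one device first); that forces the extension to check in, but it does not change the 8-hour schedule itself.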