@Matt, Thanks for posting in Q&A. For your questions, here are my answers:
Q1: My first thought was that I was using the wrong type of group in Entra, but I've had no luck with either Security groups or Mail-Enabled Security groups. Do I need to use a specific type of group for the policy to work? (i.e, will the policy only work with, for example, a Dynamic Security group?)
A1: The policy should work with any type of Entra group, including Security groups or Mail-Enabled Security groups. The policy does not require a specific type of group to work.
Q2: Do I need to add anything extra to the SID when I add it to the users list in the LocalUsersAndGroups policy? Should I specify the domain first, as I've done with specific users?
A2: You do not need to add anything extra to the SID when adding it to the users list in the LocalUsersAndGroups policy. You should not specify the domain first when adding the SID. However, the supported formats for identifying the user selection, in order of most to least preferred, are the SID, domain\username, or the member's username. Values from Active Directory must be used for hybrid joined devices, while values from Microsoft Entra must be used for Microsoft Entra join. Please ensure the device join type is correct to add the members.
If the device join type is correct and I notice the SID is added into the local administrators group, that means the Intune policy is already applied. It can be that the device itself can't recognize the SID. You can open a case with Windows support and Microsoft Entra support to look into the issue:
https://video2.skills-academy.com/en-us/entra/fundamentals/how-to-get-support#open-a-support-request
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
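The two checks the answer describes, verifying the device join type and whether the SID actually landed in the local Administrators group and resolves to a principal, as an added PowerShell example (not from the original post). `$ExpectedSid` is a placeholder for the Entra group's SID used in the policy; run it elevated on the affected device.

```powershell
# Added example (not from the original answer): confirm join type and check whether
# the SID from the LocalUsersAndGroups policy is present in local Administrators.
# $ExpectedSid is a placeholder; replace it with the SID of the Entra group in the policy.
param(
    [string]$ExpectedSid = 'S-1-12-1-PLACEHOLDER'
)

# 1. Join type. Entra values need Entra join; AD values need hybrid join.
$status        = dsregcmd /status
$azureAdJoined = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($status | Select-String 'DomainJoined\s*:\s*YES')
$joinType = if ($azureAdJoined -and $domainJoined) { 'Hybrid Entra joined' }
            elseif ($azureAdJoined)                { 'Entra joined' }
            elseif ($domainJoined)                 { 'Domain joined only' }
            else                                   { 'Not joined' }
Write-Host "Join type: $joinType"

# 2. Local Administrators membership, with SIDs, so unresolved entries are visible.
# Get-LocalGroupMember can fail on some Windows builds when an orphaned SID is present,
# so fall back to 'net localgroup', which prints unresolved members as bare SIDs.
try {
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
    $members | Select-Object Name, SID, PrincipalSource, ObjectClass | Format-Table -AutoSize
    $match = $members | Where-Object { $_.SID.Value -eq $ExpectedSid }
    if (-not $match) {
        Write-Warning "$ExpectedSid is not in Administrators: policy not applied yet, or it targets another group."
    } elseif ($match.Name -like "*$ExpectedSid") {
        Write-Warning "$ExpectedSid is present but unresolved; the device cannot map it to a principal (check join type)."
    } else {
        Write-Host "$ExpectedSid resolved to '$($match.Name)' (source: $($match.PrincipalSource))."
    }
} catch {
    Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using 'net localgroup' instead."
    $raw = net localgroup Administrators
    $raw
    if ($raw -match [regex]::Escape($ExpectedSid)) {
        Write-Warning "$ExpectedSid is listed as a bare SID, so it is present but unresolved on this device."
    } else {
        Write-Warning "$ExpectedSid is not listed in Administrators."
    }
}
```

An unresolved entry appearing as a raw SID while the join type does not match where the group lives is the mismatch the answer points at; a missing entry means the policy has not applied to this device at all.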