Intune Log on Rights
I locked myself out of a test machine last week. Not in a fun way. Not in a "forgot my password" way. In a "the sign-in method you're trying to use isn't allowed" way, where no account on the device could log in at all. Not the admin. Not the test user. Nobody. Ok. Probably just something to do with Windows Hello. No worries. Lemme just login with the password. 😒 Thanks for giving me the benefit of the doubt but I DID not mean to do this on purpose. I've deployed this exact policy before in production environments. I know how it works. And I still managed to brick the logon on my test device. I had to wipe the machine. Completely. What happened? I forgot the #!&%?! USERS group. The trap with AADJ devices On AADJ-only devices, local group memberships are still evaluated for user rights assignments. Your Entra ID groups don't just float freely. They need to be nested inside one of the local BUILTIN groups on the ma...
