How to fix the User Rights issue in Security Baseline 23H2 for Intune

A guide to understanding and resolving the problem with the User Rights section in the latest security baseline for Intune.


Security baselines are predefined sets of security settings that you can apply to your devices in Intune. They help you to protect your devices from common threats and comply with industry standards and regulations. Security baselines are updated regularly to reflect the latest security best practices and recommendations from Microsoft.

The latest security baseline for Intune is Security Baseline 23H2, which was announced in late October 2023. It includes several new features and improvements compared to the previous November 2021 version.

You can find the full list of settings and their descriptions in the reference at Microsoft Learn. (https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-23h2)

However, there is an issue with the User Rights section in Security Baseline 23H2 that affects some devices: users are locked out of the device and see the error message “The sign-in method you’re trying to use isn’t allowed. For more info, contact your network administrator.” when they try to log in. The User Rights section allows you to configure the permissions and privileges of local groups and users on your devices, such as who can log on locally, who can access the computer from the network, who can shut down the system, and so on.

The issue is that the User Rights section might not work as expected if the operating system language of your devices is something other than English. This is because the local groups and users are named differently in different languages, and the security baseline uses the English names by default. For example, the Administrators group is called Administratoren in German, Administrateurs in French, and Administradores in Spanish.

To mitigate the issue, you have two options:

  • Option 1: Configure the User Rights section using the security identifiers (SIDs) of the local groups and users instead of their names. SIDs are unique alphanumeric strings that identify each group and user regardless of the operating system language. You can find the well-known SIDs in Microsoft documentation. For example, the SID of the Administrators group is S-1-5-32-544.
  • Option 2: Do not configure the User Rights section at all and leave it as Not configured. This will apply the default settings of the operating system to your devices, which might be sufficient for your security needs.

Note that once the issue is present on your devices, the only way to fix it is to use option 1 and configure the User Rights section using SIDs. Option 2 will not work if you have already configured the User Rights section using group names.

Once you have fixed the issue in the security baseline, you need to manually initiate a sync on the affected devices in Intune. This will apply the updated settings to your devices and resolve the issue. It might take 10 to 15 minutes for the settings to take effect at the login screen of your devices.

I hope that this blog post has helped you to understand and resolve the issue with the User Rights section in Security Baseline 23H2 for Intune. If you have any questions or feedback, please leave a comment below or contact me directly through email or DM.

Note: Self-service PIN reset uses the defaultuser01 account when resetting the user's Windows Hello PIN. Local account (S-1-5-113) should be allowed to Log on locally for the PIN reset functionality to work.

The following SIDs can be used to replace the default User Rights values in Security Baseline 23H2. An asterisk (*) must be placed in front of the SID, for example *S-1-5-32-544.

SID             Group / User
S-1-5-32-544    Administrators
S-1-5-32-545    Users
S-1-5-32-555    Remote Desktop Users
S-1-5-19        NT Authority (LocalService)
S-1-5-20        Network Service
S-1-5-6         Service
S-1-5-113       Local account

Table: Some well-known SIDs

More information and well-known SIDs are available in Microsoft Learn (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers)
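
To confirm what was actually applied after the sync, the PowerShell check below (an added example, not from the original post or from Microsoft's baseline tooling) translates the SIDs from the table into the names used by the device's OS language and lists the entries that currently hold the Log on locally right. It assumes an elevated session on the device and the built-in secedit export, in which SeInteractiveLogonRight is the Windows constant for Log on locally.

```powershell
# Added example. Run in an elevated PowerShell session on an affected device.
# The SIDs below are the ones listed in the table in this post.
$baselineSids = 'S-1-5-32-544', 'S-1-5-32-545', 'S-1-5-32-555',
                'S-1-5-19', 'S-1-5-20', 'S-1-5-6', 'S-1-5-113'

function Resolve-SidName([string]$Sid) {
    # Translate a SID to the account name used by this OS language.
    try {
        $obj = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<not resolvable on this device>'
    }
}

# 1. Value to enter in the baseline (asterisk + SID) next to the localized name.
$baselineSids | ForEach-Object {
    [pscustomobject]@{ IntuneValue = "*$_"; LocalizedName = (Resolve-SidName $_) }
} | Format-Table -AutoSize

# 2. Export the user rights currently applied and inspect "Log on locally".
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$match = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=' |
         Select-Object -First 1
if (-not $match) {
    Write-Warning 'SeInteractiveLogonRight not found in the export.'
    return
}

$entries = ($match.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
foreach ($entry in $entries) {
    if ($entry.StartsWith('*S-1-')) {
        # Stored as a SID: show the localized name it maps to.
        $status = 'SID  -> ' + (Resolve-SidName $entry.Substring(1))
    } else {
        # Stored as a name, not a SID: review this entry.
        $status = 'NAME -> check against the baseline configuration'
    }
    '{0,-20} {1}' -f $entry, $status
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

On a non-English device, the first table shows why name-based entries break: the same SID resolves to a different group name in each OS language.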

