Remote work brought a lot of benefits both to employers (cost savings, increased productivity, environmental impact) and to employees (better work-life balance, flexible hours, happiness) but, when it comes to rapidly offboard of soon-to-be-ex-employees it has become a challenge to make sure their access is terminated (both online and cached) as soon as the communication happens.
The Challenge
One of my Twitter friends Adam Gell raised his concern about Intune and offboarding and I decided to do some testing to see if I could help. I’ll leave that decision for every and each one of you.
Intune isn’t fast enough to terminate users and make a device configuration that won’t let terminated users to not log in.
— Adam G (@AdamGell) July 22, 2024
You need an agent based software that has a realtime connection to the device.
While researching this issue I have stumbled on a many dead-ends (1,2) when it comes to deleting the cached credentials to prevent users from login offline. At least during my testing I could not find a way of successfully disabling cached credentials.
Some more searching and I came across this post from earlier this year talking about blocking the user via User Rights Assignment. In the blog the author is doing the configuration (add the desired user into local Guests group) via Settings Catalog and then triggering a device restart via script or device actions on Intune. Particularly I don’t like those options as they are separate actions that need to happen in order to take effect, and more, probably another device action (sync) might be required to make sure the Settings Catalog policy applied.
The (a) Solution
The proposed solution utilises Remediation On-demand, since we want that action to happen as soon as possible (given Windows Push Notification service is working properly, and it’s not blocked on your environment). It could also be a scheduled script, but in my experience someone desperately calls IT or tap someone on the shoulder and says “We have terminated …. and their work is too sensitive, can we block his access to his device immediately?” (if I had a dollar for every time this happened).
The script I’m using was borrowed from Blake Drumm which borrowed from Bill Loytty (ain’t community a great thing?) and it can be used on two different ways.
1 - Remove the local group Users access from Allow log on locally User Rights Assignment. This action block any standard user from login on to the device.
2 - Add a specific user (using the format {azuread\user@domain.com}) to the Deny log on locally User Rights Assignment. This action blocks only the specified user from login on to the device.
I favor using option 1 because on my environment no user is an administrator and every device is one-to-one. That also saves me the trouble of having to change the script to named users every time a termination happens (where typos are always a risk).
Option 1 Scripts
Option 2 Scripts
Change line 393 and 392 respectively to match the desired username.
Detection.ps1
Remediation
Note: The remediation should be triggered from Intune before the user account is disabled, as once that happens the remediation will not run. I always run the remediation, wait for a couple minutes until I get confirmation from Intune it completed and then proceed to disable the Entra ID account.
Comments