Configuring User Rights Policies in Intune via Custom Profile

To make a long story short: When configuring user rights policies in Intune with a device configuration (custom profile), you'll find that the sample provided in the docs won't fully work. It does the correct configuration on the clients, but it will show you a remediation error in the Intune portal, which is not very nice.

Credits: Big thanks to Mark Thomas, who helped me solving this one.

Note: There are upcoming changes to Intune announced that should simplify these configurations. Hopefully very soon.

Background

Due to a bug in with the encoding of the delimiter used when following the CDATA syntax, the evaluation fails with an remediation failed error. The bug is due to the fact that the XML parser which handles the  delimiter only works for ADMX backed policies.

Looking something like this:

Intune being sad

Workaround

To workaround the issue until the bug is fixed, skip using the CDATA syntax for now. So instead of using this documented syntax to grant Administrators and Users permissions to for example the Allow local LogOn user right:

<![CDATA[*S-1-5-32-544*S-1-5-32-545]]>


Use this syntax instead:

*S-1-5-32-544*S-1-5-32-545
Using a simpler syntax

Please note the delimiter. To make sure you get the right character, go to https://coderstoolbox.net/string/#!encoding=xml&action=decode&charset=us_ascii and enter the below text in the input box and press enter.

Configuring the delimiter
Intune being happy 🙂
About the author

Johan Arwidmark

5 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

>