Configuring User Rights Policies in Intune via Custom Profile

To make a long story short: When configuring user rights policies in Intune with a device configuration (custom profile), you'll find that the sample provided in the docs won't fully work. It does the correct configuration on the clients, but it will show you a remediation error in the Intune portal, which is not very nice.

Credits: Big thanks to Mark Thomas, who helped me solve this one.

Note: Upcoming changes to Intune have been announced that should simplify these configurations. Hopefully very soon.


Due to a bug in the encoding of the delimiter used when following the CDATA syntax, the evaluation fails with a remediation failed error. The bug is due to the fact that the XML parser which handles the delimiter only works for ADMX backed policies.

Looking something like this:

Intune being sad


To work around the issue until the bug is fixed, skip using the CDATA syntax for now. So instead of using this documented syntax to grant Administrators and Users permissions to, for example, the Allow local LogOn user right:


Use this syntax instead:

Using a simpler syntax

Please note the delimiter. To make sure you get the right character, go to!encoding=xml&action=decode&charset=us_ascii and enter the below text in the input box and press enter.

Configuring the delimiter
Intune being happy 🙂
About the author

Johan Arwidmark

1 year ago

I found it… 🙂

1 year ago

How is the format if you want to remove all assignments from a specific user right?

Using just <![CDATA[]]> works, but gives an error in Intune reports. According to your post, the CDATA should be left out, but then there is nothing left and a custom OMA URI does not accept an empty string value.