When IT admins or security admins want to build a tightly controlled, secured Windows 10 device, the task is sometimes to "disable" or "block" certain features in Windows 10. In this blog post, we will talk about "Account settings" and what the impacts of these account settings are.
Note: this blog post is not about telling you what should or shouldn't be blocked. I only want to document my test results of how these settings work (or don't work) and where all of these settings can be found.
Microsoft Account (MSA)
I am not saying you should or shouldn't forbid Microsoft accounts on enterprise-managed devices. As in-house IT or a managed service provider, you may not want your users to add their Microsoft account to company devices or kiosk devices. But sure, as an end-user myself … *cough* *cough*
– Where is the setting?
In Intune, you can easily find these settings under Device restrictions – Cloud and Storage, or use the Intune Policy CSP https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts
You can also find the same setting in GPO: Computer Configuration\Administrative Templates\Windows Components\Microsoft account >> "Block all consumer Microsoft account user authentication": Enabled. But please don't confuse it with the security option "Accounts: Block Microsoft accounts"; these are not the same setting. More details about these two policy settings can be found in the Microsoft doc https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication
– What happens when blocking Microsoft Account?
Last year, when Maurice and I were doing a Kiosk device presentation at the MMS Jazz conference, we mentioned that Microsoft accounts cause issues for Kiosk devices. D.C Tardy from Microsoft was kind enough to give us more details on this topic and allowed us to share their work. Thanks a lot!
What the CSP (and GPO equivalent) does:
- forbids applications that use the Web Account Manager (WAM) from authenticating with a Microsoft account (MSA)
What the CSP (and GPO equivalent) does not do:
- forbid applications that use OAuth from authenticating with an MSA
- forbid browser login (Edge, Chrome, applications using browser-based authentication)
- disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service
Why it may work for you:
- The applications you may be concerned about are the built-in Windows 10 apps. The three we tested (Mail, Your Phone, Sticky Notes) all use WAM. Additionally, Office (16.0.7967+) on Windows 10 1803 (RS4) or later uses WAM.
- Additional applications can be controlled with AppLocker, reducing risk by blocking unapproved applications
- You may have a proxy server with data leakage protection (DLP) controls, so you don't need to block login.live.com
What we tested using the CSP and found to work:
- Windows update
- Office update
- The minimum Office version implementing WAM, and therefore honoring the CSP, is 16.0.7967 with Windows 10 1803
- There is a risk that using this CSP may disable a feature you depend on now or in the future.
Microsoft Account Sign-In Assistant
Before you decide to disable the Microsoft Account Sign-In Assistant, read the details in the Microsoft doc. I quote this from https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant
- If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher
- If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app
If you have blocked the Microsoft Account Sign-in Assistant, you will get the error "Something went wrong, please try again later", error code 0x800706d9, when you try to add a Microsoft account or a Work or School account.
Disabling the Microsoft Account Sign-in Assistant will also break your Autopilot pre-provisioning deployment.
After the Autopilot pre-provisioning deployment succeeds and the policy profiles are applied (MSA Assistant is disabled), you will see the nice green screen saying that everything is fine, and you can reseal the device. But when the user happily turns on the device, they won't see the "Welcome to your organization" sign-in page; instead, it will be a normal consumer sign-in screen.
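As an added example (not the post's own script), here is a read-only PowerShell audit of the three MSA-related controls covered above, printing the impact the test results describe for each. The registry value names are my own mapping of the two GPO settings and are not stated on the page:

```powershell
# Added example, not from the original post: read-only audit of the MSA
# restrictions discussed above. Assumptions (editor's mapping, not on the page):
#  - GPO "Block all consumer Microsoft account user authentication" writes
#    HKLM\SOFTWARE\Policies\Microsoft\MicrosoftAccount\DisableUserAuth = 1
#  - "Accounts: Block Microsoft accounts" writes
#    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser
function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the policy is not configured
}

function Get-MsaRestrictionState {
    $wam  = Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount' 'DisableUserAuth'
    $nocu = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'NoConnectedUser'
    $svc  = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
    $startType = 'NotFound'
    if ($svc) { $startType = [string]$svc.StartType }

    [pscustomobject]@{
        BlockConsumerMsaAuth   = ($wam -eq 1)              # WAM-based MSA sign-in blocked
        AccountsBlockMsa       = $nocu                      # separate security option, may be $null
        SignInAssistantStartup = $startType                 # 'Disabled' = wlidsvc blocked
        SignInAssistantRunning = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

$state = Get-MsaRestrictionState
$state | Format-List

# Impact notes taken from the post's test results
if ($state.BlockConsumerMsaAuth) {
    Write-Host 'DisableUserAuth=1: only WAM-based MSA sign-in is blocked; OAuth and browser sign-in still work.'
}
if ($state.SignInAssistantStartup -eq 'Disabled') {
    Write-Warning ('wlidsvc disabled: no feature updates on 1709+, Subscription Activation fails silently, ' +
                   'adding accounts returns 0x800706d9, and Autopilot pre-provisioning breaks.')
}
```

Run it in an elevated PowerShell on a test device after your Intune or GPO policies have applied; it changes nothing and only reports what is configured.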
Email & accounts settings
I personally don't like disabling the Email & accounts settings page, because this doesn't restrict users from adding a Microsoft account or a work/school account via the Microsoft 365 apps. Instead, it only restricts users from cleaning up those added accounts.
The setting can be found in the registry or in the Intune Settings Catalog (screenshots of both in the original post).
Access work or school
In some cases you might want to use this. For example, if the user has local administrator rights and you don't want the user to disconnect the device from their work account. Sure, you will still need other restrictions as well, such as using AppLocker to restrict access to PowerShell.exe, cmd.exe and so on.
NOTE: This setting doesn't restrict users from adding another work or school account via the Microsoft 365 apps. If you need to restrict this, please read this blog: Are you tired of "Allow my organization to manage my device"? – MSEndpointMgr
The Access work or school setting can be found in the registry or in the Intune Settings Catalog (screenshots of both in the original post).
"Account Control" is very important; please test thoroughly before you configure any of these settings. I might still be missing some information, so let me know if there is anything else.