Account settings of Windows 10

When our super IT admins or security admins want to build a totally controlled secured Windows 10, sometimes the task is “disable” or “block” some features in Windows 10. In this blog post, we will talk about “Account settings” and what are the impacts of these account settings.

Noted, this blog post is not about telling you what should be block or shouldn’t, I only want to document my test results how these settings work or not work, and knowing where are all these settings.

Microsoft Account (MSA)

I am not saying you should forbid Microsoft Account or you shouldn’t for enterprise-managed devices. As an in-house IT or managed service provider, you may not want your user to add their MS account to company devices or Kiosk devices. But sure as an end-user myself … *cough* *cough* 

– Where is the setting?

In Intune, you can easily find this/these settings in Device restrictions – Cloud and Storage or use Intune Policy CSP

You can aslo find the same settings in GPO:  Computer Configuration\Administrative Templates\Windows Components\Microsoft account >>”Block all consumer Microsoft account user authentication” : Enabled. But please don’t get confuse with Accounts: Block Microsoft accounts , these are not same settings.  More details about these two policy settings can be found in Microsoft doc

– What happens when blocking Microsoft Account?

Last year when Maurice and I were doing Kiosk device presentation in MMS Jazz conference, we mentioned Microsoft Account cause issues to Kiosk device, D.C Tardy from Microsoft was kindly enough gave us more details of this topic and allow us share their work. Thanks a lot!

What the CSP (and GPO equivalent) does:

  • forbids applications using the web account manager (WAM) to authenticate using Microsoft account (MSA)

What the CSP (and GPO equivalent) does not perform:

Why it may work for you:

  • The applications you may be concerned about are the ones in Windows 10. The three we tested (mail, myphone, stickyNotes) are all using WAM. Additionally, Office (16.0.7967+), post Windows 1803 (RS4), uses WAM.
  • Additional applications could be controlled by AppLocker reducing risk by blocking unapproved applications
  • You may have a proxy server that includes data leakage protection (DLP) controls without the need to block

What we tested using the CSP and found to work:

  • Autopilot
  • Windows update
  • Office update

Additional caveats:

  • Minimum Office version implementing WAM and so honoring the CSP is 16.0.7967 with Win10 1803
  • There is a risk that the using this CSP may disable a feature you depend on now or in the future.

Microsoft Account Sign-In Assistant

Before you decide disable Microsoft Account Sign-In Assistant, read more details from Microsoft doc.  I quote this from Microsoft Doc

  • If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher
  • If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app

If you blocked Microsoft Account Sign-in Assistant, you will get the error “Something went wrong, please try again later”, error code 0x800706d9 when you try add a Microsoft account or Work or School account.

Disabling Microsoft Account Sign-in Assistant will also break your Autopilot pre-provisioning deployment.

After Autopilot pre-provisioning deployment succeeded, policy profiles are applied (MSA Assistant is disabled), you will see the nice green screen that everything is fine, and you can reseal the device. But when user happily turns on the device, they won’t see the “Welcome to your organization” sign-in page, instead, it will be a normal consumer sign-in screen.

Email & accounts settings

I personally don’t like disable Email & accounts settings, because this doesn’t restrict users from adding Microsoft account nor work/school account via Microsoft 365 apps. Instead, this will only restrict users from cleaning up those added accounts.

The setting can be found from the registry:



Intune Setting Catalog:

options

This setting can be found in registry 


“AllowSignInOptions”= dword:00000000” 

Or Intune Settings Catalog

Access work or school

In some case you might want to use this. For example if user has local administrator rights, and you don’t want user disconnect the device from their work account. Sure you will still need other restrictions as well, like use Applocker restrict access to PowerShell.exe, cmd.exe and so on. 

NOTE: This setting doesn’t restrict users from adding another work or school account via M365 365 apps. If you need to restrict this, please read this blog Are you tired of “Allow my organization to manage my device”? – MSEndpointMgr

Access work or school setting can be found in registry


AllowWorkplace”= dword:00000000

Or use Intune Settings Catalog


“Account Control” is very important, please test more before you configure any of them. I might still miss some information, let me know if there is anything else.

Sandy Zeng

Sandy is an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist for over 10 years. Skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft Technologies, she has passions learning new skill sets to improve her professional career and also as her hobbies. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the blog and is now a blogger on MSEndPointMgr.

Add comment


Categories use cookies to ensure that we give you the best experience on our website.