Intune error when applying OMA URI LocalUsersAndGroups policy - najki78/publicStuff GitHub Wiki

Quoting from the article Policy CSP - LocalUsersAndGroups (https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups):

Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.

If you want to manage the membership of local groups on your devices (e.g. local Administrators, Remote Desktop Users, Remote Management Users etc.), you create an Intune Custom configuration profile with the OMA-URI ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure and supply the group configuration as a string value in the XML form Microsoft documents.

Example:

```xml
<GroupConfiguration>
  <!-- Remote Management Users (S-1-5-32-580): action R replaces the whole membership -->
  <accessgroup desc="S-1-5-32-580">
    <group action="R"/>
    <add member="S-1-12-1-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"/>
  </accessgroup>
  <!-- Administrators (S-1-5-32-544): action U updates the existing membership -->
  <accessgroup desc="S-1-5-32-544">
    <group action="U"/>
    <remove member="defaultuser0"/>
    <add member="S-1-12-1-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"/>
  </accessgroup>
</GroupConfiguration>
```

Important:

  • Use SIDs instead of names, especially for groups (the localized group name differs between OS languages) and always when referencing Azure AD groups (Azure AD groups can currently be referenced by SID only, not by name; their SIDs start with S-1-12-1-)
  • Check the Well-known SIDs article for the SIDs of commonly used groups (https://docs.microsoft.com/en-us/windows/win32/secauthz/well-known-sids), e.g. the local Administrators group is always S-1-5-32-544

If, after applying the policy, you encounter on some devices...

Intune error:

  • ERROR CODE: 0x87d101f4
  • ERROR DETAILS: -2016345612 Syncml(500): The recipient encountered an unexpected condition which prevented it from fulfilling the request. (-2016345612 is the signed decimal form of 0x87d101f4.)

...and, on the affected device, the following entry in Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider -> Admin:

  • Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
  • Source: DeviceManagement-Enterprise-Diagnostics-Provider
  • Event ID: 810
  • Level: Error
  • MDM PolicyManager: Set policy string, Policy: (Configure), Area: (LocalUsersAndGroups) ...Result: (0x80070534) No mapping between account names and security IDs was done.

0x80070534 is the HRESULT wrapping Win32 error 1332 (ERROR_NONE_MAPPED): the policy engine tried to look up a SID for an account name in the XML and found no account with that name on the device.

To fix the issue, first ensure that all account names and SIDs in the XML are correct (a typo in a name, or a name that only exists on some devices, produces exactly this error).

Second, remove all <remove member="..."/> elements from the XML. The first application of the XML removes the unwanted members, but every subsequent application fails with "No mapping between account names and security IDs was done" because the removed account can no longer be resolved: defaultuser0 in the example above is the temporary account created during OOBE, and once it no longer exists on the device its name cannot be mapped to a SID. If you want to remove group members, do it some other way, e.g. with "net localgroup", Remove-LocalGroupMember or a similar approach, and keep only <add> entries in the policy.
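The following PowerShell script is an added example for the two steps above; it is not code from the original wiki page or from Microsoft. It performs the same name-to-SID lookup the policy engine performs, so that entries that would fail with 0x80070534 are reported before the profile is assigned, and it can carry out the <remove> entries locally (Remove-LocalGroupMember, with "net localgroup" as fallback) and return a copy of the XML with those elements stripped. The sample XML, the "not-a-valid-sid" placeholder and the member names in it are constructed for illustration.

```powershell
# Added example, not part of the original wiki page. Run on a target device, elevated.
using namespace System.Security.Principal

function Test-LocalUsersAndGroupsXml {
    # Pre-flight check: returns one finding per entry that would fail when the MDM
    # client applies the policy. An empty result means every entry resolved.
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml
    $findings = @()
    foreach ($ag in @($doc.GroupConfiguration.accessgroup)) {
        $group = $ag.desc
        if ($group -notmatch '^S-1-') { $findings += "group '$group' is a name, not a SID (use a well-known SID)" }
        $action = $ag.group.action
        if ($action -notin 'R', 'U') { $findings += "group '$group': action must be R (replace) or U (update)" }
        if ($action -eq 'R' -and $ag.SelectNodes('remove').Count -gt 0) {
            $findings += "group '$group': <remove> is only meaningful with action U"
        }
        foreach ($m in @($ag.SelectNodes('add')) + @($ag.SelectNodes('remove'))) {
            $member = $m.member
            if ($member -match '^S-1-') {
                # Azure AD SIDs (S-1-12-1-...) cannot be resolved locally, so only check the format.
                try { [void][SecurityIdentifier]::new($member) }
                catch { $findings += "'$member' is not a well-formed SID" }
                continue
            }
            try {
                # Same lookup the policy engine does; failure here is ERROR_NONE_MAPPED (0x80070534).
                [void][NTAccount]::new($member).Translate([SecurityIdentifier])
            } catch [IdentityNotMappedException] {
                $findings += "'$member' does not map to a SID on this device (policy would fail with 0x80070534)"
            } catch {
                $findings += "'$member': $($_.Exception.Message)"
            }
        }
    }
    return $findings
}

function Split-RemoveEntries {
    # Removes the members listed in <remove> locally (when -Apply is given) and
    # returns the XML without the <remove> elements, ready to be re-applied.
    param([Parameter(Mandatory)][string]$Xml, [switch]$Apply)

    $doc = [xml]$Xml
    foreach ($ag in @($doc.GroupConfiguration.accessgroup)) {
        $groupSid = [SecurityIdentifier]::new($ag.desc)
        foreach ($r in @($ag.SelectNodes('remove'))) {
            if ($Apply) {
                $member = $r.member
                try {
                    # Only remove principals that are still members; a name that no longer
                    # exists (e.g. a deleted defaultuser0) is simply skipped.
                    $current = Get-LocalGroupMember -SID $groupSid -ErrorAction Stop
                    if ($current.Name -like "*\$member" -or $current.SID.Value -eq $member) {
                        Remove-LocalGroupMember -SID $groupSid -Member $member
                    }
                } catch {
                    # Get-LocalGroupMember fails on groups containing orphaned SIDs; fall back to net.exe.
                    $groupName = (Get-LocalGroup -SID $groupSid).Name
                    & net.exe localgroup $groupName $member /delete | Out-Null
                }
            }
            [void]$ag.RemoveChild($r)
        }
    }
    $sw = [IO.StringWriter]::new()
    $xw = [Xml.XmlTextWriter]::new($sw)
    $xw.Formatting = 'Indented'
    $doc.WriteTo($xw)
    $xw.Flush()
    return $sw.ToString()
}

# Constructed sample input: one invalid SID and one member name that may not exist.
$sampleXml = @'
<GroupConfiguration>
  <accessgroup desc="S-1-5-32-544">
    <group action="U"/>
    <remove member="defaultuser0"/>
    <add member="S-1-12-1-not-a-valid-sid"/>
  </accessgroup>
</GroupConfiguration>
'@

Test-LocalUsersAndGroupsXml -Xml $sampleXml     # reports the malformed SID and, once defaultuser0 is gone, the unmapped name
Split-RemoveEntries -Xml $sampleXml             # prints the XML with <remove> stripped; add -Apply to remove members locally
```

The validator deliberately does not try to resolve S-1-12-1- SIDs: an Azure AD group SID is valid for the policy even though the local LSA cannot translate it, so only its syntax is checked.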

If this did not solve your issue, for further troubleshooting (locally on the affected device):

  • see the log in Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider
  • go to Settings -> "Access work or school", select the account and click "Export..."; it shows where the logs will be saved (a single CAB file). The same logs can be collected remotely from Intune -> Devices -> the device -> Collect diagnostics
  • delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\LocalUsersAndGroups" (it will be recreated on the next sync)
  • on some devices it helped me to create the following registry value (it gets deleted once the policy is applied): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device] "LocalUsersAndGroups_Dirty"=dword:00000001
  • re-sync the device by restarting the "Microsoft Intune Management Extension" service (it can take more than 10 minutes after the restart for the policy results to appear in the log), or from Intune -> Devices -> the device -> Sync
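The troubleshooting steps above, as an added PowerShell example that is not part of the original wiki page: the first function pulls the LocalUsersAndGroups results out of event 810 in the MDM diagnostics log and decodes the Win32 error inside each 0x8007xxxx HRESULT; the second performs the registry reset and service restart. The event-message pattern matched below is taken from the event text quoted above; the service name IntuneManagementExtension is the service behind the "Microsoft Intune Management Extension" display name.

```powershell
# Added example, not part of the original wiki page. Run elevated on the affected device.

function Get-LocalUsersAndGroupsPolicyResult {
    # Returns one object per LocalUsersAndGroups failure recorded as event 810,
    # with the HRESULT and the decoded Win32 error text (e.g. 0x80070534 -> 1332).
    param([int]$MaxEvents = 50)

    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 810 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Area: \(LocalUsersAndGroups\)' } |
        ForEach-Object {
            $hr = if ($_.Message -match 'Result: \((0x[0-9A-Fa-f]{8})\)') { [uint32]$Matches[1] } else { $null }
            # HRESULT_FROM_WIN32 puts 0x8007 in the upper 16 bits and the Win32 code in the lower 16.
            $win32 = if ($null -ne $hr -and ($hr -shr 16) -eq 0x8007) { [int]($hr -band 0xFFFF) } else { $null }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                HResult   = if ($null -ne $hr) { '0x{0:X8}' -f $hr } else { $null }
                Win32Code = $win32
                Win32Text = if ($null -ne $win32) { [ComponentModel.Win32Exception]::new($win32).Message } else { $null }
            }
        }
}

function Reset-LocalUsersAndGroupsPolicy {
    # Clears the cached policy state, marks the area dirty and forces a sync, which is
    # the sequence of the last three bullets above.
    $base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    Remove-Item -Path "$base\LocalUsersAndGroups" -Recurse -Force -ErrorAction SilentlyContinue
    New-ItemProperty -Path $base -Name 'LocalUsersAndGroups_Dirty' -PropertyType DWord -Value 1 -Force | Out-Null
    Restart-Service -Name IntuneManagementExtension
}

# Usage: inspect first, reset only if the log shows the mapping error.
$results = Get-LocalUsersAndGroupsPolicyResult
$results | Format-Table -AutoSize
if ($results.Win32Code -contains 1332) {   # 1332 = ERROR_NONE_MAPPED
    Reset-LocalUsersAndGroupsPolicy
}
```

Decoding the HRESULT is the useful part: 1332 (ERROR_NONE_MAPPED) points at a name in the XML, whereas a different Win32 code in the lower 16 bits means the XML parsed but failed for another reason, and the reset steps alone will not help.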

Big thanks to Hossam Remawi from Microsoft Support for help!