Windows lock script doesn't work for users who are Azure AD joined

[zayhanlon]

Fleet version: 4.52.0

Web browser and operating system: All

---

💥  Actual behavior

See comments and thread here: https://github.com/fleetdm/fleet/issues/18461 and the customer's weekly meeting agenda notes here (Fleet internal notes)

From the customer: The problem is that it relies on Get-LocalUser / Disable-LocalUser to disable the account, but a user logged in via Azure AD would not exist as a "local user".

Instead, it appears to only exist as a "profile", which will be logged off thanks to the beginning of the script, but not disabled.

I don't see the bit that would prevent the user from logging back in using its Azure AD credentials… The correct way of handling such a case appears to be Disable-ADAccount

🧑‍💻  Steps to reproduce

1. TODO
2. TODO

🕯️ More info (optional)

N/A

[zayhanlon]

@noahtalerman FYI - based on our 1-1, recreated a new clean bug report for the Azure AD joined user problem

[dantecatalfamo]

I'm looking into this right now. It appears that Disable-ADAccount is meant for managing ActiveDirectory accounts from on the AD server, not the client machine.

[dantecatalfamo]

It seems there's essentially no way to do this, using either official or unofficial methods. Microsoft really wants you to manage the status of ActiveDirectory user accounts from the ActiveDirectory server. I've tried modifying the Local Group Policy to disable Microsoft Accounts, both through the registry and using the GUI, but for whatever reason I'm still able to login using the account associated with the MDM enrolment, even after rebooting.

[dantecatalfamo]

I've tried disabling PIN login, deleting user data, modifying account registry keys, changing windows service objects using powershell, and a couple other things, and nothing has worked. It always tries to let you sign back in with the account associated with the MDM enrolment.

[dantecatalfamo]

Given how even Microsoft's own MDM doesn't support remote locking, the best we can do for the time being is disable remote credential caching and notify the admin that they will have to lock the active directory account. This is what other users online seem to do. Disabling cached logins means the user has to be connected to the internet to login, so they won't be able to go offline and continue to login.

[dantecatalfamo]

It seems Microsoft recommends wiping the device as an alternative to locking it

[dantecatalfamo]

Here is some of the resources I looked at in case anyone wants to try and pick this issue up in the future:

• https://superuser.com/questions/1716662/how-do-i-get-a-list-of-work-or-school-acounts-connected-to-my-windows-10-and
• https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-device-dsregcmd
• https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information
• https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
• https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-wmiinstance?view=powershell-5.1
• https://community.spiceworks.com/t/how-to-block-user-login-to-computer-using-cmd-or-powershell/942322/3
• https://stackoverflow.com/questions/75880017/disabling-a-windows-domain-user-account-on-a-single-device
• https://community.spiceworks.com/t/how-to-block-user-login-to-computer-using-cmd-or-powershell/942322/4
• https://community.spiceworks.com/t/messing-with-deny-log-on-locally/772947
• https://learn.microsoft.com/en-us/archive/msdn-technet-forums/110df5a0-bf87-4511-bd8c-d523258dca12
• https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information
• https://devblogs.microsoft.com/scripting/use-the-set-wmiinstance-powershell-cmdlet-to-ease-configuration/
• https://community.spiceworks.com/t/block-ad-user-to-login-on-computer/673476
• https://community.spiceworks.com/t/disable-login-with-pin-code-to-all-users-windows-11-pro/959880
• https://www.elevenforum.com/t/enable-or-disable-microsoft-accounts-in-windows-11.23799/
• https://serverfault.com/questions/450389/how-to-delete-domain-user-profile-from-a-computer
• https://community.spiceworks.com/t/remove-remote-userprofiles-with-ciminstance-issues/818216
• https://answers.microsoft.com/en-us/windows/forum/all/how-to-disable-and-remove-a-pin-via-powershell/e3148782-1102-47c2-8e45-92fef54382a4
• https://www.ninjaone.com/blog/windows-mdm-a-complete-guide/#:~:text=When%20a%20device%20is%20lost,reset%20the%20device%20if%20necessary.
• https://www.reddit.com/r/Intune/comments/18zapcu/intune_windows_devices_remote_lock_what_gives/
• https://learn.microsoft.com/en-us/mem/intune/remote-actions/device-remote-lock#:~:text=Remote%20lock%20isn%27t,Windows%2010%20desktop

[dantecatalfamo]

I've also disabled other non-MDM-Enroled from signing in once locked as part of the PR

[dantecatalfamo]

We may want to create a new issue to notify admins that they will have to lock the AD account if the click "lock" on an Autopilot-enabled enrolment. Perhaps also a warning on the Lock button that it will only lock local accounts and not the MDM-Assigned account

[dantecatalfamo]

@georgekarrv @marko-lisica

[zayhanlon]

We may want to create a new issue to notify admins that they will have to lock the AD account if the click "lock" on an Autopilot-enabled enrolment. Perhaps also a warning on the Lock button that it will only lock local accounts and not the MDM-Assigned account

@noahtalerman ^ thoughts on this? sounds like there's a challenge with closing this out and maybe it's not a bug but expected behavior according to microsoft?

[noahtalerman]

Hey @dantecatalfamo thanks for the detailed research!

If I'm understanding correctly, if an end user logs in to their Windows workstation w/ an Azure AD joined account, we have no way to lock it (prevent user from logging in)

And, if a Windows workstations automatically enrolls (via Azure AD or Autopilot) the end user logs in with their Azure AD joined account.

Thus, we have no way to lock all Windows workstations that automatically enroll.

Is that right?

[dantecatalfamo]

Hey @noahtalerman

If I'm understanding correctly, if an end user logs in to their Windows workstation w/ an Azure AD joined account, we have no way to lock it (prevent user from logging in)

That is correct.

And, if a Windows workstations automatically enrolls (via Azure AD or Autopilot) the end user logs in with their Azure AD joined account.

That is my understanding. It's possible there are some configurations that don't require users to sign in using their AD account, in which case they would be locked out when local accounts are disabled, but I haven't come across them.

Thus, we have no way to lock all Windows workstations that automatically enroll.

Is that right?

Yes

[samleb]

We've came up with an alternative solution that consists of disabling access to said device on Entra console itself.

I'm not sure how this can be integrated into your product, but this might be a solution (at least it's one for us in the meantime…)

[dantecatalfamo]

Hi @samleb,

This is the solution I described in the previous comments. We have no control over the Entra accounts from Fleet, so we disable cached logins instead. This means that the user will be forced to check in with the AD server (Entra) every time they want to login, making any lockout from the Entra console effectively instant and disallowing logging in without internet.

[PezHub]

QA Notes: Based on the above conversations and known limitations, I was able to test and confirm that the updated Fleet lock and unlock scripts work as intended, which can be leveraged with disabling access within Entra.

Lock script logs out the user, disables accounts, then restarts the computer

Unlock script enables the accounts and allows login

[fleet-release]

Azure users locked, Fleet's update, like spring's warmth, Brings secure login peace.