How to Disable the Guest Account with Microsoft Intune

How to Disable the Guest Account with Microsoft Intune

Disabling the Guest Account on Windows devices can help enhance security by preventing unauthorized users from accessing your devices. While the guest account is not typically used in enterprise environments, it may still be enabled on some devices by default. Fortunately, you can manage this setting using Microsoft Intune.

Here’s a step-by-step guide to disabling the Guest Account on Windows devices using Microsoft Intune.

Step 1: Create a Device Configuration Profile

1. Log in to the Microsoft Intune Admin Center at https://endpoint.microsoft.com.
2. Navigate to Devices → Configuration Profiles.
3. Click on + Create Profile.
4. Choose Windows 10 and later for the platform.
5. Select Device Restrictions for the profile type.
6. Click Create.

Step 2: Configure Restrictions to Disable the Guest Account

1. Profile Name: Enter a name for the profile (e.g., Disable Guest Account).
2. Under Configuration Settings, scroll down to the Local Device Security Options section.
3. Find the setting called Accounts: Guest account status.
4. Set the option to Disabled to turn off the guest account on the devices.
   • This setting will prevent the guest account from being used on the device.
   • If the guest account is already enabled, this policy will disable it immediately.

Step 3: Assign the Profile to Devices

1. After configuring the settings, click Next to proceed to the Assignments section.
2. Choose the device groups or user groups you want to apply this policy to.
3. Click Next to review your settings, then click Create to deploy the profile.

Step 4: Monitor the Deployment

1. Once the profile is deployed, go to Devices → Monitor → Device Configuration in the Intune Admin Center to check the deployment status.
2. Ensure that the policy has been successfully applied to the target devices.

Step 5: Verify on End Devices

1. After the policy is applied, verify that the Guest Account is disabled:
   • Go to Control Panel → User Accounts → Manage Accounts.
   • The Guest Account should no longer be listed or available.
2. Alternatively, you can run the following PowerShell command on the test device to check if the guest account is disabled:

   Get-LocalUser -Name "Guest"
   

   • The result should show the guest account as Disabled if the policy is correctly applied.

Conclusion

By creating a Device Configuration Profile in Microsoft Intune, you can easily disable the Guest Account on Windows devices, ensuring that only authorized users have access to your systems. This is an essential security measure for organizations looking to restrict unauthorized access and maintain compliance.