Enable/Disable CTRL+ALT+DEL Key Logon using Intune

In this blog post, I will demonstrate how to enable or disable the Ctrl+Alt+Del logon requirement with an Intune policy. Requiring Ctrl+Alt+Del at the Windows sign-in screen is the classic “secure attention sequence”. Microsoft’s guidance for this setting is straightforward: if users are not required to press Ctrl+Alt+Del, they can be more susceptible to credential interception attempts, while requiring it helps improve overall logon security.

The settings catalog policy to enable or disable the Ctrl+Alt+Del screen on Windows 11 computers is Interactive Logon Do Not Require CTRLALTDEL. By default, this policy is enabled, which means users are not required to press the Ctrl+Alt+Del keys to sign in.

If you are using Active Directory group policy instead of Microsoft Intune, then you can use the policy setting Interactive logon: Do not require CTRL+ALT+DEL under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

| Profile type | Category | Setting | Status |
| --- | --- | --- | --- |
| Settings Catalog | Local Policies Security Options | Interactive Logon Do Not Require CTRLALTDEL | Disabled: Users must press Ctrl+Alt+Del. Enabled: Users are not required to press Ctrl+Alt+Del. |

Method 1: Using Settings Catalog

Settings catalog is the cleanest way to manage Windows CSP-backed settings at scale, and it is Microsoft’s preferred modern approach for granular policy configuration.

  • Sign in to Intune admin center > Devices > Windows > Configuration > Create > New Policy.
  • Platform: Windows 10 and later, Profile type: Settings catalog
  • Click Create.
  • On the Basics tab, provide a Name and Description of the policy and click Next.
  • On the Configuration settings tab, click + Add settings, use the Settings picker to search for the keyword interactive logon, and select Local Policies Security Options. Check the policy Interactive Logon Do Not Require CTRLALTDEL and set it to one of the following:
    • Disabled: Users must press Ctrl+Alt+Del.
    • Enabled: Users are not required to press Ctrl+Alt+Del.

Interactive logon: Do not require CTRL+ALT+DEL

This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users’ passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.

Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. Default on stand-alone computers: Enabled.

About the Interactive Logon Do Not Require CTRLALTDEL policy setting

  • Scope tags (optional): A scope tag in Intune is an RBAC label that you assign to resources such as policies, apps, and devices to control which administrators can view and manage them. For more information, see How to use scope tags in Intune.
  • Assignments: Assign the policy to Microsoft Entra security groups that include the target users or devices. As a best practice, start with a small pilot group, and once validated, expand the assignment more broadly. For guidance on assignment strategy, see Intune assignments: User groups vs. device groups.
  • Review + create: Review the deployment summary and click Create.

Method 2: Using OMA-URI Setting

Another method is to use an OMA-URI setting to enable or disable the Ctrl+Alt+Del screen. Use the values below when creating a custom device configuration profile.

  • Name: InteractiveLogon_DoNotRequireCTRLALTDEL.
  • Description: Add a description
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL
  • Data type: Integer
    • 0 = Disabled (requires Ctrl+Alt+Del)
    • 1 = Enabled (do not require Ctrl+Alt+Del)
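
The same values expressed as a Microsoft Graph request body, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Authentication module; the function name, profile display name and description text are placeholders chosen for illustration.

```powershell
# Added example: build the custom OMA-URI profile from Method 2 as a Graph payload.
# New-CadProfileBody is a hypothetical helper name; display name and description are placeholders.
function New-CadProfileBody {
    param(
        # 0 = Disabled (requires Ctrl+Alt+Del), 1 = Enabled (do not require Ctrl+Alt+Del)
        [ValidateSet(0, 1)][int]$Value = 0
    )

    $setting = [ordered]@{
        '@odata.type' = '#microsoft.graph.omaSettingInteger'
        displayName   = 'InteractiveLogon_DoNotRequireCTRLALTDEL'
        description   = 'Interactive logon: Do not require CTRL+ALT+DEL'
        omaUri        = './Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL'
        value         = $Value
    }

    $config = [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = 'Win - Interactive logon - Ctrl+Alt+Del'   # placeholder name
        description   = 'Custom OMA-URI profile for the Ctrl+Alt+Del sign-in requirement'
        omaSettings   = @($setting)
    }

    # Depth must cover the nested omaSettings array, otherwise it is flattened to a string.
    $config | ConvertTo-Json -Depth 5
}

# Build the payload that requires Ctrl+Alt+Del and print it for review.
$json = New-CadProfileBody -Value 0
$json

# Uncomment to create the profile in the tenant; assignment to groups is a separate step.
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
# Invoke-MgGraphRequest -Method POST `
#     -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
#     -Body $json -ContentType 'application/json'
```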

Monitoring Policy Deployment Progress

  • Sign in to the Intune admin center > Devices > Configuration.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on View report to access more detailed information.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End User Experience

After the Intune configuration policy has been applied successfully, restart your device once, and you will see the logon screen message Press Ctrl+Alt+Delete to unlock. This confirms that the policy is working.
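
To confirm the result without waiting for a restart, the following added example (not from the original post) reads the setting back on the device. It assumes the security option is stored as the DisableCAD registry value, that the Policies\System copy takes precedence over the local Winlogon copy, and that the MDM client records the received value under PolicyManager; the function names are hypothetical.

```powershell
# Added example: read-only audit of the Ctrl+Alt+Del sign-in requirement on the local device.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Resolve-CadState {
    param($PolicyValue, $LocalValue)
    # Assumption: the policy value (Policies\System) overrides the local Winlogon value.
    $effective = if ($null -ne $PolicyValue) { $PolicyValue } else { $LocalValue }
    if     ($effective -eq 0) { 'Required' }
    elseif ($effective -eq 1) { 'NotRequired' }
    else                      { 'NotConfigured' }   # Windows default applies
}

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption: the MDM client records the received Policy CSP value under PolicyManager.
$mdmKey    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\LocalPoliciesSecurityOptions'

$policyValue = Get-RegValue -Path $policyKey -Name 'DisableCAD'
$localValue  = Get-RegValue -Path $localKey  -Name 'DisableCAD'
$state       = Resolve-CadState -PolicyValue $policyValue -LocalValue $localValue

# One object per device, suitable for export or for comparison across a pilot group.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    MdmPolicyValue   = Get-RegValue -Path $mdmKey -Name 'InteractiveLogon_DoNotRequireCTRLALTDEL'
    PolicyDisableCAD = $policyValue
    LocalDisableCAD  = $localValue
    State            = $state
    MatchesHardening = ($state -eq 'Required')
}
```

A device that reports MdmPolicyValue 0 but State NotRequired has received the policy without it taking effect, which is worth checking against the Conflict status in the Intune report.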
