An account protection policy in Microsoft Intune is the correct tool for managing local group memberships on Windows devices. This policy is a feature of Intune's endpoint security capabilities and is designed to secure device accounts. Within the account protection policy, an administrator can create a profile for Local user group membership. This profile allows for granular control over built-in groups, including the local Administrators group. To achieve the goal, you would configure this policy to perform a "Remove (Update)" action, specifying User1 to be removed from the Administrators group. The policy is then assigned to all enrolled Windows 11 devices, enforcing the removal of User1's administrative privileges across the fleet.

A. a device compliance policy: The primary purpose of a device compliance policy is to assess and report on a device's adherence to corporate standards (e.g., OS version, disk encryption). It does not directly configure settings like local group membership. While it can mark a device as non-compliant if a user is in the wrong group, it does not perform the removal action itself. C. an app configuration policy: An app configuration policy is used to deliver settings to managed applications (e.g., pre-configuring settings for Microsoft Edge or Outlook). It operates at the application layer and has no capability to modify operating system-level settings such as local user group accounts.

Microsoft Learn | Intune Documentation: Manage local groups on Windows devices with

Microsoft Intune.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/local-user-group-membership

Reference: In the "Create a policy" section, Step 6 describes creating a profile for "Local

user group membership (Preview)". The table under this section details the "Local group"

setting and the "Group and user actions" including "Add (Update)", "Remove (Update)", and

"Replace". This directly addresses the requirement to remove a user.

Microsoft Learn | Intune Documentation: Overview of endpoint security policies in Microsoft

Intune.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy

Reference: The introductory paragraph states, "Endpoint security policies are designed to

help you focus on the security of your devices and mitigate risk." The "Account protection"

section explicitly mentions that these policies help protect user identities and accounts.

Microsoft Learn | Intune Documentation: Device compliance policies in Microsoft Intune.

URL: https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

Reference: The first paragraph under "What are device compliance policies" explains their

function: "Device compliance policies are a key feature when using Intune to protect your

organization's resources. In its simplest form, a device compliance policy is a set of rules

and settings that a device must meet to be considered compliant." This confirms its role is

evaluation, not direct configuration of local groups.