How to Control Sign-in Input Methods on Windows Login Screen Using Intune

Start by logging into the Microsoft Intune admin center to create a new configuration profile. This will be the foundation for controlling sign-in input methods.

https://endpoint.microsoft.com

Sign in with your Global Administrator or Intune Service Administrator credentials. Navigate to Devices > Configuration profiles > Create profile. Select Platform: Windows 10 and later and Profile type: Settings catalog, then click Create.

Name your profile something descriptive like "Windows Sign-in Input Method Control" and add a description explaining its purpose for your organization.

Since direct input method control isn't available in Intune, we'll use user rights assignment as a proxy to control who can sign in, which indirectly affects input method usage.

In the Settings catalog configuration, click Add settings and search for "User Rights". Select Allow local logon from the results. This setting controls which users or groups can sign in locally to the device.

Setting: User Rights Assignment > Allow local logon
Configuration: Specify allowed users/groups
Example entries:
- Administrators
- Domain Users
- user1@yourdomain.com

Configure the setting to include only the users or groups that should have access to the sign-in screen. You can add multiple entries by clicking the plus icon.

To control keyboard layouts and input methods more directly, we'll add custom OMA-URI settings that target specific registry keys related to input methods.

In your Settings catalog profile, click Add settings again and search for "Custom". Select Custom OMA-URI from the results.

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/TextInput/AllowKeyboardTextSuggestions
Data type: Integer
Value: 0

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/TextInput/AllowInputMethodSwitching
Data type: Integer
Value: 0

Add these OMA-URI settings to restrict text suggestions and input method switching. The first setting disables keyboard text suggestions, while the second prevents users from switching between different input methods during sign-in.

For additional control over keyboard layouts, add this OMA-URI:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Data type: Integer
Value: 1

This ensures that Intune policies take precedence over any conflicting Group Policy settings.

Implement Windows Hello for Business to standardize authentication methods and reduce reliance on traditional keyboard input during sign-in.

Navigate to Devices > Windows > Windows enrollment > Windows Hello for Business. This is a tenant-wide policy that you'll configure once for your entire organization.

Windows Hello for Business Configuration:
{
  "UseHelloForBusiness": "Enabled",
  "RequireSecurityDevice": "TPM 2.0",
  "MinimumPINLength": 6,
  "MaximumPINLength": 127,
  "AllowBiometrics": "Enabled",
  "UseCertificateForOnPremAuth": "Enabled"
}

Alternatively, you can configure this through a Settings catalog profile by searching for "Windows Hello for Business" and enabling the following settings:

• Use Windows Hello for Business: Enabled
• Minimum PIN length: 6
• Use biometrics: Enabled
• Require security device: TPM 2.0

Configure Web Sign-in to provide an alternative authentication method that bypasses traditional keyboard input methods entirely.

In your Settings catalog profile, add another setting by searching for "Web Sign In". Select Enable Web Sign In and set it to Enabled.

Setting: Authentication > Enable Web Sign In
Value: Enabled

Additional Web Sign-in Settings:
- Allow Web Sign In for secondary authentication: Enabled
- Web Sign In allowed URLs: https://login.microsoftonline.com/*

This enables users to click a "Sign-in options" link on the login screen and authenticate through a web browser, which provides better control over the authentication experience.

You can also add URL restrictions to ensure users only authenticate through approved Microsoft endpoints:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowWebSignIn
Data type: Integer
Value: 1

Configure scope tags and assign your profile to specific device or user groups to control the deployment scope.

Click Next to proceed to the Scope tags section. If you use scope tags in your organization, add the appropriate tags. For most organizations, you can leave this section empty and click Next.

In the Assignments section, configure your target groups:

Assignment Options:
1. Include groups: Select specific Azure AD groups
2. Exclude groups: Exclude pilot or test groups
3. Filter: Use device filters if needed

Example Assignment:
Include: "Corporate Devices - Windows"
Exclude: "IT Admin Devices"
Filter: (device.deviceOwnership -eq "Corporate")

Select Add groups and choose the Azure AD groups containing the devices where you want to enforce input method control. Consider starting with a pilot group before rolling out organization-wide.

Review all your configuration settings before deploying the profile to ensure everything is configured correctly.

Click Next to reach the Review + create section. Verify all your settings:

Profile Review Checklist:
✓ Profile name and description are clear
✓ User Rights Assignment configured correctly
✓ Custom OMA-URI settings added
✓ Windows Hello for Business enabled
✓ Web Sign-in configured
✓ Target groups assigned
✓ Scope tags applied (if used)

Click Create to deploy the profile. The profile will begin deploying to assigned devices immediately.

Monitor the deployment status by navigating to Devices > Configuration profiles and selecting your newly created profile. Click on Device status to see deployment progress.

Verify that your input method controls are working correctly by testing on target devices.

On a target device, sign out and return to the Windows login screen. Test the following scenarios:

# Check applied policies on the device
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\TextInput" -Name "AllowInputMethodSwitching"

# Verify Windows Hello for Business enrollment
certlm.msc
# Navigate to Personal > Certificates and look for Windows Hello for Business certificates

# Check Web Sign-in availability
# Look for "Sign-in options" link on login screen

Test these specific scenarios:

• Attempt to switch keyboard layouts using Alt+Shift
• Try accessing input method settings during sign-in
• Verify that only authorized users can sign in locally
• Test Windows Hello for Business authentication
• Confirm Web Sign-in functionality

Users who are not in the allowed groups should see the message: "The sign-in method you are trying to use is not allowed."

Set up monitoring and troubleshooting procedures to ensure ongoing compliance with your input method policies.

Navigate to Devices > Compliance to monitor overall device compliance. For specific profile monitoring, go to Devices > Configuration profiles and select your input method control profile.

# PowerShell commands for troubleshooting on client devices

# Check Intune policy sync status
Get-ScheduledTask | Where-Object {$_.TaskName -like "*Intune*"}

# Force policy sync
Start-ScheduledTask -TaskName "Microsoft\Windows\EnterpriseMgmt\[GUID]\Schedule created by enrollment client"

# Check event logs for policy application
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)}

Common troubleshooting steps:

• Policy conflicts: Check for conflicting Group Policy settings using gpresult /h report.html
• Enrollment issues: Verify device enrollment status in Intune admin center
• Authentication problems: Ensure TPM 2.0 is enabled for Windows Hello for Business
• Web Sign-in failures: Check network connectivity and firewall rules for Microsoft authentication endpoints