Disable sign in to Windows device (fast)

The quickest method of disabling sign-in to a Windows PC with Intune without wiping it is through the Remote Lock feature, which instantly signs out the user and needs an admin to unlock. Another method is to flag the device as non-compliant, which can activate Conditional Access policies to block sign-ins. Disabling Windows Hello for Business (WHfB) via Account Protection policies might assist, but cached PINs can still grant local access. To further limit access, revoking the user from local access groups and rotating the BitLocker key (if encryption is being used) can block unauthorized access to files.

add the script below to a remediation, so that you can run it on demand (we just put the script in detection script).

#set regkey values
Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\System -Name "AllowDomainPINLogon" -Value 0
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions -Name "value" -Value 0

#take ownership of necessary folder and remove contents

Start-Process cmd -ArgumentList '/s,/c,takeown /f C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y & icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t & RD /S /Q C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc & MD C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc & icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /T /Q /C /RESET' -Verb runAs