diff --git a/intune/intune-service/protect/endpoint-security-account-protection-policy.md b/intune/intune-service/protect/endpoint-security-account-protection-policy.md index ccbd2e82fe..e3ad73f044 100644 --- a/intune/intune-service/protect/endpoint-security-account-protection-policy.md +++ b/intune/intune-service/protect/endpoint-security-account-protection-policy.md @@ -74,6 +74,9 @@ Use the *Local user group membership* profile to manage the users that are membe > [!TIP] > To learn more about support for managing administrator privileges using Microsoft Entra groups, see [Manage administrator privileges using Microsoft Entra groups](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-microsoft-entra-groups-preview) in the Microsoft Entra documentation. +> [!NOTE] +> Microsoft Entra groups deployed to a device with this policy don't apply to remote desktop connections. To control remote desktop permissions for Microsoft Entra joined devices, you need to add the individual user's SID to the appropriate group. + ### Configure the profile Use the *Local user group membership* profile mto manage the local group membership on devices through the Windows [Policy CSP - LocalUsersAndGroups](/windows/client-management/mdm/policy-csp-localusersandgroups?WT.mc_id=Portal-fx). The CSP documentation includes more details on how configurations apply, and an FAQ about the use of the CSP.
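Review bot: The added `[!NOTE]` tells the reader to add the individual user's SID to "the appropriate group" but never names that group or says where the SID is added. Name the local group the reader should target, and state whether the SID can be added through this same *Local user group membership* profile or has to be set some other way. The first sentence would also be clearer if it said what "don't apply to remote desktop connections" means in practice, for example that membership granted through a Microsoft Entra group is not honored when the user signs in over remote desktop, if that is the intended meaning. Separately, the unchanged context line just below the note reads "profile mto manage"; since this change touches the same spot, fix it to "profile to manage" here.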