Prevent users from being admin after deploying with Intune and an Autopilot Deployment Profile.

Soeren 1 Reputation point
2023-11-27T12:07:05.26+00:00

Hello Community,

I am trying to set up our devices via Intune Autopilot. I have set up a Deployment Profile and want our employees to "roll out" their device on their own.

That is working fine, but the users are still admin after the roll-out, even though I configured the OOBE account type to be "Standard", not "Admin", and the users are in no groups that would have any administrative rights.

I can imagine the system needing an admin account during the roll-out, but after that the user should fall back to a standard user. Or does Windows require an admin account to always be present?

And to piggy-back another question: how can I "downgrade" users that are already rolled out and still admin? The scripts I found on the web that I could deploy always seem to target local admins, which I don't have, as my users are cloud-managed.

Any help is appreciated. Thanks in advance.


1 answer

  1. JatinMakhija 966 Reputation points
    2023-11-27T16:57:54.87+00:00

    Well, this is strange. As the Autopilot profile is configured to make the user a standard user instead of a local admin user, it should be a standard user. Please check "Additional local administrators on all Microsoft Entra joined devices" in the Entra admin center. Make sure users are not added to this group. https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin#manage-the-azure-ad-joined-device-local-administrator-role

    If the Autopilot profile does not work, you can take manual control of Local Administrators group membership on managed Windows 10 and Windows 11 devices using the steps below:

    • Sign in to the Intune admin center.
    • Go to Endpoint Security > Account protection.
    • Click on Create Policy.
    • Platform: Windows 10 and later
    • Profile: Local user group membership and click on Create

    Configuration settings

    • Local group – Administrators
    • Group or user action – Add (Replace)
    • User selection type – Users/Groups
    • Selected users/groups – Click on Select users/groups and select the users you want to add to the local Administrators group on the target device.

    Use the option Add (Replace) and select all the users and groups you want in the Local admin group. Please make sure to add Global Administrator SID as well so that Global Admin remains administrator across all managed devices.

    Please note that the Add (Replace) option will replace all users/groups with what you select in your policy, so the overall management of local Administrators group membership now moves to this policy.

    For More Information refer to: https://cloudinfra.net/add-a-user-or-group-to-local-admin-using-intune/

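The policy above fixes new and existing devices from the Intune side; for the second question (finding out who is still admin on an already rolled-out device and removing them) the script below is an added example, not code from the question or the answer. It enumerates the local Administrators group through ADSI, which lists Entra ID principals (shown as `AzureAD\user@tenant` with `S-1-12-1-...` SIDs) where `Get-LocalGroupMember` sometimes throws on them, and removes everyone not on an allowlist. The allowlist contents are assumptions: pass the SIDs you want to keep, such as the Entra role or group SIDs used in your Account protection policy. It runs elevated or as SYSTEM, and the exit codes follow the Intune remediation-script convention (non-zero from the detection pass means "needs remediation").

```powershell
<#
  Added example: audit the local Administrators group on an Entra-joined device
  and optionally remove every principal that is not allow-listed.
  Run elevated (or as SYSTEM from Intune). Use -WhatIf to preview removals.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed allowlist: SIDs that must stay, e.g. the Entra role SIDs
    # (Global Administrator, Azure AD Joined Device Local Administrator) or
    # an Entra group SID. These are S-1-12-1-... values specific to your tenant,
    # so nothing is hardcoded here.
    [string[]]$KeepSids = @(),
    [switch]$Remediate
)

$ErrorActionPreference = 'Stop'

# The built-in Administrator (RID 500) is always kept: Windows does not let you
# remove it from Administrators, and it is the account Windows LAPS would manage.
$builtinAdminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
$allow = [System.Collections.Generic.HashSet[string]]::new([string[]](@($builtinAdminSid) + $KeepSids))

# Enumerate via ADSI (WinNT provider). Get-LocalGroupMember can fail with
# "Failed to compare two elements in the array" when Entra ID principals are members.
$group = [ADSI]'WinNT://./Administrators,group'
$members = foreach ($m in @($group.psbase.Invoke('Members'))) {
    $path = [string]$m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
    $raw  = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid  = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0)).Value
    [pscustomobject]@{
        Path    = $path                    # e.g. WinNT://AzureAD/user@contoso.com
        Sid     = $sid                     # Entra ID users, groups and roles: S-1-12-1-...
        IsEntra = ($sid -like 'S-1-12-1-*')
        Keep    = $allow.Contains($sid)
    }
}

$members | Format-Table Path, Sid, IsEntra, Keep -AutoSize | Out-String | Write-Output

$extra = @($members | Where-Object { -not $_.Keep })
if ($extra.Count -eq 0) {
    Write-Output 'Administrators contains only allow-listed principals.'
    exit 0
}

if (-not $Remediate) {
    # Detection pass: report and signal Intune that remediation is needed.
    Write-Output "Found $($extra.Count) non-allow-listed member(s) of Administrators."
    exit 1
}

foreach ($e in $extra) {
    if ($PSCmdlet.ShouldProcess($e.Path, 'Remove from Administrators')) {
        # ADSI Remove accepts the member's ADsPath, including AzureAD\ principals
        # that Remove-LocalGroupMember may not resolve by name.
        $group.Remove($e.Path)
        Write-Output "Removed $($e.Path) ($($e.Sid))"
    }
}
exit 0
```

Deploy it twice in an Intune remediation: once without `-Remediate` as the detection script and once with `-Remediate -KeepSids ...` as the remediation script. Since the Account protection "Add (Replace)" policy rewrites group membership on every policy sync, the script is mainly useful for the one-off cleanup and for spotting devices where the policy has not yet applied.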