Cannot get Intune to remove users as Administrators

Nirav Patel 0 Reputation points
2024-04-18T19:46:07.1+00:00


Hello

We are transitioning from AD to Azure AD (not Autopilot), registering our devices with Azure AD, and installing Intune from the Microsoft Store on the endpoints afterwards, set to auto-enrolment.

We noticed that when we join the device to Azure using the user's 365 email/password (all users are on E3), the user is made a local administrator. We already have a local admin account which is local to the machine and not an Azure account.

I learned that you can now use the "account protection policy" in Intune to set who is an admin, standard user, etc. I set up the policy (see image), created a group in Entra ID with the users who were made admins on their machines, applied that group to the new policy in Intune, and saved the policy.

When on an end-user device (Windows 11), we run a manual sync using the Company Portal app, then sign out and back in. However, the user is still an administrator. I am not seeing any results in the audit log or in the reporting in the Intune admin portal.

I'm very new to Intune; the sysadmin who started the setup for Intune has left, so I'm not sure if I'm missing something or whether some other config profile or compliance policy needs to be set up?


2 answers

  1. Nirav Patel 0 Reputation points
    2024-04-18T20:09:06.2466667+00:00

    All of our users were purely AD (no hybrid join) with a separate 365 account for email, OneDrive and SharePoint. We are kicking end-user devices off the domain one by one: reboot, log in as local admin, and register them into Entra by going into Windows 10/11 Settings > Accounts > Join work or school account, clicking on alternative options and "Join this device to Azure Active Directory", entering the user's email and password, and approving the MS Authenticator push. After a reboot, we log in as the user using email and password, after which the user is made an admin.


  2. ZhoumingDuan-MSFT 8,060 Reputation points Microsoft Vendor
    2024-04-19T02:28:53.18+00:00

    @Nirav Patel, thanks for posting in Q&A.

    Based on my testing, we created the same policy and applied it in my lab successfully.

    To clarify this issue, please check the following.

    1. The devices must run Windows 10 20H2 or later, or Windows 11.

    2. Check the policy status in the Intune portal.

    3. Check whether there are any error messages in Event Viewer.

    Location: Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Search for the LocalUsersAndGroups string to review the relevant details.

    4. Please note that when you assign the policy, it is suggested that you assign it only to all users or only to all devices; assigning it to all users and all devices at the same time may cause confusion in the application of the policy.

    5. To check whether the devices are purely AD-joined, run CMD and enter dsregcmd /status to check the device state.

    Please check the above information; if there is any update, feel free to let me know.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
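The checks in steps 3 and 5 of the answer above, together with the original symptom (an Entra user still sitting in the local Administrators group), can be run from one elevated PowerShell session on the affected device. The script below is an added example and is not from the thread or from Microsoft; it assumes Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts module, and only reads state (it does not change group membership or policy).

```powershell
# Added example (not from the thread): read-only troubleshooting for the
# LocalUsersAndGroups (account protection) policy. Run elevated.
$ErrorActionPreference = 'Stop'

# --- Step 5: device join state via dsregcmd /status -------------------------
# The policy is an MDM CSP, so the device must be Entra-joined (or hybrid)
# and enrolled; a plain domain-joined device will never receive it.
$dsreg = dsregcmd /status
$joinFields = @{}
foreach ($line in $dsreg) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|AzureAdPrt)\s*:\s*(\S+)') {
        $joinFields[$Matches[1]] = $Matches[2]
    }
}
"Join state:"
$joinFields.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if ($joinFields['AzureAdJoined'] -ne 'YES') {
    Write-Warning 'Device is not Entra (Azure AD) joined; the account-protection policy will not apply.'
}

# --- Symptom: who is actually in the local Administrators group? -----------
# Entra accounts are listed as AzureAD\user@domain with PrincipalSource AzureAD.
# Get-LocalGroupMember can fail on groups containing unresolvable SIDs, so
# fall back to 'net localgroup' for a plain listing in that case.
"Local Administrators members:"
try {
    $admins = Get-LocalGroupMember -Group 'Administrators'
    $admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
    $entraAdmins = $admins | Where-Object { $_.PrincipalSource -eq 'AzureAD' }
    if ($entraAdmins) {
        Write-Warning ('Entra accounts still in Administrators: ' + ($entraAdmins.Name -join ', '))
    }
} catch {
    Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using net localgroup instead."
    net localgroup Administrators
}

# --- Step 3: LocalUsersAndGroups events in the MDM diagnostics log ----------
# Same channel the answer points to in Event Viewer.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -LogName $logName -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'LocalUsersAndGroups' }

if (-not $events) {
    'No LocalUsersAndGroups events found; the policy may never have reached this device (check assignment, then sync again).'
} else {
    'LocalUsersAndGroups events (newest first):'
    $events |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
    $errors = $events | Where-Object { $_.LevelDisplayName -eq 'Error' }
    if ($errors) {
        Write-Warning ('{0} error-level LocalUsersAndGroups event(s); review the full messages in Event Viewer.' -f $errors.Count)
    }
}
```

If the join state shows AzureAdJoined : YES and the Administrators listing still contains the user but the event log has no LocalUsersAndGroups entries at all, the problem is upstream of the device (assignment or enrollment), which matches the answer's advice to check the policy status and the all-users/all-devices assignment first.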