0 Votes
TalhaAhmed-8531 asked TalhaAhmed-8531 commented

Restrict user from becoming a local admin on an Intune-enrolled PC (other than Autopilot enrollment)?

Hi,

Is there a possibility to enroll a device (other than Autopilot) where the enrollment user, or any other user, doesn't become a local admin on the PC during the enrollment process? I know this can be done in Autopilot, but we don't want to reset the PCs at the moment. I checked the DEM option as well, where the next user who logs in after enrollment may become a local admin?
Thanks

mem-intune-enrollment

1 Answer

0 Votes
CiciWu2-MSFT answered TalhaAhmed-8531 commented

I have done some tests and found that Autopilot is the only enrollment option that restricts the user from becoming a local admin, by choosing a standard user when assigning the profile. Other enrollment options, either BYOD or DEM with the Company Portal, will still add the user to the local admin group automatically. If you would like to prevent the user from being a local admin, as a workaround, you can remove the user from the local admin group after enrollment.

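The workaround in the answer above (remove the enrolling user from the local Administrators group after enrollment) can be pushed as an Intune PowerShell script. The script below is an added example and is not code from the answer or from Microsoft; it assumes it runs elevated (as SYSTEM when deployed through Intune), and the user name `AzureAD\enrollment.user@contoso.com` and the log path are placeholders. It records the group membership before and after the change so the result can be verified from the device.

```powershell
# Added example: audit the local Administrators group on an enrolled Windows 10 PC
# and remove one named enrollment user from it, logging before/after membership.
# Assumes: elevated context; Microsoft.PowerShell.LocalAccounts module (Windows 10).
param(
    [string]$UserToRemove = 'AzureAD\enrollment.user@contoso.com',   # placeholder account
    [switch]$WhatIf                                                    # report only, change nothing
)

$group = 'Administrators'
$log   = "$env:ProgramData\LocalAdminCleanup.log"   # placeholder log location

function Get-AdminMembers {
    # Get-LocalGroupMember can fail on some orphaned or Azure AD SIDs on older builds,
    # so fall back to parsing 'net localgroup' output when it throws.
    try {
        return (Get-LocalGroupMember -Group $group -ErrorAction Stop).Name
    } catch {
        $lines = net localgroup $group 2>$null
        $separator = $lines | Where-Object { $_ -like '----*' } | Select-Object -First 1
        $start = [array]::IndexOf($lines, $separator) + 1
        return $lines[$start..($lines.Count - 1)] |
            Where-Object { $_ -and $_ -notlike 'The command completed*' }
    }
}

$before = Get-AdminMembers
"$(Get-Date -Format o) BEFORE: $($before -join ', ')" | Add-Content $log

if ($before -contains $UserToRemove) {
    if ($WhatIf) {
        "$(Get-Date -Format o) WOULD REMOVE: $UserToRemove" | Add-Content $log
    } else {
        # Only the named account is touched; built-in Administrator and other members stay.
        Remove-LocalGroupMember -Group $group -Member $UserToRemove -ErrorAction Stop
        "$(Get-Date -Format o) REMOVED: $UserToRemove" | Add-Content $log
    }
} else {
    "$(Get-Date -Format o) NOT A MEMBER: $UserToRemove" | Add-Content $log
}

$after = Get-AdminMembers
"$(Get-Date -Format o) AFTER: $($after -join ', ')" | Add-Content $log
$after   # final membership, also returned to the Intune script output
```

Run it once with `-WhatIf` on a pilot device and read the log before assigning it broadly; keep at least one break-glass local admin account in the group so a mistaken name does not lock administrators out.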

Just to confirm: when DEM enrolls the machine, won't they become a local admin, and not the user who logs in after the enrollment is done?

0 Votes 0 ·

I have done tests and found that the DEM account will become a local admin automatically after enrollment. Also, the next user who logs in to the device will not be a local admin. See the screenshots below. I used cidi as the DEM account to enroll Windows 10. Then I logged in as Crystal as the next user.

[Screenshots attached: 101961-image.png, 101839-image.png]

1 Vote 1 ·

Excellent, that's what I was looking for! Thanks.

0 Votes 0 ·

Also, we have similar user requirements in the enterprise. Generally speaking, you can configure Policy CSP - LocalUsersAndGroups to manage the local admin group after enrollment. See: Policy CSP - LocalUsersAndGroups


1 Vote 1 ·
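The Policy CSP - LocalUsersAndGroups setting mentioned in the comment above is delivered by Intune as a custom OMA-URI profile whose value is an XML string. The script below is an added example, not code from the comment or from the CSP documentation; the OMA-URI path and the `GroupConfiguration` / `accessgroup` / `group` / `add` / `remove` element names are those documented for the CSP, while the Azure AD group SID and the user name are placeholders. It builds the payload, validates it locally before the profile is created, and writes it to a file for pasting into the custom profile.

```powershell
# Added example: generate and sanity-check the XML payload for the
# LocalUsersAndGroups 'Configure' policy used to manage the local Administrators group.
#   OMA-URI  : ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
#   Data type: String (XML)
$OmaUri = './Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure'

# Placeholders: an Azure AD group SID that should hold local admin rights,
# and the enrolling user who should be removed from the group.
$AdminGroupSid = 'S-1-12-1-0000000000-0000000000-0000000000-0000000000'   # placeholder SID
$UserToRemove  = 'AzureAD\enrollment.user@contoso.com'                     # placeholder account

# action="U" updates the group (applies the listed add/remove entries, keeps other members);
# action="R" replaces the membership with exactly the listed members.
$PolicyXml = @"
<GroupConfiguration>
    <accessgroup desc="Administrators">
        <group action="U" />
        <add member="$AdminGroupSid" />
        <remove member="$UserToRemove" />
    </accessgroup>
</GroupConfiguration>
"@

function Test-PolicyXml {
    param([string]$Xml)
    # Parse the payload so malformed XML or a missing action is caught here,
    # not after the profile has been assigned to devices.
    $doc = [xml]$Xml
    foreach ($g in @($doc.GroupConfiguration.accessgroup)) {
        $action = $g.group.action
        if (-not $action -or $action -notin @('U', 'R')) {
            throw "accessgroup '$($g.desc)' needs <group action='U' /> or <group action='R' />"
        }
        if ($action -eq 'R' -and -not $g.add) {
            throw "accessgroup '$($g.desc)' uses action 'R' with no <add> entries; this would empty the group"
        }
    }
    return $true
}

Test-PolicyXml -Xml $PolicyXml | Out-Null
$outFile = Join-Path $env:TEMP 'LocalUsersAndGroups.xml'   # placeholder output path
$PolicyXml | Set-Content -Path $outFile -Encoding UTF8
"OMA-URI : $OmaUri"
"Payload : $outFile"
```

Prefer action `U` with explicit `remove` entries when the goal is only to strip the enrolling user; action `R` is stricter but, if the listed members omit a break-glass account, it leaves no usable local administrator on the device, which is why the check above refuses an `R` block with no `add` entries.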

Thanks, I will look into it.

0 Votes 0 ·