Different ways to manage Windows 10 Local Admin accounts with Intune

Contents
Different ways to manage Windows 10 Local Admin accounts with Intune
Method #1 – Allow local admin rights on Win 10 endpoints via Azure AD roles
Method #2 – Configure additional local admin via Device settings in Azure
Method #3 – Configure local admin via Intune using custom OMA-URI policy
    Use Restricted Groups CSP up to Windows 10 2004
    Use LocalUsersAndGroups CSP starting with Windows 10 20H2
Is it a good practice to set local admin accounts on modern managed Windows 10 endpoints?
Further considerations (if any; there are many…)

When discussing the local administrator account on MEM/Intune managed Windows 10 endpoints, we need to consider the two join states a device can be in: Azure AD joined and Hybrid Azure AD joined. Irrespective of the join state, the user account performing the join is added to the local Administrators group on the endpoint. This also holds for Hybrid Azure AD Join via Windows Autopilot unless you have configured the Autopilot profile to provision standard accounts.

From a security perspective, you might be frowning at the thought of providing local administrator rights to end-users. How can you stop your end-users from gaining local admin rights on their workstations?

As an Intune admin, you can prevent end-users from getting local admin privileges by using Windows Autopilot device provisioning, where the Autopilot profile lets you provision the end-user account on the endpoint as a standard account. Note that controlling local admin rights via Autopilot works for new device provisioning only.

What about existing Azure AD / Hybrid Azure AD joined devices that were not provisioned through Autopilot? Those devices will have the user account which performed the join added to the local Administrators group. However, you can deploy a PowerShell script from Intune to remove the end-user account from the local Administrators group on those endpoints. Use net localgroup administrators "AzureAD\UserUPN" /add instead of Add-LocalGroupMember -Group "Administrators" -Member "AzureAD\UserUPN" (and, for removal, net localgroup administrators "AzureAD\UserUPN" /delete instead of Remove-LocalGroupMember), as the LocalAccounts cmdlets have issues when run on remote endpoints.

Is the job done with the removal of local admin rights from the end-users? Not quite. You also need to consider how an IT helpdesk engineer is supposed to obtain elevated privileges on an endpoint when required for a service request, troubleshooting or break-fix scenario. So let's get to the main purpose of this blog post.

Method #1 – Allow local admin rights on Win 10 endpoints via Azure AD roles

For Azure AD joined devices, by design, the security principals of the Global administrator role and the Azure AD joined device local administrator role (previously named Device administrator) are added to the local Administrators group on the endpoint, along with the end-user account that performed the Azure AD join.

Creating a local admin account using Intune (Accounts CSP)

Using Intune, you can create and manage local admin accounts on your Windows devices, which is particularly useful for devices that are not joined to an on-premises domain. You can create a local user account and add it to the Administrators group using Intune. Not only can you create a local admin account on a Windows device, you can also create a local administrator account on a Mac device; refer to the blog post Create a local admin account on macOS using Intune for those steps.

If you are managing a custom local admin account with Windows LAPS, you will need to create that local admin account first. Follow the guide Implement Windows LAPS On Azure AD Devices Using Intune for a step-by-step implementation of Windows LAPS on Azure AD devices.

As an example, we are going to create a local admin account called cloudinfraadmin; you can use any account name you like. To create it, we create a Custom device configuration profile and use the Accounts configuration service provider (Accounts CSP) to create the user account.

Figure: Local admin account cloudinfraadmin created using Intune
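The following is an added example of the Intune PowerShell script deployment described above for existing (non-Autopilot) devices; it is not the post's own script. It strips Azure AD user accounts from the local Administrators group using net.exe, as the post recommends over the LocalAccounts cmdlets, while leaving the Azure AD role principals (which appear as unresolved S-1-12-1-... SIDs), the built-in Administrator and an allow-list of helpdesk accounts in place. The allow-list UPN and the log path are assumptions.

```powershell
# Added example (not the blog's own script): remove Azure AD user accounts from
# the local Administrators group on an already-joined device, using net.exe.
# Deploy from Intune as a device script (do NOT run with the logged-on
# credentials); it then runs as SYSTEM. The allow-list entry below is an
# assumed helpdesk UPN and the log path is an assumption as well.
param(
    [string[]]$KeepMembers = @('AzureAD\helpdesk.admin@contoso.com')
)

$GroupName = 'Administrators'
$LogPath   = Join-Path $env:ProgramData 'LocalAdminCleanup.log'

function Get-LocalGroupMembersViaNet {
    # Parses "net localgroup <group>" output. Get-LocalGroupMember can throw on
    # Azure AD principals, which is why the post prefers net.exe.
    param([string]$Group)
    $inList = $false
    foreach ($raw in (net localgroup $Group 2>&1)) {
        $line = "$raw".Trim()
        if ($line -match '^-{5,}$')               { $inList = $true; continue }
        if ($line -like 'The command completed*') { break }
        if ($inList -and $line)                   { $line }
    }
}

$members = @(Get-LocalGroupMembersViaNet -Group $GroupName)
foreach ($member in $members) {
    # Azure AD users are listed as "AzureAD\<name>"; the Global administrator and
    # Azure AD joined device local administrator roles are listed as unresolved
    # SIDs (S-1-12-1-...) and therefore never match this filter.
    if ($member -notmatch '^AzureAD\\') { continue }
    if ($KeepMembers -contains $member) { continue }   # -contains is case-insensitive

    $result = (net localgroup $GroupName "$member" /delete 2>&1) -join ' '
    Add-Content -Path $LogPath -Value "$(Get-Date -Format o) removed '$member' from $GroupName : $result"
}
exit 0
```

Before deploying broadly, run `net localgroup administrators` on a pilot device and confirm that the helpdesk entries in `$KeepMembers` are spelled exactly as net.exe prints them; otherwise the script will remove them too, and the only remaining path to local admin will be the Azure AD role SIDs from Method #1.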
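As an added example of the Custom device configuration profile with the Accounts CSP described above (not the post's own code, and not the portal click-through it documents), the script below creates the same profile through Microsoft Graph. The account name cloudinfraadmin comes from the post; the Graph permission scope, the profile display name and the use of the Microsoft.Graph.Authentication module are assumptions.

```powershell
# Added example (not the blog's own code): create an Intune custom configuration
# profile that uses the Accounts CSP to create a local administrator account.
# Assumes Install-Module Microsoft.Graph.Authentication and an identity holding
# DeviceManagementConfiguration.ReadWrite.All. Assign the profile to a device
# group in the portal afterwards.
param(
    [string]$UserName    = 'cloudinfraadmin',
    [string]$DisplayName = 'Win10 - Create local admin via Accounts CSP'
)

# Generate a random initial password. The Accounts CSP stores this value in the
# profile, so treat it as a bootstrap secret and rotate it with Windows LAPS,
# as the post recommends, rather than relying on it long-term.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

function New-AccountsCspProfileBody {
    param([string]$Name, [string]$Password, [string]$DisplayName)
    @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = "Creates local account $Name in the Administrators group via the Accounts CSP"
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingString'
                displayName   = "$Name - password"
                omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$Name/Password"
                value         = $Password
            },
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = "$Name - local group"
                omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$Name/LocalUserGroup"
                value         = 2   # Accounts CSP: 0 = Users (standard, default), 2 = Administrators
            }
        )
    }
}

$body = New-AccountsCspProfileBody -Name $UserName -Password $initialPassword -DisplayName $DisplayName

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $body
"Created profile $($created.id). After assignment, verify on a client with: net user $UserName"
```

Omitting the LocalUserGroup setting creates a standard user, which is the CSP default; the integer 2 is what puts the account into Administrators. On the client, `net localgroup administrators` should list the new account next to the Azure AD role SIDs from Method #1.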