Need to convert from admin to standard account Intune enrolled devices

DM Kosala Randika Paranathala 76 Reputation points
2026-05-12T11:15:41.6933333+00:00

We currently have 700+ Windows Autopilot devices enrolled through Intune. During the initial setup, users were assigned as local administrators.

Now we want to change all devices to standard users (non-admin) and manage them as standalone corporate devices.

Could you please advise:

  • What is the best way to remove local admin rights from all existing devices?
  • Can this be done without resetting or re-enrolling devices?
  • What is the Microsoft recommended approach for large environments?
Microsoft Security | Intune | Configuration

1 answer

  1. AI answer

    2026-05-12T11:16:10.2233333+00:00

    For existing Windows Autopilot devices enrolled in Intune where users are currently local administrators, Microsoft recommends moving to a least-privilege model by combining:

    1. Removal of local admin group membership via Intune policy, and
    2. Use of Endpoint Privilege Management (EPM) so users can still perform approved elevated actions as standard users.

    1. Best way to remove local admin rights from existing devices

    Use an Intune Endpoint Security “Account protection” policy with the Local user group membership profile to standardize and remove local admin rights:

    1. Sign in to the Microsoft Intune admin center.
    2. Go to Endpoint Security > Account protection.
    3. Select Create Policy and configure:
      • Platform: Windows
      • Profile: Local user group membership
    4. Name the policy (for example, Remove local admin rights (all users)).
    5. Add a rule:
      • Local group: Administrators
      • Group and user action: Add (Replace)
      • User selection type: Manual
    6. Add only the required Security Identifiers (SIDs), for example:
      • Global Administrator
      • Microsoft Entra Joined Device Local Administrator
    7. Assign the policy to the target device/user group (for example, all Autopilot devices or a specific group such as Developers).
    8. Save and monitor deployment.

    Using Add (Replace) ensures that only the specified SIDs remain in the local Administrators group, effectively removing end users from local admin.

    For more details on this profile, see the Account protection documentation referenced in context.

    2. Can this be done without resetting or re-enrolling devices?

    Yes. The Local user group membership policy applies to already-enrolled Windows devices and does not require:

    • Device reset
    • Re-enrollment
    • Re-running Autopilot

    Devices stay enrolled and managed; only the local group membership is changed by policy.

    For large environments, Microsoft guidance is to:

    1. Adopt least privilege using Endpoint Privilege Management (EPM)
      • Use EPM so users run as standard users while still being able to perform controlled elevated actions.
      • Follow the phased approach:
        Phase 1 – Auditing
        • Create an Elevation settings policy:
          1. Go to Endpoint Security > Endpoint Privilege Management > Policies.
          2. Create Policy with:
            • Platform: Windows
            • Profile: Elevation settings policy
          3. Name it (for example, EPM settings policy – Audit only).
          4. Under Privilege management elevation client settings:
            • Endpoint Privilege Management: Enabled
            • Default elevation response: Not Configured
            • Send elevation data for reporting: Yes
            • Reporting scope: Diagnostic data and all endpoint elevations
          5. Assign to a pilot group of devices/users.
          6. Verify on a device that the Microsoft EPM Agent Service is present, running, and set to Automatic.
        • Use the collected elevation data to understand which processes users elevate and to define personas (developers, IT support, etc.).
        Phase 4 – Remove local admin rights (after rules are in place)
        • Implement the Local user group membership policy described above to remove local admin rights.
        • Ensure the SIDs for Global Administrator and Microsoft Entra Joined Device Local Administrator remain so that IT can still manage devices.
        Phase 5 – Monitoring
        • Regularly review elevation reports.
        • Add unmanaged elevations to rules or deny them.
        • Monitor support-approved requests for delays or patterns.
        • Update rules when file versions or certificates change.
        • Retire or tighten outdated rules.
    2. Use Autopilot profiles for new devices
      • For new Autopilot deployments, configure the Autopilot deployment profile so that the default user account type is Standard instead of Administrator. This ensures new devices are provisioned with standard users from the start.
    3. Scale via groups
      • Target policies (EPM and Local user group membership) to device/user groups that map to roles (e.g., developers, IT support, general users) for controlled rollout.

    This combination—standard users enforced via Local user group membership plus EPM for controlled elevation—is the recommended pattern for large environments to reduce local admin usage while maintaining productivity.

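The answer above tells you to keep only approved SIDs in the local Administrators group and to verify that the Microsoft EPM Agent Service is present, running and set to Automatic. The following PowerShell script is an added example for checking both on a device after the policy has applied; it is not from the Q&A page, from Microsoft, or from Intune. It assumes an allow-list of SIDs that you supply (the role SID values in the script are placeholders, not real values; the built-in local Administrator account, RID 500, is treated as always allowed because it cannot be removed from the group), and it looks the EPM service up by the display name quoted in the answer. The `Get-LocalGroupMember` cmdlet can throw on Entra-joined devices when a member is an Entra principal, so the script falls back to the ADSI WinNT provider in that case.

```powershell
<#
  Added audit example (not from the Q&A page, Microsoft or Intune):
  compares the local Administrators group against an allow-list of SIDs
  and verifies the Microsoft EPM Agent Service. The AllowedSids defaults
  are PLACEHOLDERS; replace them with the SIDs your Local user group
  membership policy actually keeps.
#>
[CmdletBinding()]
param(
    # Assumed allow-list: the Entra role SIDs the policy retains.
    # Placeholder values, not real SIDs.
    [string[]]$AllowedSids = @(
        'S-1-12-1-PLACEHOLDER-GLOBAL-ADMINISTRATOR-ROLE',
        'S-1-12-1-PLACEHOLDER-ENTRA-JOINED-DEVICE-LOCAL-ADMINISTRATOR-ROLE'
    ),
    # Display name as quoted in the answer above.
    [string]$EpmServiceDisplayName = 'Microsoft EPM Agent Service'
)

function Get-LocalAdminMembers {
    # Preferred path: the built-in cmdlet. On Entra-joined devices it can fail
    # when an Entra principal is a member, so fall back to ADSI (WinNT provider).
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; Sid = $_.SID.Value } }
    } catch {
        $group = [ADSI]'WinNT://./Administrators,group'
        $group.Invoke('Members') | ForEach-Object {
            $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
            $name  = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            [pscustomobject]@{
                Name = $name
                Sid  = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
            }
        }
    }
}

function Test-LocalAdminCompliance {
    param([string[]]$Allowed)
    foreach ($m in @(Get-LocalAdminMembers)) {
        # RID 500 (built-in Administrator) is always present in the group.
        $isBuiltinAdmin = $m.Sid -match '-500$'
        [pscustomobject]@{
            Name    = $m.Name
            Sid     = $m.Sid
            Allowed = ($isBuiltinAdmin -or ($Allowed -contains $m.Sid))
        }
    }
}

function Test-EpmAgent {
    param([string]$DisplayName)
    # Mirrors the three checks from Phase 1 step 6: present, running, Automatic.
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present   = [bool]$svc
        Running   = [bool]($svc -and $svc.Status -eq 'Running')
        Automatic = [bool]($svc -and $svc.StartType -eq 'Automatic')
    }
}

$report = @(Test-LocalAdminCompliance -Allowed $AllowedSids)
$epm    = Test-EpmAgent -DisplayName $EpmServiceDisplayName
$extra  = @($report | Where-Object { -not $_.Allowed })

$report | Format-Table -AutoSize
"EPM agent: present=$($epm.Present) running=$($epm.Running) automatic=$($epm.Automatic)"

# Exit 1 on any unexpected admin member or an unhealthy EPM agent so the
# script can double as a detection script that reports non-compliance.
if ($extra.Count -gt 0 -or -not ($epm.Present -and $epm.Running -and $epm.Automatic)) {
    "NON-COMPLIANT: $($extra.Count) unexpected Administrators member(s)"
    exit 1
}
"COMPLIANT"
exit 0
```

Run it in an elevated PowerShell session on a pilot device before and after the Local user group membership policy applies: before, the end user appears with `Allowed = False`; after, only the allow-listed SIDs and RID 500 remain. The non-zero exit code is what makes the script usable as a detection script in a scheduled check, so that any device where the Add (Replace) rule has not yet taken effect, or where the EPM agent is missing, shows up as non-compliant rather than silently keeping its local admins.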
