Removing local admin from multiple users using Endpoint Manager

Question

Removing local admin from multiple users using Endpoint Manager

Marcus Heimstad 1

Hi,

I'd like to remove Local Admin on a select group of users' devices.
I see that in Account Protection in Endpoint Manager there seems to be functionality for this, but I can't quite get it to work.

I've created a group, where I've added the Users that I'd like this to affect.
In Account Protection, I've created a policy to Remove Users/Group from Admin, and selected this group:

Then I have assigned this policy to the same group:

This does not work for me.
If I add the user directly in the "Remove Users/Group" - part, it works just fine. But it does not work if I'm using this group as "who should be removed".
It would make it very tedious to maintain if I have to manually add people to this policy every time we get a new employee that should not have local admin, instead of just having 1 group that serves as an assignment, as well as a "selector" for who should be removed.

Does anyone know what I'm doing wrong here?

Thanks! :)

1 answer

Your answer

Answer 1

Crystal-MSFT 53,981 Microsoft External Staff

@Marcus Heimstad , Thanks for posting in Q&A.

Based on my testing, I find if I add group under Remove (update). it will only remove the same group from the local administrators group. The user in the group will still be kept。 The same result as yours.

Therefore, if currently it is the user we want to remove from local administrators group， we need to add the user under remove(update). Or we can also consider the Add (Replace) action. It replaces the members of the selected groups with the new members you specify for this action.
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy#configure-the-profile

However, if the existing option didn't meet your requirement, you can try to feedback to Intune uservoice to improve the feature.
https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472

Thanks for your understanding.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Marcus Heimstad 1 Reputation point

2022-11-23T10:22:09.28+00:00

Hi @Crystal-MSFT , thanks for the answer!

Is it possible to Replace with an empty group?

Perhaps it is better if I explain my goal :P
I am trying to create a policy that I can deploy en-masse to our users that removes local admin for all those users
What is the easiest way to accomplish this? Hopefully I don't have to update this policy directly every time a user needs to be affected
I'm hoping I can create a policy, and an associated group, then add people to this group when they should get their local admin removed.

Thanks again for your time. :)
Marcus Heimstad 1 Reputation point

2022-11-23T10:22:53.91+00:00

To add onto this, is there perhaps some way I can create automation to add people to this policy? It does not necessarily have to be through a group I solve this
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2022-11-24T02:52:30.59+00:00

@Marcus Heimstad , Thanks for the reply.

Based as I know, the replace can't with empty value. The easiest way I can think is, we can created a group with the users we want to remove local sdmin permission. Assign the policy with replace set with your Azure AD admin group to ensure the members in this group have enough permission on the device in the future when it has issue.

To add the user automatically, you can check the Dynamic membership rule to see if there's any property can be used to automatically add your users.
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

Hope it can help.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2022-11-28T01:55:16.267+00:00

@Marcus Heimstad , Hope things are going well. I am wiring to see if there's anything else we can help. If yes, feel free to let us know.
Marcus Heimstad 1 Reputation point

2022-11-28T08:39:48.387+00:00

Hi!

I actually managed to solve this by Replacing with an empty group.
The net result is that no admin account is present locally, and perfectly fits my use-case. :)
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2022-11-28T09:35:53.123+00:00

@Marcus Heimstad , Thanks for your update. I am glad you find the method you want. If there's anything else we can help in the future, feel free to post in Q&A to discuss together.

Thanks for your time and have a nice day!

Share via

Removing local admin from multiple users using Endpoint Manager

1 answer

Your answer