I am trying to remove the local admin privilege for users who performed self-enrolment to join the device to AAD. It seems like I can't find those users in Azure Active Directory > Devices > Device Settings > Manage Additional local admin on all AAD joined devices. I tried the Account Protection Policy in Intune, but the end user was still able to run PowerShell as an admin, although in the overview tab of the policy it was successful for that user. I just attached a screenshot of the settings I used in the policy. Is this going to remove the local admin privilege?
There are multiple methods to remove a user from the local administrators group. Each option is a bit different... maybe this blog is worth checking out:
https://call4cloud.nl/2021/04/dude-wheres-my-admin/
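A scripted way to audit the local Administrators group and take one account out of it, added here as an example and not taken from the linked blog or from either answer in this thread. It assumes an elevated PowerShell session on the AAD-joined device, and the `AzureAD\user@contoso.example` name is a placeholder for the account you actually want to remove.

```powershell
# Added example: audit the local Administrators group and remove one AAD account.
# Run in an elevated PowerShell session on the device itself.
# The user principal name below is a placeholder, not a real account.
param(
    [string]$UserToRemove = 'AzureAD\user@contoso.example'   # placeholder
)

$group = 'Administrators'

# Enumerate current members. AAD accounts appear as AzureAD\<UPN>
# with PrincipalSource = AzureAD; keep this list as the "before" record.
$before = Get-LocalGroupMember -Group $group
$before | Select-Object Name, PrincipalSource, SID | Format-Table -AutoSize

# Only act if the account is really a direct member; Remove-LocalGroupMember
# throws if it is not. A user who is admin through a nested group will not
# show up here and needs the group removed instead.
$target = $before | Where-Object { $_.Name -ieq $UserToRemove }
if ($null -eq $target) {
    Write-Output "$UserToRemove is not a direct member of $group; nothing to do."
    return
}

# Remove the principal object itself (carries the SID, so it survives renames).
Remove-LocalGroupMember -Group $group -Member $target -ErrorAction Stop

# Verify, and flag the case where something re-adds the account.
$after = Get-LocalGroupMember -Group $group
if ($after.SID -contains $target.SID) {
    Write-Warning "$UserToRemove is still in $group; check whether a policy re-adds it."
} else {
    Write-Output "$UserToRemove removed from $group."
}
```

The verification step at the end is the part worth keeping in any variant: a device-side change that conflicts with a management policy can be reverted on the next policy sync, so re-reading the group membership afterwards (and again after a sync) is how you confirm the removal actually stuck.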
Hi @Gokul R Dev
Thank you for asking this question on the Microsoft Q&A Platform.
That rule will remove the local Administrator group; it will not remove the user Administrator.
According to your explanation, the problem looks like you are allowing the end user Administrator privileges when they are performing the self-enrolment to join the device to AAD.
According to this table:
Source: https://learn.microsoft.com/en-us/mem/intune/enrollment/enrollment-method-capab#capabilities-by-enrollment-method
It would be best if you implemented Autopilot with your implementation.
Hope this helps!
Accept Answer and Upvote if any of the above helped; this thread can help others in the community looking for remediation for similar issues. NOTE: To answer you as quickly as possible, please mention me in your reply.