Prevent User being Admin after deploying with Intune and AutoPilot Deployment Profile.

Soeren 1 Reputation point
2023-11-27T12:07:05.26+00:00

Hello Community,

I am trying to set up our devices via Intune AutoPilot. I have set up a Deployment Profile and want our employees to "roll out" their device on their own.

That is working fine but the users are still admin after the roll out even though I configured the OOBE under account type to be "Standard" not "Admin" and the users are in no groups that would have any administrative rights.

I can imagine the system needing an admin account during roll out but after that the user should fall back to standard user or does Windows require an admin account to be always present?

And to piggy-back another question: how can I "downgrade" users that are already rolled out and still admin? Scripts I found on the web that I could deploy always seem to target local admins, which I don't have as my users are cloud-managed.

Any help is appreciated. Thanks in advance.


2 answers

  1. JM 1,166 Reputation points
    2023-11-27T16:57:54.87+00:00

    Well, this is strange. As the Autopilot profile is configured to make a user a Standard user instead of a Local admin user, it should be a standard user. Please check "Additional local administrators on all Microsoft Entra joined devices" in the Entra admin center. Make sure users are not added to this group. https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin#manage-the-azure-ad-joined-device-local-administrator-role

    If the Autopilot profile does not work, you can take manual control of Local Administrator Group Membership on managed Windows 10 and Windows 11 devices by using the below steps:

    • Sign in to the Intune admin center.
    • Go to Endpoint Security > Account protection.
    • Click on Create Policy.
    • Platform: Windows 10 and later
    • Profile: Local user group membership and click on Create

    Configuration settings

    • Local group – Administrators
    • Group or user action – Add (Replace)
    • User selection type – Users/Groups
    • Selected users/groups – Click on Select users/group and select the user you want to add to the Local admin group on the target device.

    Use the option Add (Replace) and select all the users and groups you want in the Local admin group. Please make sure to add Global Administrator SID as well so that Global Admin remains administrator across all managed devices.

    Please note that the Add (Replace) option will replace all users/groups with what you select in your policy. So the overall management of Local administrator group membership now moves to this policy.

    For More Information refer to: https://cloudinfra.net/add-a-user-or-group-to-local-admin-using-intune/

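    For the second part of the question (users who are already enrolled and still local admins), the policy above fixes membership going forward, but it helps to audit what is actually in the local Administrators group on a device first. The script below is an added example for that purpose, not code from this thread or from Microsoft; it assumes the device is Entra joined, that it runs elevated (for example as an Intune platform script in SYSTEM context), and that Entra role SIDs added by Autopilot do not report as ObjectClass "User". The `$Allow` list and log path are placeholders you would adjust.

```powershell
# Added example (not from the original thread): list members of the local
# Administrators group on an Entra-joined device and remove cloud user
# accounts from it, leaving the built-in Administrator and role SIDs alone.
# Supports -WhatIf so the removal step can be reviewed before it runs.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed allowlist: members that must keep admin rights, written as
    # Get-LocalGroupMember shows them (e.g. 'AzureAD\breakglass@contoso.com').
    [string[]]$Allow = @(),
    [string]$LogPath = "$env:ProgramData\LocalAdminAudit.log"   # placeholder path
)

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
} catch {
    # Known failure mode on Entra-joined devices: an orphaned SID in the group
    # makes the cmdlet throw. Log it instead of silently doing nothing.
    Write-Log "ERROR enumerating Administrators: $($_.Exception.Message)"
    exit 1
}

# Audit every member first so the log shows the state before any change.
foreach ($m in $members) {
    Write-Log ('Member {0} class={1} source={2} sid={3}' -f `
        $m.Name, $m.ObjectClass, $m.PrincipalSource, $m.SID.Value)
}

# Cloud user accounts report PrincipalSource 'AzureAD' and ObjectClass 'User'.
# The built-in Administrator (RID 500, source Local) and the Entra role SIDs
# are not user objects, so they are skipped (assumption stated in the lead-in).
$targets = @($members | Where-Object {
    $_.PrincipalSource -eq 'AzureAD' -and $_.ObjectClass -eq 'User' -and
    $Allow -notcontains $_.Name
})

foreach ($t in $targets) {
    if ($PSCmdlet.ShouldProcess($t.Name, 'Remove from local Administrators')) {
        # Pass the principal object itself, which carries the SID, so removal
        # works even when the display name no longer resolves.
        Remove-LocalGroupMember -Group 'Administrators' -Member $t -ErrorAction Stop
        Write-Log "Removed $($t.Name) ($($t.SID.Value))"
    }
}
Write-Log ('Done: {0} cloud user account(s) targeted' -f $targets.Count)
```

    Run it once with `-WhatIf -Verbose` and read the log before deploying the removal; the audit lines are also what you would compare against the "Add (Replace)" membership defined in the Intune policy.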

  2. Sameer Agarwal 0 Reputation points Microsoft Employee
    2025-05-15T15:38:47.26+00:00
    1. Create a Configuration Policy in Intune:
      • In the Intune admin center, navigate to Devices > Windows > Configuration Profiles > Create profile.
      • Select Platform: Windows 10 and later and Profile: Settings Catalog > Administrative Templates.
      • Give the profile a descriptive name. 
      • Find the setting "Enumerate administrator accounts on elevation". Select it.
      • Set the setting to "Disabled". 
    2. Assign the Policy:
      • In the Assignments section, choose the groups of devices or users that should receive this policy. (Recommended is Device based group)
      • Select Add and Next. 
    3. Review and Create: